I had an issue of being logged out of my account and could not log back in, after closing and reopening the site, closing browser, etc until I cleared my cookies, then it let me back in. If that helps anyone.

So what happened:

• Someone posted a post.
• The post contained some instruction to display custom emoji.
• So far so good.
• There is a bug in JavaScript (TypeScript) that runs on client's machine (arbitrary code execution?).
• The attacker leveraged the bug to grab victim's JWT (cookie) when the victim visited the page with that post.
• The attacker used the grabbed JWTs to log-in as victim (some of them were admins) and do bad stuff on the server.

Am I right?

I'm old-school developer/programmer and it seems that web is peace of sheet. Basic security stuff violated:

• User provided content (post using custom emojis) caused havoc when processing (doesn't matter if on server or on client). This is lack of sanitization of user-provided-data.
• JavaScript (TypeScript) has access to cookies (and thus JWT). This should be handled by web browser, not JS. In case of log-in, in HTTPS POST request and in case of response of successful log-in, in HTTPS POST response. Then, in case of requesting web page, again, it should be handled in HTTPS GET request. This is lack of using least permissions as possible, JS should not have access to cookies.
• How the attacker got those JWTs? JavaScript sent them to him? Web browser sent them to him when requesting resources form his server? This is lack of site isolation, one web page should not have access to other domains, requesting data form them or sending data to them.
• The attacker logged-in as admin and caused havoc. Again, this should not be possible, admins should have normal level of access to the site, exactly the same as normal users do. Then, if they want to administer something, they should log-in using separate username + password into separate log-in form and display completely different web page, not allowing them to do the actions normal users can do. You know, separate UI/applications for users and for admins.

Am I right? Correct me if I'm wrong.

Again, web is peace of sheet. This would never happen in desktop/server application. Any of the bullet points above would prevent this from happening. Even if the previous bullet point failed to do its job. Am I too naïve? Maybe.

Marek.

Is there a rough time range when it happened? and any news about other big instances like lemmy.ml? Are those safe? Currently they are not on the same version as lemmy.world.

Thanks Ruud for fixing it! Just a reminder guys that If you are using a third party app you need to login again.

Thanks for the post-mortem and the quick fix! Glad you guys around to help battle test Lemmy's code.

Thanks for the quick reaction and TRANSPARENCY!!

Good shit! Thanks for keeping things up and the pretty quick response as well.

Is a password change advised? How does the JWT cookie and exploit effect apps eg Jerboa?

Thanks for the quick response. Do we know if there was any data leak?

******* This happened to me, one of my posts had it's photo deleted (I didn't delete it), then when I replaced it, the next time I checked the entire post had been deleted.

thanks to admin team for resolving that quickly

Is this why I had to sign in and out of my account on liftoff?

I couldn't comment untill I did that. There may be others!

How are you preventing it to happen again until a patch is released from devs?

Well done on acting on it so quickly. I think I did see some of the fake announcements you were referring too but were taken down very quickly. Keep up the good work team and thanks for everything you are doing!

Been busy for lemmy team lately hopefully it's not too much

Thanks for being open about this and quick to fix it!

So is it safe to log back in?

I lost some of my post history. Is there a data issue that's come from this? Why are my comments gone?

lemmy explorer still acting kinda funny, not sure who is the person in charge to inform

Had an issue at work not long ago involving stolen tokens and back then it looked as if the token was scraped along with a lot of other web traffic and then about 12 days later they gained access.