this post was submitted on 10 Jul 2023
307 points (98.4% liked)

Android

17625 readers
175 users here now

The new home of /r/Android on Lemmy and the Fediverse!

Android news, reviews, tips, and discussions about rooting, tutorials, and apps.

πŸ”—Universal Link: !android@lemdro.id


πŸ’‘Content Philosophy:

Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.


Support, technical, or app related questions belong in: !askandroid@lemdro.id

For fresh communities, lemmy apps, and instance updates: !lemdroid@lemdro.id

πŸ’¬Matrix Chat

πŸ’¬Telegram channels / chats

πŸ“°Our communities below


Rules

  1. Stay on topic: All posts should be related to the Android OS or ecosystem.

  2. No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to !askandroid@lemdro.id.

  3. Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to !androidmemes@lemdro.id.

  4. No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.

  5. No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.

  6. No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.

  7. No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.

  8. No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.

  9. No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!

  10. No affiliate links: Posting affiliate links is not allowed.

Quick Links

Our Communities

Lemmy App List

Chat and More


founded 1 year ago
MODERATORS
 

cross-posted from: https://lemmy.ml/post/1895271

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

top 50 comments
sorted by: hot top controversial new old
[–] alaxitoo@lemmy.world 42 points 1 year ago (2 children)

Swear this is the same guy that did the trending community spam a few days ago, he was angry about being banned for squatting on known subreddit names here on Lemmy, even the compromised admin account said something about it in her comments before this happened πŸ€¦β€β™‚οΈ

[–] bdonvr@thelemmy.club 12 points 1 year ago

Time to move from banning to contacting authorities then.... spam is one thing. This is criminal.

[–] Nepenthe@kbin.social 9 points 1 year ago (1 children)

Wait, was that the one that had a community list well into the twenties? Or was that someone else? I don't think all that stuff reached me, but I did hear about a wannabe powermod like a week and a half ago. Much good that does anyone in a defederated system.

[–] alaxitoo@lemmy.world 11 points 1 year ago* (last edited 1 year ago)

His username at the time was β€œLMAO” and I think so… he did it again on another Lemmy instance but used a different username that time as well πŸ˜‚

[–] LillianVS@lemmy.world 34 points 1 year ago* (last edited 1 year ago) (13 children)

Some information I have posted to Lemmy.World:

I am not a super code-literate person so bare with me on this... But. Still please becareful. There appears to be a vulnerability.

Users are posting images like the following:

https://imgur.com/a/RS4iAeI

And inside hidden is JavaScript code that when executed can take cookie information and send it to a URL address.

Among other things. At this time if you see an image please click the icon circled before clicking the link. DO NOT CLICK THE IMAGE. If you see anything suspicious, please report it immediately. It is better a false report than a missed one.

I have seen multiple posts by these people during the attack. It is most certainly related to JS.

[–] erre@feddit.win 19 points 1 year ago* (last edited 1 year ago) (1 children)

If it's onload then simply viewing the image runs that script. Yikes.

[–] LillianVS@lemmy.world 14 points 1 year ago (1 children)

That's even worse, if Lemmy has a vulnerability like that it needs to get fixed ASAP... Also if that code actually works, I am going to have to secure my account.

[–] erre@feddit.win 15 points 1 year ago* (last edited 1 year ago) (2 children)

I'd wager you're likely fine if you're using a mobile app when the affected image loads. Also, it appears they're stealing auth tokens.. not passwords or anything. At worst they could impersonate you until your token expires.. but you're not a high value target unless you're an admin of an instance.

[–] LillianVS@lemmy.world 12 points 1 year ago (1 children)

I used Firefox... So I definitely reset my password. Thing is I do not see an option for Lemmy where you can "sign out everywhere" which is the counter to Auth token stealing.

So I had to change it so that the Auth token would expire. Whilst I am not an admin I won't take the chance. It could compromise other users and I do not want to take that risk.

[–] deweydecibel@lemmy.world 6 points 1 year ago

Apparently the fix for the vulnerability signs everyone out.

[–] phoenix591@lemmy.phoenix591.com 5 points 1 year ago* (last edited 1 year ago) (1 children)

the thing is right now lemmy by defaultNEVER expires the tokens... oops. Right now servers are manually expiring all their user's tokens by changing the secret in the database because of this attack.

[–] erre@feddit.win 4 points 1 year ago

Oops indeed. Lemmy needs a security audit 😬

[–] TheFrirish@jlai.lu 3 points 1 year ago (2 children)

lmao I'm so stupid I pressed on that image and now my account is compromised. oh well it forced to create another and this is my first hack yayyyyy!

[–] LillianVS@lemmy.world 9 points 1 year ago

Clicking the image isn't the issue, scrolling by it will nab your Auth tokens. Resetting your password will reset the Auth tokens protecting your account. A sign out everywhere button would fix it but that isn't an option yet. It really needs to be.

[–] Fal@yiffit.net 7 points 1 year ago

There's so many things wrong with this I don't even know where to start

load more comments (11 replies)
[–] TheSaneWriter@lemm.ee 31 points 1 year ago (1 children)

Deeply unfortunate that something like this could happen, you always hope that code injection vulnerabilities are found before someone is hacked. With that in mind, this shows the importance of two security principles: always parse and clean user input and don't click links (including images) before checking where they are going to send you.

[–] db2@lemmy.one 14 points 1 year ago (2 children)

This used an onLoad which isn't generally shown when you hover over a link in a browser. Most people, even devs, aren't going to jump on the console to check every link.

NoScript would probably have helped though.

[–] erre@feddit.win 29 points 1 year ago

What kind of terrible markdown editor allows adding onload scripts to images though.. it's insane.

[–] deweydecibel@lemmy.world 16 points 1 year ago (1 children)

Also doesn't help when using mobile and there's no hover over

[–] thetreesaysbark@sh.itjust.works 4 points 1 year ago (2 children)

You can usually click and hold on mobile and an popup will appear showing the link (I think) - or you can click and hold and copy the link and paste it somewhere to see where it's going to go.

[–] deweydecibel@lemmy.world 3 points 1 year ago

You can, yes, but it's not the sort of thing most do before taping. The hover-over is passive.

load more comments (1 replies)
[–] db2@lemmy.one 26 points 1 year ago (1 children)

Script kiddies. insert eyeroll emoji here

[–] Tywele@lemmy.dbzer0.com 6 points 1 year ago

Here take this: πŸ™„

[–] cole@lemdro.id 15 points 1 year ago

Hey everyone, this exploit was present in the custom emoji feature of Lemmy. Because lemdro.id does not use custom emojis, we are not vulnerable at this time.

[–] PeckerBrown@lemmy.world 11 points 1 year ago* (last edited 1 year ago) (1 children)

When I wanted to do some lemmying earlier, the LemmyWorld logo said 'Israel', and when I put my cursor over it, it said 'N***a Style. Then when I clicked the logo (stupid me, no doubt), it redirected me to a pic of some dude with a cigar, with the caption (iirc) "I r * pe kids in the woods". I did a virus scan which came up clear. Dunno what else to do when shit like that happens, as I am not the brightest bulb in the chandelier.

[–] tal@kbin.social 6 points 1 year ago* (last edited 1 year ago) (1 children)

I have not seen any notice as to how either users or admins should mitigate the problem so far. Obviously, admins should update once a new release is out, but beyond that...

From an end-user standpoint, I would guess -- I have not looked at the code and have not been working on the security hole -- the following:

  • This basically allows the attacker to masquerade as a currently-logged-in user who has viewed their link.

  • Viewing content on a lemmy server while logged in as an admin right now is probably a particularly bad idea.

  • I don't know what the full impact is for a regular user account, but it's probably possible for at minimum posts to be deleted, and posts to be made as someone. In kbin, my account shows my email address, so if lemmy does the same, it would be possible to link an email account used for registration with a username. If you used a throw-away email account that is publicly-accessible -- as I did -- that could allow for full account compromise.

  • Viewing content while not logged in is probably safe -- maybe they can make Javascript run from a link, but without you being logged in, there isn't anything interesting that the attacker can do. If I were going to be viewing content on lemmy servers right now, and okay with being limited to lurking, I might do that for a few days until the issue is resolved and lemmy servers update.

  • I don't know if kbin is vulnerable. It didn't accept the URL given in the bug as an example of a malicious URL when I tested submitting one, but it's possible that it trusts URLs coming from federated servers, which I did not check.

[–] gene@kbin.social 2 points 1 year ago* (last edited 1 year ago)

https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1628270766

As for a user, I'd avoid using any Lemmy instances from the browser until they get updated.

[–] darrsil@lemdro.id 9 points 1 year ago* (last edited 1 year ago) (1 children)

Did this result in Lemmy.world being defederated from Lemdro.id?

Lemmy.world is back up and the hack is over, but when I view !android@lemdro.id using my lemmy.world account I can't see anything.

EDIT: In case anyone else is having this problem, the issue was my language settings. Despite having β€œUndetermined” set as a language, that was the problem - I clicked the little β€œX” to unselect all languages and then saved, and now it’s working again.

[–] cole@lemdro.id 3 points 1 year ago

I have not de-federated other instances simply because lemdro.id is not vulnerable to this particular exploit

[–] TheSaneWriter@lemm.ee 8 points 1 year ago (1 children)

Deeply unfortunate that something like this could happen, you always hope that code injection vulnerabilities are found before someone is hacked. With that in mind, this shows the importance of two security principles: always parse and clean user input and don't click links (including images) before checking where they are going to send you.

[–] Dioxy@programming.dev 7 points 1 year ago (1 children)

It’s worse than that. Until Lemmy is more mature, I would reccomend using the lite version of Lemmy, the JS-free version, for sake of client side security. Alternatively, or as an added point of security, the front-ends themselves should implement more sanitazion themselves. I’m willing to spend some free time vulnerability testing, but I would need a dedicated sand-box for that.

[–] r00ty@kbin.life 3 points 1 year ago

The ansible method of setting up a lemmy instance generally "just works". I set one up for federation tests with kbin recently.

[–] ElectronSoup@kbin.social 5 points 1 year ago (1 children)

beehaw isn't down, just very slow, which is it's normal state of being if we're being honest

[–] jherazob@kbin.social 8 points 1 year ago (1 children)
[–] ImaginaryFox@kbin.social 4 points 1 year ago

Seems like a good cautious move on their part.

[–] sgtlighttree@kbin.social 2 points 1 year ago

I don't see any weird content, but I couldn't log in. There's a notification at the bottom that says "logged in" but I'm still blinded by light mode.

load more comments
view more: next β€Ί