Hexbear was a victim of a targeted XSS attack similar to the attack many other Lemmy instances have seen.

The account that first leveraged the attack was registered on 2023-07-10 at 03:58 UTC; the fix for the vulnerability was applied by around 04:35 UTC. This leaves a roughly 40-minute window in which anyone browsing the site could have had their account hijacked.

The attacker was able to act (post, comment, DM) as the account they hijacked. They will also have been able to view/use the compromised account's settings page, which means they will have been able to see those users' email addresses. Some accounts that were compromised were temporarily banned; these bans have now been lifted.

If you were using the site during the above time window, please double check your account settings to see if anything was changed.

Passwords were not stolen; JWTs were. We have just invalidated all old JWTs, so the attacker no longer has access to the hijacked accounts (this is why all users have been logged out).

  • TheCaconym [any]
    1 year ago

    @Admins: please do not assume the current lemmy bug report is exhaustive; do not simply select for "%onload%" or something in the DB. "%onclick%" would work too, for example (even if it'd require the target to click the emoji).

    I'd quickly, visually check any comment containing quotes in the affected window (and even a bit outside of it)

    Also this is exactly the kind of fucking thing that wouldn't happen were we not required to use JS to access lemmy; though I shouldn't be surprised given the frontend at least IIRC is fucking made out of the abomination that is nodejs. Deploying that thing cleanly must be painful, too

    At any rate kudos to the admins for reacting so quickly rat-salute-2

    • layla
      hexagon
      1 year ago

      We didn't just remove the comments/DMs etc. from the DB; we actually fixed the vulnerability, so even if other malicious scripts were used they won't work anymore.

      Agreed, about JS 😅

      • TheCaconym [any]
        1 year ago

        I should've realized since I was able to post a custom emoji (or, you know, had I read your initial post properly 🤦)

        Thanks again for all you do!

    • CannotSleep420
      1 year ago

      Also this is exactly the kind of fucking thing that wouldn't happen were we not required to use JS to access lemmy; though I shouldn't be surprised given the frontend at least IIRC is fucking made out of the abomination that is nodejs.

      Not only that, but the framework we use is infernojs. Imagine react, but it doesn't have hooks, has barely any documentation, and has virtually no compatible UI libraries or tooling. It's significantly more performant and has a smaller bundle size than react, but the negatives outweigh the positives.

      In particular, there is no isomorphic framework for inferno like next for react, nuxt for vue, SvelteKit for svelte, etc. To get around this, there's a filthy kludge where we take an object of isomorphic data and assign it to a property on window in a script tag. This is both error prone and insecure, but also required for the UI to work without needing to generate the whole page on the client side. If you want to see this for yourself, open your browser's devtools and look for a script tag towards the top.

      inshallah for the Leptos WASM rewrite.

    • StellarTabi [none/use name]
      1 year ago

      I looked through the recent PRs and I'm still confused about how non-admin inputted data is being rendered to the user as raw HTML. I suppose that's just a problem with react's SSR and/or why we have non-http-only cookies?

      • TheCaconym [any]
        1 year ago

        This is the bug report you want to read (well, this one too obviously, but I assume you saw that one, and it was the former that made me manage a working payload in my test env, not this one; they reasonably censored the latter in case of copycats); basically IIRC: faulty escaping of control characters (and then html/js) in the custom emoji syntax. With a set of functions also shared by the legal and sidebar customizable-by-mods parts (but really the custom emoji thing is the main route to wholesale exploitation obviously).

        Taking a step back, remarkable real-life cyber exercise for the lemmy community, by the way: it was all patched in like 48 hours max for basically all instances I've cared to look at. Believe me from experience: critical (as in defense-related) capitalist entities wish they had that kind of turnaround on cyber issues, to be honest. Also, a lucky break too of course; seems only to be one attacker, with a shitty domain name for the payload on top of it. Could have been noticeably worse (like a wide variety of DNS used with varied payloads and triggers + automated admin JWT token stealing + replication through the other lemmy customizable parts through admin accounts + mass-fetching of user emails and publication of the same; you know, the horror scenario I could see an intelligence agency getting hold of such a flaw going for).

        More and more I'm having my "write-a-no-javascript-needed-lemmy-frontend-using-the-same-neat-css-tricks-as-darknet-markets-for-usability" envy rising; writing it in something sane, too, like python+flask. I pray for the free time to do it.
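Two points in this thread lend themselves to one worked example: the bug class described just above (escaping in the custom-emoji syntax that lets HTML/JS through) and the earlier warning not to clean up by searching the DB for `%onload%` alone, since `onclick` and friends work just as well. The block below is an added example, not Lemmy's code and not the actual Lemmy bug: it models a renderer that copies the shortcode between colons into `<img>` attributes with escaping that covers `<`, `>` and `&` but not quotes, shows the attribute injection that allows, gives the hardened version, and finishes with a triage scan over constructed comment bodies. The `:code:` convention, the `/custom_emoji/` path and the sample comments are all assumptions.

```javascript
// Added example, not Lemmy's or Hexbear's code. A custom-emoji renderer that
// copies the shortcode into <img> attributes, first with escaping that misses
// quotes (attribute injection), then hardened; plus a triage scan over stored
// comment bodies that looks for any event handler, not only "onload".

// Escapes what matters in text content but not the quotes that matter inside
// an attribute value: the kind of gap that lets :x" onclick="... land inside
// the generated tag even though a literal <script> would be neutralised.
function escapeTextOnly(s) {
  return s.replace(/[&<>]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" })[c]);
}

function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Constructed convention (assumption): ":code:" becomes an <img> whose src,
// alt and title are built from the code.
function emojiTag(code) {
  return `<img class="emoji" src="/custom_emoji/${code}.png" alt="${code}" title="${code}">`;
}

// Vulnerable: anything between two colons is accepted as a shortcode and
// dropped into attribute values with its quotes intact.
function renderCommentUnsafe(text) {
  return escapeTextOnly(text).replace(/:([^:]+):/g, (_m, code) => emojiTag(code));
}

// Hardened: escape the whole body (quotes included) first, and only then turn
// shortcodes drawn from a tight character class into tags. The class cannot
// contain '&', '"', '<' or whitespace, so nothing an author writes can end
// the attribute value or start a new attribute.
function renderCommentSafe(text) {
  return escapeAttr(text).replace(/:([A-Za-z0-9_-]+):/g, (_m, code) => emojiTag(code));
}

// Triage patterns for the stored (pre-render) bodies. This shortlists comments
// for a manual look; entity-encoded or otherwise obfuscated payloads will slip
// past it, which is why quoted comments still deserve eyes.
const SUSPICIOUS = [
  /(^|[\s"'\/])on[a-z]+\s*=/i, // onload, onclick, onerror, onmouseover, ...
  /javascript\s*:/i,           // javascript: URLs in links or images
  /<\s*script/i,               // literal script tags
  /srcdoc\s*=/i,               // iframe srcdoc
];

function flagSuspicious(comments) {
  return comments
    .filter((c) => SUSPICIOUS.some((re) => re.test(c.body)))
    .map((c) => c.id);
}

// Constructed comment bodies for the scan. Comment 2 stands in for the benign
// quoted text that a pure "%onload%" search would never see and a human should.
const SAMPLE_COMMENTS = [
  { id: 1, body: "nice post :rat-salute:" },
  { id: 2, body: 'he said "onward" and that was = that' },
  { id: 3, body: ':x" onclick="alert(1)" y=":' },
  { id: 4, body: '<a href="javascript:alert(1)">link</a>' },
  { id: 5, body: ':x" onload="alert(1)" y=":' },
];

console.log(renderCommentUnsafe(SAMPLE_COMMENTS[2].body));
console.log(renderCommentSafe(SAMPLE_COMMENTS[2].body));
console.log("flagged:", flagSuspicious(SAMPLE_COMMENTS));
```

The `onclick` payload (comment 3) only fires when the victim clicks the emoji, as the earlier comment notes, but it is no less of an account takeover than `onload`; the scan treats every `on*=` the same.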

          • TheCaconym [any]
            1 year ago

            I'd really like a reddit-like UI, much like the one we're currently using actually; just without JS.

            • Aceivan [they/them]
              1 year ago

              https://mlmym.org/hexbear.net/ this is that I think

              Not like the one we are using though. just an exact clone of old reddit lol

              • TheCaconym [any]
                1 year ago

                OK that's... not great but surprisingly close, and I'm very surprised it exists in the first place. Thanks!

                • Aceivan [they/them]
                  1 year ago

                  yeah lol. it has a dark mode even! and we could self host it in single instance mode. browsing at least works without js, didn't want to give them my login info to see if anything else did