Connect with us

Hi, what are you looking for?



Hackers Target Reddit Alternative Lemmy via Zero-Day Vulnerability

Several instances of the Reddit alternative Lemmy were hacked in recent days by attackers who had exploited a zero-day vulnerability.

Several instances of the Reddit alternative Lemmy were hacked in recent days by attackers who had apparently exploited a zero-day vulnerability.

Lemmy is an open source software designed for running self-hosted news aggregation and discussion forums. Each Lemmy instance is run by a different individual or organization, but they are interconnected, allowing users from one instance to interact with posts on other servers. Currently there are more than 1,100 instances with a total of nearly 850,000 users. 

A few days ago, someone started exploiting a cross-site scripting (XSS) vulnerability related to the rendering of custom emojis. 

The attacker leveraged the vulnerability to deface pages on some popular instances, including, the most popular instance, which has over 100,000 users.

“A couple of the bigger Lemmy instances had several user accounts compromised through stolen [JWT] authentication cookies. Some of these cookies belonged to admins, these admin cookies were used to deface instances. Only users that opened pages with malicious content during the incident were vulnerable,” maintainers explained

They added, “Stolen cookies gave attackers access to all private messages and e-mail addresses of affected users.”

It appears that the attacker used the compromised pages to redirect users to hateful or shocking content. 

Advertisement. Scroll to continue reading.

Some Lemmy instances were preemptively shut down when the attack started. 

The vulnerability should now be patched, but users have also been advised to rotate their JWT secrets. 

Related: Google Researchers Discover In-the-Wild Exploitation of Zimbra Zero-Day

Related: Apple Re-Releases Urgent Zero-Day Patches With Fix for Website Access Issue

Related: Microsoft Warns of Office Zero-Day Attacks, No Patch Available

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.