Several instances of the Reddit alternative Lemmy were hacked in recent days by attackers who had apparently exploited a zero-day vulnerability.
Lemmy is an open source software designed for running self-hosted news aggregation and discussion forums. Each Lemmy instance is run by a different individual or organization, but they are interconnected, allowing users from one instance to interact with posts on other servers. Currently there are more than 1,100 instances with a total of nearly 850,000 users.
A few days ago, someone started exploiting a cross-site scripting (XSS) vulnerability related to the rendering of custom emojis.
The attacker leveraged the vulnerability to deface pages on some popular instances, including Lemmy.world, the most popular instance, which has over 100,000 users.
“A couple of the bigger Lemmy instances had several user accounts compromised through stolen [JWT] authentication cookies. Some of these cookies belonged to admins, these admin cookies were used to deface instances. Only users that opened pages with malicious content during the incident were vulnerable,” Lemmy.world maintainers explained.
They added, “Stolen cookies gave attackers access to all private messages and e-mail addresses of affected users.”
It appears that the attacker used the compromised pages to redirect users to hateful or shocking content.
Some Lemmy instances were preemptively shut down when the attack started.
The vulnerability should now be patched, but users have also been advised to rotate their JWT secrets.