Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Hackers Target Reddit Alternative Lemmy via Zero-Day Vulnerability

Several instances of the Reddit alternative Lemmy were hacked in recent days by attackers who had exploited a zero-day vulnerability.

Several instances of the Reddit alternative Lemmy were hacked in recent days by attackers who had apparently exploited a zero-day vulnerability.

Lemmy is an open source software designed for running self-hosted news aggregation and discussion forums. Each Lemmy instance is run by a different individual or organization, but they are interconnected, allowing users from one instance to interact with posts on other servers. Currently there are more than 1,100 instances with a total of nearly 850,000 users. 

A few days ago, someone started exploiting a cross-site scripting (XSS) vulnerability related to the rendering of custom emojis. 

The attacker leveraged the vulnerability to deface pages on some popular instances, including Lemmy.world, the most popular instance, which has over 100,000 users.

“A couple of the bigger Lemmy instances had several user accounts compromised through stolen [JWT] authentication cookies. Some of these cookies belonged to admins, these admin cookies were used to deface instances. Only users that opened pages with malicious content during the incident were vulnerable,” Lemmy.world maintainers explained

They added, “Stolen cookies gave attackers access to all private messages and e-mail addresses of affected users.”

It appears that the attacker used the compromised pages to redirect users to hateful or shocking content. 

Some Lemmy instances were preemptively shut down when the attack started. 

Advertisement. Scroll to continue reading.

The vulnerability should now be patched, but users have also been advised to rotate their JWT secrets. 

Related: Google Researchers Discover In-the-Wild Exploitation of Zimbra Zero-Day

Related: Apple Re-Releases Urgent Zero-Day Patches With Fix for Website Access Issue

Related: Microsoft Warns of Office Zero-Day Attacks, No Patch Available

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Matthew Cowell has assumed the role of VP of Strategic Alliances at Nozomi Networks. He previously served in the same role at Dragos.

Bret Arsenault is retiring from his full-time role after 35 years at Microsoft.

Social engineering defense platform Doppel has appointed Bobby Ford as Chief Strategy and Experience Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.