Several instances of the Reddit alternative Lemmy were hacked in recent days by attackers who had apparently exploited a zero-day vulnerability.
Lemmy is open source software designed for running self-hosted news aggregation and discussion forums. Each Lemmy instance is run by a different individual or organization, but they are interconnected, allowing users from one instance to interact with posts on other servers. Currently there are more than 1,100 instances with a total of nearly 850,000 users.
A few days ago, someone started exploiting a cross-site scripting (XSS) vulnerability related to the rendering of custom emojis.
The attacker leveraged the vulnerability to deface pages on some popular instances, including Lemmy.world, the most popular instance, which has over 100,000 users.
“A couple of the bigger Lemmy instances had several user accounts compromised through stolen [JWT] authentication cookies. Some of these cookies belonged to admins, these admin cookies were used to deface instances. Only users that opened pages with malicious content during the incident were vulnerable,” Lemmy.world maintainers explained.
They added, “Stolen cookies gave attackers access to all private messages and e-mail addresses of affected users.”
It appears that the attacker used the compromised pages to redirect users to hateful or shocking content.
Some Lemmy instances were preemptively shut down when the attack started.
The vulnerability should now be patched, but users have also been advised to rotate their JWT secrets.
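Why rotating the signing secret matters after cookie theft, shown as an added example (not Lemmy's code): it assumes session JWTs signed with HMAC-SHA256 (HS256), and the `issue`, `verify` and `demo` helpers and the sample claims are hypothetical. A token stolen before the rotation stops verifying as soon as the server switches to a new secret, even though it has not expired.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT for `claims` signed with `secret`."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64(_sign(f'{header}.{body}', secret))}"

def verify(token: str, secret: bytes, now=None):
    """Return the claims if the token is valid under `secret`, else None."""
    try:
        header, body, sig = token.split(".")
        # Pin the algorithm instead of trusting whatever the header claims.
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        # Constant-time comparison of the expected and presented signatures.
        if not hmac.compare_digest(_sign(f"{header}.{body}", secret), _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token

def demo():
    old_secret = secrets.token_bytes(32)
    # Constructed sample: a long-lived session token for a hypothetical admin.
    stolen = issue({"sub": "admin", "exp": int(time.time()) + 365 * 86400}, old_secret)
    before = verify(stolen, old_secret)      # accepted while the old secret is live
    new_secret = secrets.token_bytes(32)     # rotation: the server swaps its secret
    after = verify(stolen, new_secret)       # stolen token is now rejected
    fresh = verify(issue({"sub": "admin", "exp": int(time.time()) + 3600}, new_secret),
                   new_secret)               # tokens issued after rotation work
    return before, after, fresh

if __name__ == "__main__":
    print(demo())
```

Rotation also logs out every legitimate user, since all tokens issued under the old secret become invalid at once.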

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
