Found the error Not allowed to load local resource: file:///etc/passwd while looking at infosec.pub’s communities page. There’s a community called “ignore me” that adds a few image tags trying to steal your passwd file.
You have to be extremely poorly configured for this to work, but the red flags you see should keep you on your toes for the red flags you don’t.
Is this, by any chance, originated from the sub called ignore? In that case is probably my bad because is set as the image of the channel. (I was playing with lemmy in the previous version and forgot about it, sorry. It will not work since your browser can’t access local file that easily without breaking the sandbox :))
Edit: I removed it so you shouldn’t see the alert anymore. What I wasn’t expecting is that apparently every sub is loaded even if you don’t visit it.
But… why? Why even put that URL there? Even if it was most likely harmless for all users, this still looks like an attempt at data exfiltration.
If you find something, report it. Don’t experiment on the public.
https://www.bugcrowd.com/resources/guide/what-is-responsible-disclosure/
https://letmegooglethat.com/?q=Twitter+self+retweeting+tweet+exploit
Sorry I couldn’t resist. Here’s a Tom Scott video https://youtu.be/zv0kZKC6GAM
Holy shit this is kind of unsettling. Though I would expect ALL major browsers to reject reading any local files like this… would this kind of thing actually succeed somewhere/somehow?
If you ran your browser as root and configured your browser to load local resources on non-local domains maybe. I think you can do that in chrome://flags but you have to explicitly list the domains allowed to do it.
I’m hoping this is just a bad joke.
Are you sure? What do you get when you run cat /etc/passwd in terminal? Just paste the results here 😇
Edit: to anyone reading this on the future, don’t actually do this, it was a joke
Yeah, seems highly unlikely to ever yield any results. Even if you did manage to read a file, you have to get lucky finding a password hash in a rainbow table or the password being shit enough to crack.
I cracked the BMC on my workstation motherboard by binwalking the publicly available firmware and finding, to my delight and dread, that the built in root user password was laughably weak. If a top5 motherboard manufacturer is still doing shit like that, users are too.
I also work in support and have seen first hand the bananas things people do, even smart people that should know better
Can confirm it’s still there for the ignore me community.
I’ve had around 20 of ‘lol exploit’ queries in my instance. Luckily none of them succeeded.
