cross-posted from: https://lemmy.ml/post/1895271
FYI!!! In case you start getting re-directed to porn sites.
Maybe the admin got hacked?
edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.
Post discussing the point of vulnerability: https://lemmy.ml/post/1896249
Swear this is the same guy that did the trending community spam a few days ago, he was angry about being banned for squatting on known subreddit names here on Lemmy, even the compromised admin account said something about it in her comments before this happened 🤦♂️
Wait, was that the one that had a community list well into the twenties? Or was that someone else? I don’t think all that stuff reached me, but I did hear about a wannabe powermod like a week and a half ago. Much good that does anyone in a defederated system.
Deeply unfortunate that something like this could happen, you always hope that code injection vulnerabilities are found before someone is hacked. With that in mind, this shows the importance of two security principles: always parse and clean user input and don’t click links (including images) before checking where they are going to send you.
This used an onLoad which isn’t generally shown when you hover over a link in a browser. Most people, even devs, aren’t going to jump on the console to check every link.
NoScript would probably have helped though.
You can usually click and hold on mobile and an popup will appear showing the link (I think) - or you can click and hold and copy the link and paste it somewhere to see where it’s going to go.
Some information I have posted to Lemmy.World:
I am not a super code-literate person so bare with me on this… But. Still please becareful. There appears to be a vulnerability.
Users are posting images like the following:
And inside hidden is JavaScript code that when executed can take cookie information and send it to a URL address.
Among other things. At this time if you see an image please click the icon circled before clicking the link. DO NOT CLICK THE IMAGE. If you see anything suspicious, please report it immediately. It is better a false report than a missed one.
I have seen multiple posts by these people during the attack. It is most certainly related to JS.
That’s even worse, if Lemmy has a vulnerability like that it needs to get fixed ASAP… Also if that code actually works, I am going to have to secure my account.
I’d wager you’re likely fine if you’re using a mobile app when the affected image loads. Also, it appears they’re stealing auth tokens… not passwords or anything. At worst they could impersonate you until your token expires… but you’re not a high value target unless you’re an admin of an instance.
lmao I’m so stupid I pressed on that image and now my account is compromised. oh well it forced to create another and this is my first hack yayyyyy!
Wtf how is this even possible? Are the Lemmy devs smoking crack? If you’re going to run a reddit alternative, it may be wise to sanitize the fuck out of everything posted on there.
Not really helpful though is it? It’s like going to a friend’s house and asking why there is a sink hole in the middle of the floor that everyone is walking around, and they say “feel free get a hammer out”.
Script kiddies. insert eyeroll emoji here
