3281
Lemmy.world (and some others) were hacked
(lemmy.world)
This Community is intended for posts about the Lemmy.world server by the admins.
For support with issues at Lemmy.world, go to the Lemmy.world Support community.
Any support requests are best sent to info@lemmy.world e-mail.
If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.
If you can, please use / switch to Ko-Fi, it has the lowest fees for us
One thing I don't get. Custom emojis can only be created by an admin, but you're saying an admin's account here got compromised because of that and not the other way around. Does that mean that an evil instance set a custom emoji with the injected JavaScript and propagated it to the federated instances?
From the fix, I believe the custom emojis were not double checked after a user submits a post. The post data was used to display the emojis, and thus allowing injection.
The fix now is to search the emojis in the custom emojis list from the backend rather than the user post.