482

PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down) (lemmy.ml)

submitted 1 year ago* (last edited 1 year ago) by G59@lemmy.ml to c/fediverse@lemmy.ml

242 comments fedilink hide all child comments

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?

edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

Github Issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895

you are viewing a single comment's thread
view the rest of the comments

[-] thanks_shakey_snake@lemmy.ca 4 points 1 year ago

Yeah the "redirect somewhere else" attack definitely doesn't necessarily require any particular control of the site. Usually it's noticing that you can trick some text into being run as Javascript, instead of interpreted as text... And then you just stick in a cheeky little <notarealscript>window.location = "https://www.badsite.horse"</notarealscript> into that spot.

Then every time that comment, username, (in this case apparently) custom emoji, etc. gets loaded, whoops, the code runs and off you go!

So no control of the site is required at all.

this post was submitted on 10 Jul 2023

482 points (99.2% liked)

Fediverse

17537 readers

2 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

What is the fediverse?
- Short ver.
- Full ver.
Fediverse Platforms
How to run your own community

founded 4 years ago

MODERATORS

deadsuperhero@lemmy.ml

wakest@lemmy.ml