cross-posted from: https://lemmy.ml/post/1895271
FYI!!! In case you start getting re-directed to porn sites.
Maybe the admin got hacked?
edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.
Post discussing the point of vulnerability: https://lemmy.ml/post/1896249
You must log in or register to comment.
Swear this is the same guy that did the trending community spam a few days ago, he was angry about being banned for squatting on known subreddit names here on Lemmy, even the compromised admin account said something about it in her comments before this happened 🤦♂️
Some information I have posted to Lemmy.World:
I am not a super code-literate person so bare with me on this… But. Still please becareful. There appears to be a vulnerability.
Users are posting images like the following:
And inside hidden is JavaScript code that when executed can take cookie information and send it to a URL address.
Among other things. At this time if you see an image please click the icon circled before clicking the link. DO NOT CLICK THE IMAGE. If you see anything suspicious, please report it immediately. It is better a false report than a missed one.
I have seen multiple posts by these people during the attack. It is most certainly related to JS.
lmao I’m so stupid I pressed on that image and now my account is compromised. oh well it forced to create another and this is my first hack yayyyyy!
There’s so many things wrong with this I don’t even know where to start
Wtf how is this even possible? Are the Lemmy devs smoking crack? If you’re going to run a reddit alternative, it may be wise to sanitize the fuck out of everything posted on there.
You are free to open a PR
Hey everyone, this exploit was present in the custom emoji feature of Lemmy. Because lemdro.id does not use custom emojis, we are not vulnerable at this time.
Did this result in Lemmy.world being defederated from Lemdro.id?
Lemmy.world is back up and the hack is over, but when I view !android@lemdro.id using my lemmy.world account I can’t see anything.
EDIT: In case anyone else is having this problem, the issue was my language settings. Despite having “Undetermined” set as a language, that was the problem - I clicked the little “X” to unselect all languages and then saved, and now it’s working again.
I have not de-federated other instances simply because lemdro.id is not vulnerable to this particular exploit
When I wanted to do some lemmying earlier, the LemmyWorld logo said ‘Israel’, and when I put my cursor over it, it said 'N***a Style. Then when I clicked the logo (stupid me, no doubt), it redirected me to a pic of some dude with a cigar, with the caption (iirc) “I r * pe kids in the woods”. I did a virus scan which came up clear. Dunno what else to do when shit like that happens, as I am not the brightest bulb in the chandelier.
Is blahaj zone still down? Haven’t been able to log in recently.
If they changed their server token, which they would have done to reduce the chances of the hackers reusing the same account tokens, you need to refresh your browser cache/cookies.
On desktop, you can do this by hitting
CTRL-SHIFT-R, and on mobile, you probably just have to sign out and sign back in again.
I think it’s hilarious that Reddit protesters were redirected to NSFW content, karma is coming around lmfao
