cross-posted from: https://lemmy.ml/post/1895271

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

  • Aer@lemmy.world
    link
    fedilink
    English
    arrow-up
    34
    ·
    edit-2
    1 year ago

    Some information I have posted to Lemmy.World:

    I am not a super code-literate person so bare with me on this… But. Still please becareful. There appears to be a vulnerability.

    Users are posting images like the following:

    https://imgur.com/a/RS4iAeI

    And inside hidden is JavaScript code that when executed can take cookie information and send it to a URL address.

    Among other things. At this time if you see an image please click the icon circled before clicking the link. DO NOT CLICK THE IMAGE. If you see anything suspicious, please report it immediately. It is better a false report than a missed one.

    I have seen multiple posts by these people during the attack. It is most certainly related to JS.

      • Aer@lemmy.world
        link
        fedilink
        English
        arrow-up
        14
        ·
        1 year ago

        That’s even worse, if Lemmy has a vulnerability like that it needs to get fixed ASAP… Also if that code actually works, I am going to have to secure my account.

        • 𝙚𝙧𝙧𝙚@feddit.win
          link
          fedilink
          English
          arrow-up
          15
          ·
          edit-2
          1 year ago

          I’d wager you’re likely fine if you’re using a mobile app when the affected image loads. Also, it appears they’re stealing auth tokens… not passwords or anything. At worst they could impersonate you until your token expires… but you’re not a high value target unless you’re an admin of an instance.

          • Aer@lemmy.world
            link
            fedilink
            English
            arrow-up
            13
            ·
            1 year ago

            I used Firefox… So I definitely reset my password. Thing is I do not see an option for Lemmy where you can “sign out everywhere” which is the counter to Auth token stealing.

            So I had to change it so that the Auth token would expire. Whilst I am not an admin I won’t take the chance. It could compromise other users and I do not want to take that risk.

    • Hairypooper@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      Wtf how is this even possible? Are the Lemmy devs smoking crack? If you’re going to run a reddit alternative, it may be wise to sanitize the fuck out of everything posted on there.

        • waltuh@feddit.uk
          link
          fedilink
          English
          arrow-up
          8
          ·
          1 year ago

          Not really helpful though is it? It’s like going to a friend’s house and asking why there is a sink hole in the middle of the floor that everyone is walking around, and they say “feel free get a hammer out”.

          • lowleveldata@programming.dev
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            It’s more like when everyone is looking at the previously unknown hole and discussing how to patch it up and you start yelling how it is unacceptable as your friend’s house is a “bar alternative”

            • madcaesar@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Honestly I think you’re all right. This is such a basic vulnerability it should never existed… AND I told you so’s and bitching don’t help.

      • jherazob@kbin.social
        link
        fedilink
        arrow-up
        6
        ·
        edit-2
        1 year ago

        Little Bobby Tables strikes again

        Now seriously, people forget that Lemmy is alpha software, and Kbin is even younger

      • PupBiru@kbin.social
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        the threadiverse wasn’t exactly popular until the reddit exodus

        id probably flip it: are lemmy users smoking crack? if you’re going to run to a reddit alternative, it’d be wise not to choose alpha software!

      • HobbitFoot @thelemmy.club
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        People have said the platform is years old, but it didn’t really get tested until June. I wouldn’t be surprised if more issues like this are found.

    • TheFrirish@jlai.lu
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      lmao I’m so stupid I pressed on that image and now my account is compromised. oh well it forced to create another and this is my first hack yayyyyy!

      • Aer@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        ·
        1 year ago

        Clicking the image isn’t the issue, scrolling by it will nab your Auth tokens. Resetting your password will reset the Auth tokens protecting your account. A sign out everywhere button would fix it but that isn’t an option yet. It really needs to be.

      • Fal@yiffit.net
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        1
        ·
        1 year ago

        There’s so many things wrong with this I don’t even know where to start