DO NOT OPEN THE “LEGAL” PAGE — lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar. It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars. [https://sh.itjust.works/pictrs/image/707c0f16-3d5c-4888-b865-34228d968ee6.png] EDIT: the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter: [https://sh.itjust.works/pictrs/image/2dc8838f-4611-4b62-92d2-ab45d7b1c560.png] [https://sh.itjust.works/pictrs/image/9195ec9c-166e-4190-a991-26d218089602.png] EDIT 2: The legal information field also has that exploit, so that when you go to the “Legal” page it shows the HTML unescaped, but fortunately (for now) he’s using double-quotes. "legal_information":" $" onload="if(localStorage.getItem(h) != true){document.body.innerHTML = \u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E; setTimeout(() =\\u003E {window.location.href = https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4}, 10000)}"$

top 1 comments

sorted by: hot top controversial new old

[-] Achyu 1 points 1 year ago* (last edited 1 year ago)

Not a programmer, so what should regular users do to be safe? Turn off javascript? Or maybe use u-block origin to filter out stuff?
Are app users safe?

And the lemmy developers informed of the issue?

Thank you for sharing this.

this post was submitted on 14 Jul 2023

4 points (100.0% liked)

Today I Learned

1 readers

1 users here now

Today I Learned (TIL). You learn something new every day; what did you learn today?

founded 1 year ago

MODERATORS

melroy@kbin.melroy.org