this post was submitted on 10 Jul 2023
469 points (99.2% liked)
Fediverse
17677 readers
24 users here now
A community dedicated to fediverse news and discussion.
Fediverse is a portmanteau of "federation" and "universe".
Getting started on Fediverse;
- What is the fediverse?
- Fediverse Platforms
- How to run your own community
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Yeah the "redirect somewhere else" attack definitely doesn't necessarily require any particular control of the site. Usually it's noticing that you can trick some text into being run as Javascript, instead of interpreted as text... And then you just stick in a cheeky little
<notarealscript>window.location = "https://www.badsite.horse"</notarealscript>
into that spot.Then every time that comment, username, (in this case apparently) custom emoji, etc. gets loaded, whoops, the code runs and off you go!
So no control of the site is required at all.