this post was submitted on 10 Jul 2023
70 points (100.0% liked)

Fediverse

19 readers
2 users here now

This magazine is dedicated to discussions on the federated social networking ecosystem, which includes decentralized and open-source social media platforms. Whether you are a user, developer, or simply interested in the concept of decentralized social media, this is the place for you. Here you can share your knowledge, ask questions, and engage in discussions on topics such as the benefits and challenges of decentralized social media, new and existing federated platforms, and more. From the latest developments and trends to ethical considerations and the future of federated social media, this category covers a wide range of topics related to the Fediverse.

founded 2 years ago
70
Multiple lemmy instances are getting hit with a js injection (sh.itjust.works)
submitted 1 year ago by wetnoodle@sh.itjust.works to c/fediverse@kbin.social
22 comments fedilink hide all child comments
 

Lemmy.world and lemmy.blahaj.zone have been hit with a JavaScript injection attack it seems.

top 21 comments
sorted by: hot top controversial new old
[–] metaStatic@kbin.social 25 points 1 year ago (1 children)

you are being redirected to a porn site. sorry for the convenience.

[–] wetnoodle@kbin.social 9 points 1 year ago (2 children)

it's also preventing all other content and (hopefully) temporarily killing the instance, I know you're probably just joking but this ain't good

[–] metaStatic@kbin.social 3 points 1 year ago

oh hell no, I mean heck no, this is totally bad news bears. They just got clowned and if you don't laugh at yourself someone will do it for you.

[–] Midnitte@kbin.social 2 points 1 year ago

I used to watch porn. I still do, but I used to, too.

[–] 0xtero@kbin.social 13 points 1 year ago (1 children)

Looks like Lemmy code has a security vulnerability, persistent XSS, that allows injection of Javascript into the sidebar and comments. That allowed the attacker to force load NSFW content even after lemmy.world admins cleaned up the first attack.

Looks like the injected JS code also steals login tokens from your browser, seems some admin accounts got compromised this way.
Probably a good idea to not visit Lemmy sites for time being (or block execution of Javascript in your browser, which is always a good idea).

[–] IHeartBadCode@kbin.social 2 points 1 year ago

Not just sidebar or comments, but anywhere markdown is used. The issue is the markdown editor. This is the current proposed fix.

[–] IHeartBadCode@kbin.social 10 points 1 year ago (2 children)

Issue 1895 opened and patch purposed for the core issue. The markdown editor does no escaping input on custom emojis. This is likely why users on app were seeing text and not getting the redirect.

[–] 0xtero@kbin.social 2 points 1 year ago

🙃

[–] wetnoodle@sh.itjust.works 7 points 1 year ago

https://lemmy.ml/post/1895271

[–] reflex@kbin.social 6 points 1 year ago* (last edited 1 year ago)

Lemmy like: https://thumbs.gfycat.com/BruisedAfraidIridescentshark-size_restricted.gif

[–] fiat_lux@kbin.social 5 points 1 year ago

If you build it, they will come (to break it).

[–] dowath@kbin.social 4 points 1 year ago (1 children)

Takes me back to the myspace days.

[–] TimeSquirrel@kbin.social 2 points 1 year ago

The self-replicating javascript friend-adding worm! I remember that.

[–] ImaginaryFox@kbin.social 1 points 1 year ago (1 children)

Any recommendations on how to mitigate risks like this when it comes to browsing lemmy? Any lite version to see lemmy through without Javascript?

[–] techno156@kbin.social 3 points 1 year ago

No. The existing Lemmy-Lite that was advertised on join-Lemmy.org appears to be massively out of date, and no longer actively maintained.

It was a bug with Lemmy-UI, so you might be able to get away using an app or site that isn't vulnerable. Whether that is Wefwef, one of the apps, like Jerboa, or something that is Federated, but not Lemmy, like Kbin, or Mastodon (things might be a bit clunky if you do, since Lemmy threads aren't well handled by Mastodon).

load more comments
view more: next ›