cross-posted from: https://lemmy.ml/post/1895271

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

  • cole@lemdro.id
    shield
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    1 year ago

    Hey everyone, this exploit is present in the custom emoji feature of Lemmy. Because lemdro.id does not use custom emojis, we are not vulnerable at this time.

  • alaxitoo@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Swear this is the same guy that did the trending community spam a few days ago, he was angry about being banned for squatting on known subreddit names here on Lemmy, even the compromised admin account said something about it in her comments before this happened 🤦‍♂️

    • Nepenthe@kbin.social
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Wait, was that the one that had a community list well into the twenties? Or was that someone else? I don’t think all that stuff reached me, but I did hear about a wannabe powermod like a week and a half ago. Much good that does anyone in a defederated system.

      • alaxitoo@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        1 year ago

        His username at the time was “LMAO” and I think so… he did it again on another Lemmy instance but used a different username that time as well 😂

    • bdonvr@thelemmy.club
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Time to move from banning to contacting authorities then… spam is one thing. This is criminal.

    • T156@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      If they changed their server token, which they would have done to reduce the chances of the hackers reusing the same account tokens, you need to refresh your browser cache/cookies.

      On desktop, you can do this by hitting CTRL-SHIFT-R, and on mobile, you probably just have to sign out and sign back in again.

  • Banana@kbin.social
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    In all seriousness, no one is talking about this, but this is the one disadvantage of open source software being developed by volunteers, we don’t know exactly how the admin accounts were hacked but the XSS stuff is really basic stuff, none of those fields were sanatised at all, and it makes me concerned what else has been missed, obviously the advantage of open source is in time this stuff can get fixed, but this is what happens when loads of people who aren’t experts contribute to a site.

    In comparison to sites where there is a fully hired developer team the quality of the code is significantly better. I really hope the passwords were hashed on these instances and the hackers didn’t get plain text passwords or anything really bad like this.

    One thing and credit to Ernest, as I’ve contributed there he does very thorough code reviews and his quality of code is very good, its why im confident kbin won’t be hacked.

  • Aer@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    1 year ago

    Some information I have posted to Lemmy.World:

    I am not a super code-literate person so bare with me on this… But. Still please becareful. There appears to be a vulnerability.

    Users are posting images like the following:

    https://imgur.com/a/RS4iAeI

    And inside hidden is JavaScript code that when executed can take cookie information and send it to a URL address.

    Among other things. At this time if you see an image please click the icon circled before clicking the link. DO NOT CLICK THE IMAGE. If you see anything suspicious, please report it immediately. It is better a false report than a missed one.

    I have seen multiple posts by these people during the attack. It is most certainly related to JS.

    • Hairypooper@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      Wtf how is this even possible? Are the Lemmy devs smoking crack? If you’re going to run a reddit alternative, it may be wise to sanitize the fuck out of everything posted on there.

    • TheFrirish@jlai.lu
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      lmao I’m so stupid I pressed on that image and now my account is compromised. oh well it forced to create another and this is my first hack yayyyyy!

      • Fal@yiffit.net
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        There’s so many things wrong with this I don’t even know where to start

  • darrsil@lemdro.id
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    1 year ago

    Did this result in Lemmy.world being defederated from Lemdro.id?

    Lemmy.world is back up and the hack is over, but when I view !android@lemdro.id using my lemmy.world account I can’t see anything.

    EDIT: In case anyone else is having this problem, the issue was my language settings. Despite having “Undetermined” set as a language, that was the problem - I clicked the little “X” to unselect all languages and then saved, and now it’s working again.

  • mutant@kbin.social
    link
    fedilink
    arrow-up
    0
    arrow-down
    3
    ·
    1 year ago

    I think it’s hilarious that Reddit protesters were redirected to NSFW content, karma is coming around lmfao

    • XiELEd@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      What karma? Spez started it by being a liar 🤷‍♂️ so I say it is natural that people stop supporting him.

      • thayer@lemmy.ca
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Dude’s got 44 comments and every single one is a complaint about the reddit protest or protestors. Might just be spez himself lol