cross-posted from: https://lemmy.ml/post/1895271
FYI!!! In case you start getting re-directed to porn sites.
Maybe the admin got hacked?
edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.
Post discussing the point of vulnerability: https://lemmy.ml/post/1896249
Thatās even worse, if Lemmy has a vulnerability like that it needs to get fixed ASAPā¦ Also if that code actually works, I am going to have to secure my account.
Iād wager youāre likely fine if youāre using a mobile app when the affected image loads. Also, it appears theyāre stealing auth tokensā¦ not passwords or anything. At worst they could impersonate you until your token expiresā¦ but youāre not a high value target unless youāre an admin of an instance.
the thing is right now lemmy by defaultNEVER expires the tokensā¦ oops. Right now servers are manually expiring all their userās tokens by changing the secret in the database because of this attack.
I used Firefoxā¦ So I definitely reset my password. Thing is I do not see an option for Lemmy where you can āsign out everywhereā which is the counter to Auth token stealing.
So I had to change it so that the Auth token would expire. Whilst I am not an admin I wonāt take the chance. It could compromise other users and I do not want to take that risk.