cross-posted from: https://lemmy.ml/post/1895271

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

You are viewing a single thread.
View all comments View context

If itā€™s onload then simply viewing the image runs that script. Yikes.

permalink
report
parent
reply
14 points

Thatā€™s even worse, if Lemmy has a vulnerability like that it needs to get fixed ASAPā€¦ Also if that code actually works, I am going to have to secure my account.

permalink
report
parent
reply

Iā€™d wager youā€™re likely fine if youā€™re using a mobile app when the affected image loads. Also, it appears theyā€™re stealing auth tokensā€¦ not passwords or anything. At worst they could impersonate you until your token expiresā€¦ but youā€™re not a high value target unless youā€™re an admin of an instance.

permalink
report
parent
reply
5 points
*

the thing is right now lemmy by defaultNEVER expires the tokensā€¦ oops. Right now servers are manually expiring all their userā€™s tokens by changing the secret in the database because of this attack.

permalink
report
parent
reply
12 points

I used Firefoxā€¦ So I definitely reset my password. Thing is I do not see an option for Lemmy where you can ā€œsign out everywhereā€ which is the counter to Auth token stealing.

So I had to change it so that the Auth token would expire. Whilst I am not an admin I wonā€™t take the chance. It could compromise other users and I do not want to take that risk.

permalink
report
parent
reply

Android

!android@lemdro.id

Create post

The new home of /r/Android on Lemmy and the Fediverse!

Android news, reviews, tips, and discussions about rooting, tutorials, and apps.

šŸ”—Universal Link: !android@lemdro.id


šŸ’”Content Philosophy:

Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if itā€™s in violation of the rules.


Support, technical, or app related questions belong in: !askandroid@lemdro.id

For fresh communities, lemmy apps, and instance updates: !lemdroid@lemdro.id

šŸ’¬Matrix Chat

šŸ’¬Telegram channels / chats

šŸ“°Our communities below


Rules

  1. Stay on topic: All posts should be related to the Android OS or ecosystem.

  2. No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to !askandroid@lemdro.id.

  3. Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to !androidmemes@lemdro.id.

  4. No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.

  5. No reposts or rehosted content: Share only the original source of an article, unless itā€™s not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.

  6. No editorializing titles: You can add the author or websiteā€™s name if helpful, but keep article titles unchanged.

  7. No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.

  8. No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.

  9. No offensive or low-effort content: Donā€™t post offensive or unhelpful content. Keep it civil and friendly!

  10. No affiliate links: Posting affiliate links is not allowed.

Quick Links

Our Communities
Lemmy App List
Chat and More

Community stats

  • 1.5K

    Monthly active users

  • 2.8K

    Posts

  • 34K

    Comments