cross-posted from: https://lemmy.ml/post/1895271

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

Avatar
cole@lemdro.idA
15 points
*

Hey everyone, this exploit is present in the custom emoji feature of Lemmy. Because lemdro.id does not use custom emojis, we are not vulnerable at this time.

permalink
report
reply
47 points

Swear this is the same guy that did the trending community spam a few days ago, he was angry about being banned for squatting on known subreddit names here on Lemmy, even the compromised admin account said something about it in her comments before this happened 🤦‍♂️

permalink
report
reply
12 points

Time to move from banning to contacting authorities then… spam is one thing. This is criminal.

permalink
report
parent
reply
11 points

Wait, was that the one that had a community list well into the twenties? Or was that someone else? I don’t think all that stuff reached me, but I did hear about a wannabe powermod like a week and a half ago. Much good that does anyone in a defederated system.

permalink
report
parent
reply
12 points
*

His username at the time was “LMAO” and I think so… he did it again on another Lemmy instance but used a different username that time as well 😂

permalink
report
parent
reply
35 points

Deeply unfortunate that something like this could happen, you always hope that code injection vulnerabilities are found before someone is hacked. With that in mind, this shows the importance of two security principles: always parse and clean user input and don’t click links (including images) before checking where they are going to send you.

permalink
report
reply
17 points

This used an onLoad which isn’t generally shown when you hover over a link in a browser. Most people, even devs, aren’t going to jump on the console to check every link.

NoScript would probably have helped though.

permalink
report
parent
reply
30 points

What kind of terrible markdown editor allows adding onload scripts to images though… it’s insane.

permalink
report
parent
reply
16 points

Also doesn’t help when using mobile and there’s no hover over

permalink
report
parent
reply
4 points

You can usually click and hold on mobile and an popup will appear showing the link (I think) - or you can click and hold and copy the link and paste it somewhere to see where it’s going to go.

permalink
report
parent
reply
33 points
*

Some information I have posted to Lemmy.World:

I am not a super code-literate person so bare with me on this… But. Still please becareful. There appears to be a vulnerability.

Users are posting images like the following:

https://imgur.com/a/RS4iAeI

And inside hidden is JavaScript code that when executed can take cookie information and send it to a URL address.

Among other things. At this time if you see an image please click the icon circled before clicking the link. DO NOT CLICK THE IMAGE. If you see anything suspicious, please report it immediately. It is better a false report than a missed one.

I have seen multiple posts by these people during the attack. It is most certainly related to JS.

permalink
report
reply
19 points
*

If it’s onload then simply viewing the image runs that script. Yikes.

permalink
report
parent
reply
14 points

That’s even worse, if Lemmy has a vulnerability like that it needs to get fixed ASAP… Also if that code actually works, I am going to have to secure my account.

permalink
report
parent
reply
15 points
*

I’d wager you’re likely fine if you’re using a mobile app when the affected image loads. Also, it appears they’re stealing auth tokens… not passwords or anything. At worst they could impersonate you until your token expires… but you’re not a high value target unless you’re an admin of an instance.

permalink
report
parent
reply
3 points

lmao I’m so stupid I pressed on that image and now my account is compromised. oh well it forced to create another and this is my first hack yayyyyy!

permalink
report
parent
reply
9 points

Clicking the image isn’t the issue, scrolling by it will nab your Auth tokens. Resetting your password will reset the Auth tokens protecting your account. A sign out everywhere button would fix it but that isn’t an option yet. It really needs to be.

permalink
report
parent
reply
8 points

There’s so many things wrong with this I don’t even know where to start

permalink
report
parent
reply
-9 points

Wtf how is this even possible? Are the Lemmy devs smoking crack? If you’re going to run a reddit alternative, it may be wise to sanitize the fuck out of everything posted on there.

permalink
report
parent
reply
21 points

Please feel free to perform a full security audit.

permalink
report
parent
reply
10 points

You are free to open a PR

permalink
report
parent
reply
6 points

Not really helpful though is it? It’s like going to a friend’s house and asking why there is a sink hole in the middle of the floor that everyone is walking around, and they say “feel free get a hammer out”.

permalink
report
parent
reply
5 points
*

Little Bobby Tables strikes again

Now seriously, people forget that Lemmy is alpha software, and Kbin is even younger

permalink
report
parent
reply
2 points

People have said the platform is years old, but it didn’t really get tested until June. I wouldn’t be surprised if more issues like this are found.

permalink
report
parent
reply
1 point

¯_(ツ)_/¯ Lemmy.

permalink
report
parent
reply
1 point

well Reddit was hacked so lemmy is still on track

permalink
report
parent
reply
1 point

the threadiverse wasn’t exactly popular until the reddit exodus

id probably flip it: are lemmy users smoking crack? if you’re going to run to a reddit alternative, it’d be wise not to choose alpha software!

permalink
report
parent
reply
28 points

Script kiddies. insert eyeroll emoji here

permalink
report
reply
6 points

Here take this: 🙄

permalink
report
parent
reply

Android

!android@lemdro.id

Create post

The new home of /r/Android on Lemmy and the Fediverse!

Android news, reviews, tips, and discussions about rooting, tutorials, and apps.

🔗Universal Link: !android@lemdro.id


💡Content Philosophy:

Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it’s in violation of the rules.


Support, technical, or app related questions belong in: !askandroid@lemdro.id

For fresh communities, lemmy apps, and instance updates: !lemdroid@lemdro.id

💬Matrix Chat

💬Telegram channels / chats

📰Our communities below


Rules

  1. Stay on topic: All posts should be related to the Android OS or ecosystem.

  2. No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to !askandroid@lemdro.id.

  3. Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to !androidmemes@lemdro.id.

  4. No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.

  5. No reposts or rehosted content: Share only the original source of an article, unless it’s not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.

  6. No editorializing titles: You can add the author or website’s name if helpful, but keep article titles unchanged.

  7. No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.

  8. No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.

  9. No offensive or low-effort content: Don’t post offensive or unhelpful content. Keep it civil and friendly!

  10. No affiliate links: Posting affiliate links is not allowed.

Quick Links

Our Communities
Lemmy App List
Chat and More

Community stats

  • 1.3K

    Monthly active users

  • 2.8K

    Posts

  • 34K

    Comments