cross-posted from: https://lemmy.ml/post/1895271

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

  • 𝙚𝙧𝙧𝙚
    link
    fedilink
    English
    19
    edit-2
    1 year ago

    If it’s onload then simply viewing the image runs that script. Yikes.

    • Aer
      link
      fedilink
      English
      141 year ago

      That’s even worse, if Lemmy has a vulnerability like that it needs to get fixed ASAP… Also if that code actually works, I am going to have to secure my account.

      • 𝙚𝙧𝙧𝙚
        link
        fedilink
        English
        15
        edit-2
        1 year ago

        I’d wager you’re likely fine if you’re using a mobile app when the affected image loads. Also, it appears they’re stealing auth tokens… not passwords or anything. At worst they could impersonate you until your token expires… but you’re not a high value target unless you’re an admin of an instance.

        • Aer
          link
          fedilink
          English
          121 year ago

          I used Firefox… So I definitely reset my password. Thing is I do not see an option for Lemmy where you can “sign out everywhere” which is the counter to Auth token stealing.

          So I had to change it so that the Auth token would expire. Whilst I am not an admin I won’t take the chance. It could compromise other users and I do not want to take that risk.

        • @[email protected]
          link
          fedilink
          English
          5
          edit-2
          1 year ago

          the thing is right now lemmy by defaultNEVER expires the tokens… oops. Right now servers are manually expiring all their user’s tokens by changing the secret in the database because of this attack.