cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.
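Two defensive checks an instance admin could run over stored sidebar text, as an added example that is not part of the original post and not Lemmy's own code: escapeHtml() shows what rendering the sidebar as text (rather than raw HTML) looks like, and auditSidebar() flags markup that has no business in a sidebar, such as the injected redirect described above. Function names and the sample sidebars are constructed for this example.

```javascript
// Added example (not Lemmy code). Defensive handling of a site/community sidebar:
// (1) escapeHtml() renders stored sidebar text inert when shown as plain text;
// (2) auditSidebar() flags active content so an admin can detect an injected
//     redirect script in a sidebar before it reaches readers' browsers.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five HTML-significant characters so the browser treats the
// content as text, not markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Patterns that indicate active content rather than sidebar prose.
const SUSPICIOUS = [
  { name: "script tag", re: /<\s*script\b/i },
  { name: "inline event handler", re: /\son[a-z]+\s*=/i },
  { name: "javascript: URL", re: /javascript\s*:/i },
  { name: "meta refresh", re: /<\s*meta[^>]*http-equiv\s*=\s*["']?refresh/i },
  { name: "iframe/object/embed", re: /<\s*(iframe|object|embed)\b/i },
];

// Return the names of every suspicious pattern found (empty for plain prose).
function auditSidebar(html) {
  return SUSPICIOUS.filter(({ re }) => re.test(html)).map(({ name }) => name);
}

// Constructed sample sidebars (hypothetical, not taken from the incident).
const CLEAN_SIDEBAR = "Welcome to our instance! Rules: be nice. Contact: admin@example.invalid";
const INJECTED_SIDEBAR =
  'Welcome! <script>window.location = "https://attacker.invalid/"</script>';

console.log(auditSidebar(CLEAN_SIDEBAR));    // []
console.log(auditSidebar(INJECTED_SIDEBAR)); // [ 'script tag' ]
console.log(escapeHtml(INJECTED_SIDEBAR));   // script tag rendered as &lt;script&gt;...
```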

  • Gamingodcat@2dl.eu · ↑33 ↓1 · edited · 1 year ago

    This has nothing to do with XSS; it is a simple HTML injection vulnerability, and it can only be exploited by instance admins.

    Also, Lemmy.world appears to have been running a custom frontend, so it’s hard to say how widespread the effects of this are.

    • TruckBCMA · ↑9 · 1 year ago

      You seem to be following the situation closely. Could you please DM me on Matrix?

    • pazukaza@lemmy.ml · ↑2 ↓1 · edited · 1 year ago

      Worst case scenario, they can steal your Lemmy session, right?

      Which isn’t super bad for a service like Lemmy. This isn’t a social network, so most contact list scams would be useless.

      Edit: just read the targets were admins. That IS bad.

      • Auli · ↑3 · 1 year ago

        Lemmy isn’t a social network? Seems to be one to me.

        • pazukaza@lemmy.ml · ↑3 · 1 year ago

          I mean, not in the traditional sense. You don’t have your family and friends as Lemmy contacts and share posts with them. It’s more anonymous.