this post was submitted on 10 Jul 2023
174 points (97.8% liked)

Lemmy.ca's Main Community

2811 readers
3 users here now

Welcome to lemmy.ca's c/main!

Since everyone on lemmy.ca gets subscribed here, this is the place to chat about the goings on at lemmy.ca, support-type items, suggestions, etc.

Announcements can be found at https://lemmy.ca/c/meta

For support related to this instance, use https://lemmy.ca/c/lemmy_ca_support

founded 3 years ago
MODERATORS
 

cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 32 points 1 year ago* (last edited 1 year ago) (2 children)

This has nothing to do with XSS, it is a simple HTML injection vulnerability, and it can only be exploited by instance admins.

Also Lemmy.world appears to have been running a custom frontend so it’s hard to say how widespread the affects of this are.

[–] [email protected] 9 points 1 year ago

You seem to be following the situation closely. Could you please DM me on Matrix?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Worst case scenario, they can steal your Lemmy session, right?

Which isn't super bad for a service like Lemmy. This isn't a social network, so most contact list scams would be useless.

Edit: just read the targets were admins. That IS bad.

[–] [email protected] 3 points 1 year ago (1 children)

Lemmy isn't a social network? Seems to be one to me.

[–] [email protected] 3 points 1 year ago

I mean, not in the traditional sense. You don't have your family and friends as Lemmy contacts and share posts with them. It's more anonymous.