cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

  • tarjeezy@lemmy.ca
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    Good luck, and thanks for all your hard work. I don’t know if you already saw this, but it looks like this might be the vector for the account compromise. If that’s the case, I don’t think 2FA is enough to protect, because it’s exfiltrating the session cookies of someone already logged in. Seems like the precaution is for admins to avoid clicking any suspicious links. I realize the irony of sharing a link about this, but at least it’s to a thread on this instance.

    https://lemmy.ca/post/1311411

    • TruckBC@lemmy.caM
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 year ago

      I’m copying all links into a brand new incognito mode window for now.