UPDATE: Thanks to the analysis of other instance admins, it has been determined that instances without custom emojis (which includes dormi.zone) should be safe. As such, dormi.zone is now available on the web again. Expect another pinned post later today.

Below you’ll find the original post.


Hello everyone,

There is currently a security vulnerability being exploited across Lemmy. Comments and other content on an instance containing custom emojis may steal your login session, see here: https://lemmy.ml/post/1895271

Due to this I have decided to partially take down dormi.zone.

Since the exploit takes place on the web UI of Lemmy, dormi.zone will be unavailable for the time being when visiting through https://dormi.zone/.

Remote users will continue to be able to interact with dormi.zone communities as normal. Users registered on dormi.zone may continue to access it using a third-party app such as Jerboa or Liftoff.

This instruction will be unavailable to anyone who isn’t already using one. I’m aware that it’s counterintuitive and I’m sorry. If I wasn’t currently at work, I would have set up a proper status page when visiting dormi.zone. I’ll make sure it’s there the next time it’s needed.

Expect to see a follow-up post where I share the assessed damages and next steps.