Lemmy.world and lemmy.blahaj.zone have been hit with a JavaScript injection attack it seems.

    • forpeace
      link
      fedilink
      72 years ago

      Please go back to reddit and stop bothering people here.

    • wetnoodle
      link
      fedilink
      142 years ago

      that’s not the issue bruh they literally used a JavaScript injection to redirect all other posts to whatever nsfw stuff they wanted

      • techno156
        link
        fedilink
        72 years ago

        And if they could do that, someone else could use the same trick to do worse things, since they’re just running bare JavaScript.

    • ZILtoid1991
      link
      fedilink
      12 years ago

      If you don’t like Lemmy/Kbin, then you can just go back to Reddit…

  • metaStatic
    link
    fedilink
    252 years ago

    you are being redirected to a porn site. sorry for the convenience.

    • wetnoodle
      link
      fedilink
      92 years ago

      it’s also preventing all other content and (hopefully) temporarily killing the instance, I know you’re probably just joking but this ain’t good

      • metaStatic
        link
        fedilink
        32 years ago

        oh hell no, I mean heck no, this is totally bad news bears. They just got clowned and if you don’t laugh at yourself someone will do it for you.

      • Midnitte
        link
        fedilink
        22 years ago

        I used to watch porn. I still do, but I used to, too.

    • TimeSquirrel
      link
      fedilink
      22 years ago

      The self-replicating javascript friend-adding worm! I remember that.

  • IHeartBadCode
    link
    fedilink
    112 years ago

    Issue 1895 opened and patch purposed for the core issue. The markdown editor does no escaping input on custom emojis. This is likely why users on app were seeing text and not getting the redirect.

  • 0xtero
    link
    fedilink
    132 years ago

    Looks like Lemmy code has a security vulnerability, persistent XSS, that allows injection of Javascript into the sidebar and comments. That allowed the attacker to force load NSFW content even after lemmy.world admins cleaned up the first attack.

    Looks like the injected JS code also steals login tokens from your browser, seems some admin accounts got compromised this way.
    Probably a good idea to not visit Lemmy sites for time being (or block execution of Javascript in your browser, which is always a good idea).

  • ImaginaryFox
    link
    fedilink
    12 years ago

    Any recommendations on how to mitigate risks like this when it comes to browsing lemmy? Any lite version to see lemmy through without Javascript?

    • techno156
      link
      fedilink
      32 years ago

      No. The existing Lemmy-Lite that was advertised on join-Lemmy.org appears to be massively out of date, and no longer actively maintained.

      It was a bug with Lemmy-UI, so you might be able to get away using an app or site that isn’t vulnerable. Whether that is Wefwef, one of the apps, like Jerboa, or something that is Federated, but not Lemmy, like Kbin, or Mastodon (things might be a bit clunky if you do, since Lemmy threads aren’t well handled by Mastodon).