cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

  • darkcalling
    link
    fedilink
    English
    arrow-up
    9
    ·
    edit-2
    1 year ago

    So the take-away so far is that lemmy.world including admin accounts may be compromised. XSS attacks are being used, perhaps in a targeted, perhaps generalized fashion to steal session cookies which is pretty bad as it allows the attacker to gain the login session of any victims. In the case of an admin they could do anything an admin could which is pretty bad as far as being able to steal user information, plant further malware, escalate the attack, etc.

    Do not visit lemmy.world, be wary of any and all links you click.

    Saw a claim on hexbear that the instance doing the attacks is zelensky dot zip which is definitely something though what I don’t know.

    You should be able to invalidate any active login sessions by changing your password.