Lemmy.World Announcements

29099 readers

30 users here now

This Community is intended for posts about the Lemmy.world server by the admins.

Follow us for server news 🐘

Outages 🔥

https://status.lemmy.world

For support with issues at Lemmy.world, go to the Lemmy.world Support community.

Support e-mail

Any support requests are best sent to [email protected] e-mail.

Report contact

DM https://lemmy.world/u/lwreport
Email [email protected] (PGP Supported)

Donations 💗

If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.

If you can, please use / switch to Ko-Fi, it has the lowest fees for us

Join the team

founded 2 years ago

MODERATORS

118

Lemmy.world Site Redirects and More Removed (self.lemmyworld)

submitted 1 year ago by MichelleG to c/lemmyworld

93 comments fedilink hide all child comments

We know an issue occurred on the site over an hour ago with someone using my account to redirect the site, make fake posts, and change other settings. The problem has been corrected.

We will continue to monitor the situation and keep you informed.

you are viewing a single comment's thread
view the rest of the comments

[–] TheVampireSaga 42 points 1 year ago (11 children)

don't turn into reddit admins now, please answer this lol

[–] dezmd 46 points 1 year ago (9 children)

Give them some time to investigate maybe?

[–] AlmightySnoo 30 points 1 year ago* (last edited 1 year ago) (7 children)

Here's what I think happened: https://lemmy.world/comment/1059957

Basically it's Javascript that was injected in the main sidebar. That means that Lemmy doesn't escape HTML in the main sidebar (what about community sidebars?) and that Lemmy devs need to prioritize a security audit of the whole code base right now, I did this kind of shit when I was a kid and it's just insane that Lemmy has this vulnerability, this was not some sophisticated hack.

What it also means is that it's very unlikely that any personal data was compromised.

[–] Onlycats 3 points 1 year ago (1 children)

It's looks like an admin account got compromised.

[–] AlmightySnoo 11 points 1 year ago (1 children)

Yes that's what allowed them to modify the contents of the sidebar, but the more serious problem is that you can put HTML in the sidebar and it won't be escaped by the Lemmy backend. That's what allowed this JavaScript redirection.

[–] deweydecibel 9 points 1 year ago* (last edited 1 year ago) (1 children)

Should also be pointed out the admin is evidently still compromised. The one that posted this thread.

[–] AlmightySnoo 4 points 1 year ago

I'm opening Pandora's box: what if all sidebars, not just the main one, have this vulnerability? An admin account being compromised will be the least of our worries if this is the case.

load more comments (5 replies)

load more comments (6 replies)

load more comments (7 replies)