cross-posted from: https://lemmy.ml/post/1895271

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

  • NotAFuckingBot
    link
    fedilink
    English
    12
    edit-2
    1 year ago

    When I wanted to do some lemmying earlier, the LemmyWorld logo said ‘Israel’, and when I put my cursor over it, it said 'N***a Style. Then when I clicked the logo (stupid me, no doubt), it redirected me to a pic of some dude with a cigar, with the caption (iirc) “I r * pe kids in the woods”. I did a virus scan which came up clear. Dunno what else to do when shit like that happens, as I am not the brightest bulb in the chandelier.

    • tal
      link
      fedilink
      6
      edit-2
      1 year ago

      I have not seen any notice as to how either users or admins should mitigate the problem so far. Obviously, admins should update once a new release is out, but beyond that…

      From an end-user standpoint, I would guess – I have not looked at the code and have not been working on the security hole – the following:

      • This basically allows the attacker to masquerade as a currently-logged-in user who has viewed their link.

      • Viewing content on a lemmy server while logged in as an admin right now is probably a particularly bad idea.

      • I don’t know what the full impact is for a regular user account, but it’s probably possible for at minimum posts to be deleted, and posts to be made as someone. In kbin, my account shows my email address, so if lemmy does the same, it would be possible to link an email account used for registration with a username. If you used a throw-away email account that is publicly-accessible – as I did – that could allow for full account compromise.

      • Viewing content while not logged in is probably safe – maybe they can make Javascript run from a link, but without you being logged in, there isn’t anything interesting that the attacker can do. If I were going to be viewing content on lemmy servers right now, and okay with being limited to lurking, I might do that for a few days until the issue is resolved and lemmy servers update.

      • I don’t know if kbin is vulnerable. It didn’t accept the URL given in the bug as an example of a malicious URL when I tested submitting one, but it’s possible that it trusts URLs coming from federated servers, which I did not check.