FYI!!! In case you start getting re-directed to porn sites.
Maybe the admin got hacked?
edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.
Post discussing the point of vulnerability: https://lemmy.ml/post/1896249
Github Issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895
Compromised in what way? Can you post proof?
image here ![] (https://lemmy.ml/pictrs/image/0332b83a-ab01-4c99-9155-2a08b02fb652.png)
among several others
Could you spoiler that weirdo image
How do you spoiler an image in Lemmy markdown?
Are you on an app? It’s this symbol on lemmy
Looks like this if you need to do it yourself
I don’t think it works on an image?!
testing spoiling an image
Works like this
It works like this
spoiler test
Test
The image isn’t spoilered? lmao
I wasnt trying to spoiler that image
I can’t get it to work on an image. Is it 4 underscores?
It’s 3
3 underscores did not work in preview, I’ll just leave it as is now, a clickable link (not rendered inline)
sorry for this being so hectic, I was walking back to my apartment trying to do all this on my phone lol
Just go to https://lemmy.world and see for yourself, although be careful it’s nasty.
As of now it looks like this:
And then it randomly redirects to gore sites like lemonparty or chaturbate or some pedo shit. It’s pretty bad.
Alright thanks
Just go to lemmy.world and see for yourself. (Or don’t actually, might give you a virus or something idk)
Yeah I would like someone to post a screenshot i dont want to leak my ip
GitHub PR fixing the bug: https://github.com/LemmyNet/lemmy-ui/pull/1897/files
If your instance has custom emojis defined, this is exploitable everywhere Markdown is available. It is NOT restricted to admins, but can be used to steal an admin’s JWT, which then lets the attacker get into that admin’s account which can then spread the exploit further by putting it somewhere where it’s rendered on every single page and then deface the site.
If your instance doesn’t have any custom emojis, you are safe, the exploit requires custom emojis to trigger the bad code branch.
But won’t custom emojis from remote instances still trigger the exploit?
Apparently the custom emojis are rendered as static images when federated to outside instances so it’s clean.
Yea, I switched to this alt. It appears to be one of the assistant admins accts. Seems like an old fashioned anon prank, to me, they’re mainly just trying to make stuff offensive and redirect people to lemonparty.
So, y’know, old school.
I don’t know if any data is actually in danger, but I doubt it. I don’t see why assistant admins would need access to it.
All the bean memes are in danger! On a serious note, old-skool or not, it’s a huge loss of trust in something the community-at-large is excited to see replace reddit.
On the other hand, look at where we are. This is proof that one hack can’t take down Lemmy.
True that. If you look at posts on lemmy.world though, it’s clear their users (which is like 50% of Lemmy) have zero clue they’re defederated ATM, and probably many that don’t know it’s compromised.
Federation and decentralization are not Web 2.0 concepts. Just like people who first learned what a tweet and a follow were and all the other concepts of those social media platforms, they’ll learn the new paradigm. Or they won’t and we’ll stick to 2.0 platforms.
