FYI!!! In case you start getting re-directed to porn sites.
Maybe the admin got hacked?
edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.
Post discussing the point of vulnerability: https://lemmy.ml/post/1896249
Github Issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895
deleted by creator
Just go to https://lemmy.world and see for yourself, although be careful it’s nasty.
As of now it looks like this:
And then it randomly redirects to gore sites like lemonparty or chaturbate or some pedo shit. It’s pretty bad.
deleted by creator
image here ![] (https://lemmy.ml/pictrs/image/0332b83a-ab01-4c99-9155-2a08b02fb652.png)
among several others
deleted by creator
How do you spoiler an image in Lemmy markdown?
deleted by creator
The image isn’t spoilered? lmao
deleted by creator
I can’t get it to work on an image. Is it 4 underscores?
deleted by creator
deleted by creator
3 underscores did not work in preview, I’ll just leave it as is now, a clickable link (not rendered inline)
deleted by creator
I don’t think it works on an image?!
deleted by creator
deleted by creator
deleted by creator
deleted by creator
GitHub PR fixing the bug: https://github.com/LemmyNet/lemmy-ui/pull/1897/files
If your instance has custom emojis defined, this is exploitable everywhere Markdown is available. It is NOT restricted to admins, but can be used to steal an admin’s JWT, which then lets the attacker get into that admin’s account which can then spread the exploit further by putting it somewhere where it’s rendered on every single page and then deface the site.
If your instance doesn’t have any custom emojis, you are safe, the exploit requires custom emojis to trigger the bad code branch.
But won’t custom emojis from remote instances still trigger the exploit?
Apparently the custom emojis are rendered as static images when federated to outside instances so it’s clean.
Yea, I switched to this alt. It appears to be one of the assistant admins accts. Seems like an old fashioned anon prank, to me, they’re mainly just trying to make stuff offensive and redirect people to lemonparty.
So, y’know, old school.
I don’t know if any data is actually in danger, but I doubt it. I don’t see why assistant admins would need access to it.
All the bean memes are in danger! On a serious note, old-skool or not, it’s a huge loss of trust in something the community-at-large is excited to see replace reddit.
On the other hand, look at where we are. This is proof that one hack can’t take down Lemmy.
True that. If you look at posts on lemmy.world though, it’s clear their users (which is like 50% of Lemmy) have zero clue they’re defederated ATM, and probably many that don’t know it’s compromised.
Federation and decentralization are not Web 2.0 concepts. Just like people who first learned what a tweet and a follow were and all the other concepts of those social media platforms, they’ll learn the new paradigm. Or they won’t and we’ll stick to 2.0 platforms.