this post was submitted on 14 Jul 2023

Today I Learned

3 readers
1 users here now

Today I Learned (TIL). You learn something new every day; what did you learn today?

founded 2 years ago
MODERATORS
 

DO NOT OPEN THE “LEGAL” PAGE — lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar. It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

https://sh.itjust.works/pictrs/image/707c0f16-3d5c-4888-b865-34228d968ee6.png

EDIT: the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:

https://sh.itjust.works/pictrs/image/2dc8838f-4611-4b62-92d2-ab45d7b1c560.png

https://sh.itjust.works/pictrs/image/9195ec9c-166e-4190-a991-26d218089602.png

EDIT 2: The legal information field also has that exploit, so that when you go to the “Legal” page it shows the HTML unescaped, but fortunately (for now) he’s using double-quotes.

    "legal_information":" " onload="if(localStorage.getItem(h) != true){document.body.innerHTML = \u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E; setTimeout(() =\\u003E {window.location.href = https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4}, 10000)}"
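The post describes a stored value being dropped into the page markup without HTML escaping, so a leading double quote closes the surrounding attribute and an `onload=` handler is appended. The following is an added example, not code from the post or from the Lemmy project, showing the unescaped rendering beside an escaped one and a simple detection check for stored values that carry an attribute breakout. The payload, the `renderUnsafe`/`renderSafe`/`escapeHtml`/`extractAttributes` names and the `data-info` attribute are all constructed for illustration and are not Lemmy's real rendering path.

```javascript
// Added example (not Lemmy's code): HTML-escape untrusted site/community text
// before interpolating it into markup, so an attribute-breakout payload like the
// one quoted in the post becomes inert text instead of a new attribute.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can change HTML structure or close an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unescaped rendering, mirroring the defect the post describes: the stored field
// lands inside a quoted attribute as-is. A value starting with `"` breaks out of it.
function renderUnsafe(legalInformation) {
  return `<div class="legal" data-info="${legalInformation}"></div>`;
}

// Hardened rendering: the same field, escaped first.
function renderSafe(legalInformation) {
  return `<div class="legal" data-info="${escapeHtml(legalInformation)}"></div>`;
}

// Tiny attribute reader (constructed helper, enough for this flat markup): returns
// a map of attribute name -> value so we can see which attributes the browser
// would actually end up with.
function extractAttributes(html) {
  const attrs = {};
  for (const m of html.matchAll(/([\w-]+)="([^"]*)"/g)) {
    attrs[m[1]] = m[2];
  }
  return attrs;
}

// Detection check for stored content: a quote followed by an on*= handler is the
// signature of an attribute breakout and is worth alerting on before it is rendered.
const ATTRIBUTE_BREAKOUT = /["']\s*on\w+\s*=/i;
function looksLikeAttributeInjection(value) {
  return ATTRIBUTE_BREAKOUT.test(String(value));
}

// Constructed stand-in for the quoted legal_information value: closes the attribute
// and adds a harmless onload handler.
const CONSTRUCTED_PAYLOAD = `" onload="alert(1)`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", extractAttributes(renderUnsafe(CONSTRUCTED_PAYLOAD)));
  console.log("safe:  ", extractAttributes(renderSafe(CONSTRUCTED_PAYLOAD)));
  console.log("flagged:", looksLikeAttributeInjection(CONSTRUCTED_PAYLOAD));
}
```

Run with `node`, the unescaped rendering yields an `onload` attribute the author never wrote, while the escaped rendering keeps the whole payload inside `data-info` as text. Escaping at render time is the fix; the regex check is only a cheap triage signal for already-stored values and is not a substitute for it.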
