cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

  • pazukaza
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Worst case scenario, they can steal your Lemmy session, right?

    Which isn’t super bad for a service like Lemmy. This isn’t a social network, so most contact list scams would be useless.

    Edit: just read the targets were admins. That IS bad.

      • pazukaza
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        I mean, not in the traditional sense. You don’t have your family and friends as Lemmy contacts and share posts with them. It’s more anonymous.