FYI!!! In case you start getting re-directed to porn sites.
Maybe the admin got hacked?
edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.
Post discussing the point of vulnerability: https://lemmy.ml/post/1896249
Github Issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895
GitHub PR fixing the bug: https://github.com/LemmyNet/lemmy-ui/pull/1897/files
If your instance has custom emojis defined, this is exploitable everywhere Markdown is available. It is NOT restricted to admins, but can be used to steal an admin’s JWT, which then lets the attacker get into that admin’s account which can then spread the exploit further by putting it somewhere where it’s rendered on every single page and then deface the site.
If your instance doesn’t have any custom emojis, you are safe, the exploit requires custom emojis to trigger the bad code branch.
But won’t custom emojis from remote instances still trigger the exploit?
Apparently the custom emojis are rendered as static images when federated to outside instances so it’s clean.
Compromised in what way? Can you post proof?
Just go to lemmy.world and see for yourself. (Or don’t actually, might give you a virus or something idk)
Yeah I would like someone to post a screenshot i dont want to leak my ip
Just go to https://lemmy.world and see for yourself, although be careful it’s nasty.
As of now it looks like this:
And then it randomly redirects to gore sites like lemonparty or chaturbate or some pedo shit. It’s pretty bad.
Alright thanks
