this post was submitted on 10 Jul 2023
63 points (98.5% liked)

Fediverse


Went there and got some… less than savory images. Do not recommend going there.

Did it get hacked or smth?

[–] [email protected] 10 points 1 year ago* (last edited 1 year ago) (1 children)

Looks like Lemmy code has a security vulnerability, persistent XSS, that allows injection of JavaScript into the sidebar and comments. That allowed the attacker to force load NSFW content even after lemmy.world admins cleaned up the first attack.

There might have also been an admin account compromise at lemmy.world involved. Time will tell if these are related.

Edit: Looks like the injected JS code also steals login tokens from your browser, so that explains the admin compromise. Probably a good idea to not visit Lemmy sites for the time being (or block JavaScript in your browser, which is always a good idea).

[–] [email protected] 2 points 1 year ago

Gee, who could have thought that allowing HTML in posts could be a bad idea? -Every developer that has ever looked at OWASP.