Lemmy.world and lemmy.blahaj.zone have been hit with a JavaScript injection attack it seems.

  • 0xtero@kbin.social
    link
    fedilink
    arrow-up
    14
    ·
    1 year ago

    Looks like Lemmy code has a security vulnerability, persistent XSS, that allows injection of Javascript into the sidebar and comments. That allowed the attacker to force load NSFW content even after lemmy.world admins cleaned up the first attack.

    Looks like the injected JS code also steals login tokens from your browser, seems some admin accounts got compromised this way.
    Probably a good idea to not visit Lemmy sites for time being (or block execution of Javascript in your browser, which is always a good idea).