cross-posted from: https://lemmy.ml/post/1895271
FYI!!! In case you start getting re-directed to porn sites.
Maybe the admin got hacked?
edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.
Post discussing the point of vulnerability: https://lemmy.ml/post/1896249
I have not seen any notice as to how either users or admins should mitigate the problem so far. Obviously, admins should update once a new release is out, but beyond that…
From an end-user standpoint, I would guess – I have not looked at the code and have not been working on the security hole – the following:
This basically allows the attacker to masquerade as a currently-logged-in user who has viewed their link.
Viewing content on a lemmy server while logged in as an admin right now is probably a particularly bad idea.
I don’t know what the full impact is for a regular user account, but it’s probably possible for at minimum posts to be deleted, and posts to be made as someone. In kbin, my account shows my email address, so if lemmy does the same, it would be possible to link an email account used for registration with a username. If you used a throw-away email account that is publicly-accessible – as I did – that could allow for full account compromise.
Viewing content while not logged in is probably safe – maybe they can make Javascript run from a link, but without you being logged in, there isn’t anything interesting that the attacker can do. If I were going to be viewing content on lemmy servers right now, and okay with being limited to lurking, I might do that for a few days until the issue is resolved and lemmy servers update.
I don’t know if kbin is vulnerable. It didn’t accept the URL given in the bug as an example of a malicious URL when I tested submitting one, but it’s possible that it trusts URLs coming from federated servers, which I did not check.
https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1628270766
As for a user, I’d avoid using any Lemmy instances from the browser until they get updated.