this post was submitted on 10 Jul 2023
3318 points (99.9% liked)
Lemmy.World Announcements
29079 readers
190 users here now
This Community is intended for posts about the Lemmy.world server by the admins.
Follow us for server news ๐
Outages ๐ฅ
https://status.lemmy.world/
For support with issues at Lemmy.world, go to the Lemmy.world Support community.
Support e-mail
Any support requests are best sent to info@lemmy.world e-mail.
Report contact
- DM https://lemmy.world/u/lwreport
- Email report@lemmy.world (PGP Supported)
Donations ๐
If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.
If you can, please use / switch to Ko-Fi, it has the lowest fees for us
Join the team
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
How? I kept trying it yesterday without any luck, even with manual POST requests. The markdown (at least in the comments) seems to be properly escaped.
I just figured out how: https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1629326627
Yeah, an admin account is absolutely not necessary.
So, simply viewing a comment thread with a maliciously-altered emoji (on an unpatched instance) was enough to compromise your account?
Pretty much. The hacker sent me a DM with the emoji which contained the malicious code. All I did was open and read it. Iโm proud of the team that worked until 2 AM to not only revert the changes, but fix the exploit.
Damn. This is why Adkins should have separate admin tools that aren't part of there main Lemmy usage
yes: https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1629326627
AlmightySnoo is posting in Github a lot. I'm assuming that the user above has been trying it on the older, unpacked, docker instance.
@AlmightySnoo Correct me if I'm wrong of course.