this post was submitted on 10 Jul 2023
6 points (100.0% liked)

General

2 readers
1 users here now

Feel like you have something to post, but it's not really relevant to any of the current communities, and you don't feel like it's worth making an entirely new community just to post it? This is the place for that.

NSFW content is allowed in this community so long as you mark it as per site rules.

founded 1 year ago
MODERATORS
 

There's a JavaScript injection exploit going on. Apparently the exploit also works on comments, just by embedding an image and adding some JS code in it. I don't know if this could steal the entire cookies or just the website's, but just to be safe don't randomly click every link.

The post below is copy pasted from https://kbin.social/m/android@lemdro.id/t/168524/Lemmy-world-and-another-instance-have-been-compromised#entry-comment-661712

Some information I have posted to Lemmy.World:

I am not a super code-literate person so bare with me on this… But. Still please becareful. There appears to be a vulnerability.

Users are posting images like the following:

imgur.com/a/RS4iAeI

And inside hidden is JavaScript code that when executed can take cookie information and send it to a URL address.

Among other things. At this time if you see an image please click the icon circled before clicking the link. DO NOT CLICK THE IMAGE. If you see anything suspicious, please report it immediately. It is better a false report than a missed one.

I have seen multiple posts by these people during the attack. It is most certainly related to JS.

top 7 comments
sorted by: hot top controversial new old
[–] RA2lover@burggit.moe 5 points 1 year ago

I've found an input that achieves code injection on this instance. Sent it to this instance's admins, will hold on additional details to the public until a fix is widely deployed.

[–] Disabled@burggit.moe 4 points 1 year ago (1 children)

We're currently working on implementing a patch someone deployed to burggit. Stay tuned!~

[–] SmolSlime@burggit.moe 3 points 1 year ago

That's great news! I just made this post as an additional warning to other users who browse other instances, since the previous post only mentioned sidebar exploit.

[–] porn@burggit.moe 2 points 1 year ago (1 children)

It can only ever steal this pages cookies.

Imagine if any random page could read the cookies from your online banking...

[–] SmolSlime@burggit.moe 1 points 1 year ago (1 children)

Yeah that makes sense, as that'd be a huge vulnerability. I thought it's similar to your typical cookie stealer malware when you clicked on an infected exe.

[–] porn@burggit.moe 2 points 1 year ago (1 children)

injection attacks on websites means that someone managed to add some unintended part to the website, as if the webserver had sent a different page. So it does allow all things the website could do, no more - no less.
If I type *{display:none}, that is escaped. If this would get inserted into the website as "cleartext", it would be valid html that would hide the entire page, turning it blank. Ofc a comment should not be able to do that, so a > in text is changed to something like &⁤gt;
![alt text]⁤(http⁤s://link⁤.to/an/image.png) is a syntax to insert an image into the comment, so it is parsed into an <img src="http⁤s://link⁤.to/an/image.png" alt="alt text"> html element. In that insertion the contained text was not properly escaped in some cases, so you could have the image contain valid html which would continue on writing into the website. Basically for the alt text ⁤ ⁤ ⁤ " other attribute="attribute val ⁤ ⁤ ⁤ you would get <img src="http⁤s://link⁤.to/an/image.png" alt="" other attribute="attribute val"> instead of <img src="http⁤s://link⁤.to/an/image.png" alt="&⁤quot; other attribute=&⁤quot;attribute val"> which it should have been. And one of the attributes you can add is javascript that is executed at certain times, so you can inject javascript into the page which can do pretty much everything at that point

[–] SmolSlime@burggit.moe 1 points 1 year ago

Ahhh, that last part really helped me understand it. So they can add any additional attributes because the links are not escaped properly.