Chromium should be gucci though
malloc
joined 1 year ago
Based. Thanks for sharing these PRs. Will look over them.
This is the only way. Except some services don’t even accept those randomly generated ones. Only a slight inconvenience to add whatever special character they want or to trim the length.
In my opinion, the project would benefit from static vulnerability scanning. Low hanging fruit like this XSS would have definitely been flagged.
Most of those providers even give it out for free for open source projects. So it wouldn’t hurt.
Only in read only mode.
I just want to add a quick note:
From OPs screenshot, I noticed the JS code is attempting to extract the session cookie from the users that click on the link. If it’s successful, it attempts to exfiltrate to some server otherwise sends an empty value.
You can see the attacker/spammer obscures the url of the server using JS api as well.
May be how lemmy.world attackers have had access for a lengthy period of time. Attackers have been hijacking sessions of admins. The one compromised user opened up the flood gates.
Not a sec engineer, so maybe someone else can chime in.
Lemmy.world instance under attack right now. It was previously redirecting to 🍋 🎉 and the title and side bar changed to antisemitic trash.
They supposedly attributed it to a hacked admin account and was corrected. But the instance is still showing as defaced and now the page just shows it was “seized by reddit”.
Seems like there is much more going on right now and the attackers have much more than a single admin account.
Older scrum masters during the daily standup and trying to do live updates to the JIRA board
Turned 15 minute meeting into 30 minutes at times lol.
yea - same.
lemmy.world is not accessible for me
True story. Next car I own will be a manual. Won’t even bother setting up the electronic junk if it comes with it.