Fediverse

17538 readers

3 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

What is the fediverse?
- Short ver.
- Full ver.
Fediverse Platforms
How to run your own community

founded 4 years ago

MODERATORS

deadsuperhero@lemmy.ml

wakest@lemmy.ml

392

PSA: Lemmy.world has been compromised! (lemmy.ml)

submitted 1 year ago* (last edited 1 year ago) by G59@lemmy.ml to c/fediverse@lemmy.ml

134 comments fedilink hide all child comments

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?

edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

you are viewing a single comment's thread
view the rest of the comments

[–] StudioLE@programming.dev 2 points 1 year ago* (last edited 1 year ago)

I'm not particularly familiar with XSS but I'm curious how a frontend exploit can compromise an instance?

Presumably the injected XSS stores the admin's JWT somewhere for the exploiter?

Then using that JWT they can effectively login as the admin which gives them access to whatever admin dashboard there is, but does that actually compromise the backend at all?

edit: for anyone curious there's a bit of a breakdown of how it works here: https://feddit.win/comment/244427