lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT: as a demo, your web browser is probably telling you that it’s blocked a popup or something, you should see an alert I’ve injected

  • Cyyy@lemmy.ml
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    the hacker could use a cookie stealer injected by the xss to steal the admin account.