lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT: as a demo, your web browser is probably telling you that it’s blocked a popup or something, you should see an alert I’ve injected
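
As an added illustration of the defect described above (not Lemmy's code, and not posted by anyone in this thread): the sidebar string rendered as raw HTML, next to an allowlist renderer that escapes everything it does not recognise. The payload and the domain attacker.example are constructed for the demo.

```javascript
// Sidebar rendering: raw insertion (the flaw described in the post) versus an allowlist
// renderer. Illustration only; the tag list and the payload below are assumptions.

const ALLOWED_TAGS = new Set(["p", "a", "em", "strong", "ul", "ol", "li", "code", "br"]);

// Escape the five characters that change meaning when text is placed into HTML.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  })[c]);
}

// Vulnerable behaviour: whatever an admin (or an attacker) typed goes straight into the page,
// so a <script> redirect runs for every visitor.
function renderSidebarUnsafe(sidebar) {
  return `<div class="sidebar">${sidebar}</div>`;
}

// Hardened behaviour: only allowlisted tags survive, with all attributes dropped except an
// http(s) href on <a>. Anything else (script tags, event handlers, javascript: URLs) is
// either removed or shown as literal escaped text, never executed.
function renderSidebarSafe(sidebar) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = "";
  let last = 0;
  for (const m of sidebar.matchAll(tagRe)) {
    out += escapeHtml(sidebar.slice(last, m.index)); // text between tags is always escaped
    last = m.index + m[0].length;
    const name = m[1].toLowerCase();
    const closing = m[0].startsWith("</");
    if (!ALLOWED_TAGS.has(name)) {
      out += escapeHtml(m[0]); // unknown tag becomes visible text, e.g. &lt;script&gt;
      continue;
    }
    if (closing) { out += `</${name}>`; continue; }
    let attrs = "";
    if (name === "a") {
      const href = /href\s*=\s*["']([^"']*)["']/i.exec(m[2]);
      if (href && /^https?:\/\//i.test(href[1].trim())) {
        attrs = ` href="${escapeHtml(href[1].trim())}" rel="noopener"`;
      }
    }
    out += `<${name}${attrs}>`;
  }
  out += escapeHtml(sidebar.slice(last));
  return `<div class="sidebar">${out}</div>`;
}

// Constructed payload of the kind the post describes: a script that redirects the visitor,
// plus a javascript: link. attacker.example is a placeholder.
const INJECTED = 'Welcome! <script>window.location="https://attacker.example/"</script> '
  + '<a href="javascript:alert(1)">rules</a>';
```

The unsafe renderer returns the `<script>` element intact; the safe one returns it as `&lt;script&gt;` text and emits the link as a bare `<a>rules</a>`.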

  • ugh@lemm.ee · 1 year ago

    Can someone ELI5 what this means? Do users need to be vigilant? Is information or malware being passed around? What can we expect going forward?