There’s a JavaScript injection exploit going on. Apparently the exploit also works on comments, just by embedding an image and adding some JS code in it. I don’t know if this could steal the entire cookies or just the website’s, but just to be safe don’t randomly click every link.

The post below is copy pasted from https://kbin.social/m/android@lemdro.id/t/168524/Lemmy-world-and-another-instance-have-been-compromised#entry-comment-661712

Some information I have posted to Lemmy.World:

I am not a super code-literate person so bare with me on this… But. Still please becareful. There appears to be a vulnerability.

Users are posting images like the following:

imgur.com/a/RS4iAeI

And inside hidden is JavaScript code that when executed can take cookie information and send it to a URL address.

Among other things. At this time if you see an image please click the icon circled before clicking the link. DO NOT CLICK THE IMAGE. If you see anything suspicious, please report it immediately. It is better a false report than a missed one.

I have seen multiple posts by these people during the attack. It is most certainly related to JS.

  • RA2lover@burggit.moe
    5·
    1 year ago

    I’ve found an input that achieves code injection on this instance. Sent it to this instance’s admins, will hold on additional details to the public until a fix is widely deployed.

  • Disa@burggit.moeM
    4·
    1 year ago

    We’re currently working on implementing a patch someone deployed to burggit. Stay tuned!~

    • SmolSlime@burggit.moeOP
      3·
      1 year ago

      That’s great news! I just made this post as an additional warning to other users who browse other instances, since the previous post only mentioned sidebar exploit.