looks like it's an exploit in the emojis or something. you know how in markdown image :marseymissing2: links you can provide alt text? well apparently the lemmy code just smacked the text into the HTML without doing any sort of check.

so you could do something like

![alt text" onload="evil();"](https://rdrama.net/e/marseyscared.webp)

and it'd essentially render :marseyraytraced: the HTML as

<img src="https://rdrama.net/e/marseyscared.webp" alt="alt text" onload="evil();">

this was used to send multiple requests to some website that is bitching about Ukraine :marseyukrainerentfree: (I'm not even joking :marseybeanwink: here, screenshot below) with your cookies.

https://i.imgur.com/lRYWRyD_d.webp?maxwidth=9999&fidelity=grand

it also apparently checks for a specific element in the page that would :marseymid: indicate the user is an admin. apparently they don't set HttpOnly on their cookies, so this script was able to just raid the user's cookie :marseygingerbread3: jar. all in all, seems pretty :marseyglam: bad.

lol of course emojis in lemmy need to have alt text

god forbid all the disabled blind lgbtqia+ members browsing lemmy in a text based browser can't understand a meme
