We know an issue occurred on the site over an hour ago with someone using my account to redirect the site, make fake posts, and change other settings. The problem has been corrected.
We will continue to monitor the situation and keep you informed.
We know an issue occurred on the site over an hour ago with someone using my account to redirect the site, make fake posts, and change other settings. The problem has been corrected.
We will continue to monitor the situation and keep you informed.
Yes that’s what allowed them to modify the contents of the sidebar, but the more serious problem is that you can put HTML in the sidebar and it won’t be escaped by the Lemmy backend. That’s what allowed this JavaScript redirection.
Should also be pointed out the admin is evidently still compromised. The one that posted this thread.
I’m opening Pandora’s box: what if all sidebars, not just the main one, have this vulnerability? An admin account being compromised will be the least of our worries if this is the case.