I am not a super code-literate person, so bear with me on this… But still, please be careful. There appears to be a vulnerability.

Users are posting images like the following:

https://imgur.com/a/RS4iAeI

And inside hidden is JavaScript code that when executed can take cookie information and send it to a URL address.

Among other things. At this time if you see an image please click the icon circled before clicking the link. DO NOT CLICK THE IMAGE. If you see anything suspicious, please report it immediately. It is better a false report than a missed one.

  • @[email protected] · 9 · 1 year ago (edited)

    In the interests of being wholesome and helpful, I used a secure method to retrieve the contents of that URL without providing my own cookie info.

    I accessed and extracted the .png image directly using a similar method, then dug through it with a hex editor. As best I can tell, there’s nothing particularly weird about the image itself or its metadata.

    The HTML file pointing to the image contains a bunch of trackers from imgur. Google analytics, Facebook, scorecard research, etc. Those are certainly things to be concerned about, but I didn’t specifically notice anything unusual beyond the ordinary corporate-surveillance crudware (which was indeed written in JavaScript). None of these were in the image itself though.

    Obviously it’s impossible to prove that anything is safe, and I only spent 10 minutes looking into this, so you should still follow the OP’s advice about not clicking on random links without thinking. However my quick analysis did not find anything particularly alarming.

    • Xylight (Photon dev) · 4 · 1 year ago

      It uses an onload event using a markdown parser bug to run JS and upload your JWT to a certain website.

      • @[email protected] · 1 · 1 year ago (edited)

        That looks like something Imgur is doing then. Which is not surprising at all. If it’s a free service, you’re the product, right?

        Honestly the sketchiest thing I found was the use of BTLoader, a self-described ‘adblock revenue recovery service’.

    • AerOPM · 2 · 1 year ago

      When getting ChatGPT to decode the JS, it spoke about a URL that went to a website ending in .zip/save; in the interests of security I will not be posting it.

      It wasn’t solely the image that drew red flags but the JS that appears to come before it. There is more to that URL than the file. I won’t be posting the full details here. In a DM I can provide it if you would like to see it and analyse it further.

      • @[email protected] · 3 · 1 year ago

        Sure, send it my way. If it’s sufficiently malicious, I’ll maybe have fun dissecting it. You should know that messaging on Lemmy is not secure though.

        • @[email protected] · 0 · 1 year ago

          FYI if you have a Matrix account you can attach it to your Lemmy account in your profile settings on Lemmy. Then people should see an option to send a secure message when they visit your Lemmy profile, by going through Matrix.

          • @[email protected] · 2 · 1 year ago

            Ah yeah, I’ve heard about that! Sadly, I don’t have time to set it up presently. Thanks for the reminder though, I’ll add it to the list.
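Xylight's comment above describes the mechanism: an onload handler smuggled through the markdown renderer, which then runs JS in the victim's session. As an added, defender-side example (not code from this thread, from Lemmy or from Photon), the scanner below walks rendered post HTML and flags the attributes that can execute script, namely inline on* handlers and javascript:/vbscript: URLs, so an instance admin can triage suspicious posts; the sample HTML, hostnames and post ids are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample of what a buggy markdown renderer might emit for a post
# that smuggles an event handler through image markup. The handler body is
# an inert placeholder, not the payload discussed in the thread.
SAMPLE_RENDERED_POST = (
    "<p>Check this out</p>"
    '<img src="https://imgur.example/pic.png" onload="/* placeholder */" alt="pic">'
    '<a href="javascript:void(0)">link</a>'
    '<img src="https://cdn.example/ok.png" alt="clean">'
)

SCRIPT_SCHEMES = {"javascript", "vbscript"}          # URL schemes that run script
URL_ATTRS = {"src", "href", "action", "formaction"}  # attributes that take a URL

def url_scheme(value: str) -> str:
    # Browsers drop ASCII control/whitespace characters inside the scheme,
    # so "java\tscript:" still executes; normalise the same way before comparing.
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    return cleaned.split(":", 1)[0] if ":" in cleaned else ""

class VectorScanner(HTMLParser):
    """Collect (tag, attribute, value) triples that let rendered HTML run JS:
    inline on* handlers and script-scheme URLs. HTMLParser lowercases names."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name, value or ""))
            elif name in URL_ATTRS and value and url_scheme(value) in SCRIPT_SCHEMES:
                self.findings.append((tag, name, value))

def find_script_vectors(html: str) -> list:
    """Return every script-capable attribute found in one rendered post."""
    scanner = VectorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def triage(posts: dict) -> dict:
    """Map post id -> findings, keeping only the posts that need review."""
    return {pid: hits for pid, html in posts.items() if (hits := find_script_vectors(html))}

if __name__ == "__main__":
    print(triage({"post-1": SAMPLE_RENDERED_POST, "post-2": "<p>fine</p>"}))
```

Run it over the HTML your renderer actually produces (post-markdown, pre-serve); a hit means the renderer let a script-capable attribute through, and the real fix is in the sanitizer, with this scan serving as a regression check and a sweep of existing content.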