As you might have noticed, there are a couple of other instances, which went dark. This is because of an active exploit in the user user frontend, through custom emojis.
The attacker can than put custom javascript code into custom emojis and publish a post or a comment. Then, for everyone that opens that post/comment (currently on browser only), will then upload their JWT token to the attacker, which is used for the site to know, you are authenticated.
This token can then be used from the attacker to use your user account and do whatever they want with it - they have then gained your session.
Right now, feddit.ch does not have any form of custom emojis implemented, which are used through this attack.
A fix for this issue seems on the way. https://github.com/LemmyNet/lemmy-ui/pull/1900
The fix will be implement, when fully approved.
Here is some info on that regards Lemmy.ml posts with info regarding the issue: https://lemmy.ml/post/1896249 https://lemmy.ml/post/1895271
What does this mean to you? For the current attack, normal users are not in the main focus, since they try to “troll” the instances while using the admin accounts to gain access to the site and spread the information on sidebar, taglines, etc.
If your scared someone would take over your account - log out and lurk for some time. The fix will be there soon.
The admin account will go offline until the issue has been fixed.
I’ll update you as soon as i know more.
Update 10.07.2023 14.52h
The lemmy-ui has been patched by the devs, the vulnerability should be fixed for now. The UI-Version is now v.0.18.2-rc1, as you can see at the bottom of the page.
You should now be able to normally continue with your user account. If you concerned, please reset your password and login again with your new credentials.
Info about the PR for the lemmy-ui https://github.com/LemmyNet/lemmy-ui/pull/1897
Thank you for keeping up informed and sharing the tip. This is all very much appreciated.