dragontamer,
<pre style="background-color:#ffffff;">
UPDATE comment SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE private_message SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE post SET body = '<REMOVED BY ADMIN>' WHERE body LIKE '%![" onload%';
UPDATE post SET name = '<REMOVED BY ADMIN>' WHERE name LIKE '%![" onload%';
</pre>

Note: this looks for all posts saying ![" onload and replaces them with <REMOVED BY ADMIN>. Administrators will want to run a "SELECT comment WHERE content LIKE '%![" onload%';" to preview all posts before removing them.

But due to the nature of the federation, the evil post will be stored across the fediverse. If the Evil-post was stored on kbin.social, does that mean that the evil Javascript still gets run? Questions for later…

Note: Even just opening a link to a vulnerable Lemmy instance could allow hackers to steal your cookies or session credentials. Therefore I will not share or allow people to share URLs of compromised / vulnerable instances.

FYI: the “evil post” that contained this exploit was shipping off the JWT + Account information to some evil server. The hacker fully knows who is compromised / vulnerable.

When you have a full Javascript escape like this, it allows web browsers to send information, including keyboard and mouse movements, within the compromised post. Fortunately, it looks like our "login page" is a separate page so I don't think any passwords were stolen. And this is all Javascript so it's just front-end control (i.e. pretend someone suddenly grabbed your computer while you were away. It doesn't mean they have your password, it just means that they can make posts / change your settings / etc. etc. That's roughly the level of this hack).
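As an added example (not code from the original post or from the Lemmy project), the same preview-then-redact sweep written in Python against a constructed in-memory SQLite stand-in for the comment, private_message and post tables: the table and column names are the ones the UPDATE statements above touch, the marker is the '![" onload' string they match on, and every sample row is invented.

```python
import sqlite3

# Known marker of the payload discussed in the post: an image-markdown breakout followed by onload.
MARKER = '![" onload'
REDACTED = "<REMOVED BY ADMIN>"
# Fixed allowlist of (table, column) pairs the cleanup statements touch; never taken from user input.
TARGETS = [("comment", "content"), ("private_message", "content"),
           ("post", "body"), ("post", "name")]


def build_sample_db():
    """Constructed in-memory stand-in for three Lemmy tables (not real instance data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE comment (id INTEGER PRIMARY KEY, content TEXT);
        CREATE TABLE private_message (id INTEGER PRIMARY KEY, content TEXT);
        CREATE TABLE post (id INTEGER PRIMARY KEY, name TEXT, body TEXT);""")
    conn.executemany("INSERT INTO comment (content) VALUES (?)", [
        ("Nice writeup, thanks!",),
        ('![" onload=(payload omitted)](x)',),                  # matches the marker
        ("![alt](https://example.invalid/cat.png) is fine",)])  # ordinary image markdown
    conn.executemany("INSERT INTO private_message (content) VALUES (?)", [
        ("hello",), ('see: ![" onload=(payload omitted)',)])
    conn.executemany("INSERT INTO post (name, body) VALUES (?, ?)", [
        ("Normal post", "plain body"), ('![" onload=(payload omitted)', "clean body")])
    conn.commit()
    return conn


def preview_matches(conn, table, column, marker=MARKER):
    """Return (id, value) rows containing the marker; run this before any UPDATE."""
    sql = f"SELECT id, {column} FROM {table} WHERE {column} LIKE ?"
    return conn.execute(sql, ("%" + marker + "%",)).fetchall()


def redact_matches(conn, table, column, marker=MARKER):
    """Overwrite matching values with the admin placeholder; return the number of rows changed."""
    sql = f"UPDATE {table} SET {column} = ? WHERE {column} LIKE ?"
    with conn:  # transaction: commit on success, roll back on error
        return conn.execute(sql, (REDACTED, "%" + marker + "%")).rowcount


def sweep(conn, dry_run=True):
    """Preview every target (and redact unless dry_run); return {(table, column): hit count}."""
    counts = {}
    for table, column in TARGETS:
        counts[(table, column)] = len(preview_matches(conn, table, column))
        if not dry_run and counts[(table, column)]:
            redact_matches(conn, table, column)
    return counts
```

Matching is only on that one known marker string, so content that differs from it even slightly is not caught; on a real instance this would run against the PostgreSQL database rather than SQLite.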
