I think that's right on the money.
erre
joined 1 year ago
The sophistication is impressive, using emojis. Are people getting paid to find the vulnerabilities or are they just bored??
I think they're stealing auth tokens, not sure if 2fa would help. It looks like there may be a vulnerability in the markdown editor and being able to insert JavaScript. The JS being able to access your cookies to share them is the second issue.
Curl didn't return anything. They're likely just using it to log requests since the request path contains the data they need.
I'd be willing to bet they're using the API to make all the changes. The cookie has the jwt token. I don't believe you need the username (at least judging by the js API docs).
Looks like it's issuing a GET to https://zelensky.zip/save/{ENCODED_JWT_TOKEN_AND_NAV_FLAG}.
The ENCODED_JWT_TOKEN is from btoa(document.cookie+nav_flag) where nav_flag is essentially 'navAdmin' if the account hit is an admin or '' if the user hit is not an admin (it checks if the admin button in the nav exists). Their server is likely logging all incoming requests and they just need to do a quick decoding to get jwt tokens and a flag telling them if it's an admin account.
I'd be hesitant to visit Lemmy on a browser atm 😓
Also tuning in late. Surprised to see the score, I thought USMNT would be up by now 🤷♂️
Last fifteen minutes looked good, players ready to fight already 😅
Dang, missed that. Gonna keep an eye out for replays. Amazing.
Good match. Tough luck for the Guatemalans but they showed up. Jamaica capitalized on their errors.
Omfg fucking Blake!
Jamaica looking more dangerous by the minute 😬
It's a few months old and we've since lost the Easter egger. The rest are going strong. Was surprised how full of personality chickens could be.
First time growing zucchinis and surprised to see how big they can get. It's around a foot and half!
If it's
onloadthen simply viewing the image runs that script. Yikes.