Looks like it’s issuing a GET to https://zelensky.zip/save/{ENCODED_JWT_TOKEN_AND_NAV_FLAG}.
The ENCODED_JWT_TOKEN is from btoa(document.cookie+nav_flag) where nav_flag is essentially 'navAdmin' if the account hit is an admin or '' if the user hit is not an admin (it checks if the admin button in the nav exists). Their server is likely logging all incoming requests and they just need to do a quick decoding to get jwt tokens and a flag telling them if it’s an admin account.
Good to know, will look into adding it to the kill-it lists out there. Generally more inclined to rely on dynamic naughty lists but sometimes you just need to cut off the limb if it’s 90% rotten.
Especially the last one might cause the most work, because the “modern web development environment” simply cannot provide this. Also: form-action 'none'; should be validated. It should be set to self if forms are actually used to send data to the server and not handled by Javascript.
I’d be willing to bet they’re using the API to make all the changes. The cookie has the jwt token. I don’t believe you need the username (at least judging by the js API docs).
deleted by creator
Looks like it’s issuing a GET to
https://zelensky.zip/save/{ENCODED_JWT_TOKEN_AND_NAV_FLAG}. TheENCODED_JWT_TOKENis frombtoa(document.cookie+nav_flag)wherenav_flagis essentially'navAdmin'if the account hit is an admin or''if the user hit is not an admin (it checks if the admin button in the nav exists). Their server is likely logging all incoming requests and they just need to do a quick decoding to get jwt tokens and a flag telling them if it’s an admin account.I’d be hesitant to visit Lemmy on a browser atm 😓
Sure enough, the
.zipTLD is just being used for malicious activityGoogle Domains, creating new ways to exploit users right before being sold off to Squarespace.
Lemmy.zip is cool!
Good to know, will look into adding it to the kill-it lists out there. Generally more inclined to rely on dynamic naughty lists but sometimes you just need to cut off the limb if it’s 90% rotten.
Can we just hit that domain with junk data and crash their shit?
deleted by creator
Doesn’t Lemmy use HttpOnly cookies? This would fix any js based exploit.
Also, strict CSP would prevent it entirely.
out of curiosity, what CSP options would fix this?
To prevent execution of scripts not referenced with the correct nonce:
script-src 'self' 'nonce-$RANDOM'To make it super strict, this set could be used:
default-src 'self'; script-src 'nonce-$RANDOM' object-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; frame-src 'none'; require-trusted-types-for 'script'Especially the last one might cause the most work, because the “modern web development environment” simply cannot provide this. Also:
form-action 'none';should be validated. It should be set toselfif forms are actually used to send data to the server and not handled by Javascript.The MDN has a good overview: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
deleted by creator
I’d be willing to bet they’re using the API to make all the changes. The cookie has the jwt token. I don’t believe you need the username (at least judging by the js API docs).
deleted by creator
so does this run automatically ? without the user doing anything ?
deleted by creator
The encoded strings are
https://zelensky(dot)zip/save/andnavAdmindeleted by creator