𝙚𝙧𝙧𝙚

@𝙚𝙧𝙧𝙚@feddit.win
2 Post – 99 Comments
Joined 1 years ago

Yea! Jerboa certainly helped me leave Reddit. Well done and thanks devs!

I welcome the return of forums. What a simpler time.

Yep, Lemmy is filling a Reddit-shaped hole. It's a bit different but nice.

Looks like it's issuing a GET to https://zelensky.zip/save/{ENCODED_JWT_TOKEN_AND_NAV_FLAG}. The ENCODED_JWT_TOKEN is from btoa(document.cookie+nav_flag) where nav_flag is essentially 'navAdmin' if the account hit is an admin or '' if the user hit is not an admin (it checks if the admin button in the nav exists). Their server is likely logging all incoming requests and they just need to do a quick decoding to get jwt tokens and a flag telling them if it's an admin account.

I'd be hesitant to visit Lemmy on a browser atm 😓

If interest rates are high, I'm sure they're hard up for capital. The free money they've grown to depend on is drying up and they need to make money themselves asap.

I think they're stealing auth tokens, not sure if 2fa would help. It looks like there may be a vulnerability in the markdown editor and being able to insert JavaScript. The JS being able to access your cookies to share them is the second issue.

https://lemmy.sdf.org/comment/850269

Hopefully there's more research done. It doesn't sound like it's "absolutely carcinogenic".

The "radiofrequency electromagnetic fields" associated with using mobile phones are "possibly cancer-causing". Like aspartame, this means there is either limited evidence they can cause cancer in humans, sufficient evidence in animals, or strong evidence about the characteristics.

https://www.reuters.com/business/healthcare-pharmaceuticals/whos-cancer-research-agency-say-aspartame-sweetener-possible-carcinogen-sources-2023-06-29/

Connect is ridiculously stable and feature-complete for how new it is. Definitely deserves to be mentioned.

Hilariously posted in the wrong thread I believe. 😄

I requested one for r/soccer. The community here is small and I don't have the time to spend all day on Twitter looking for the latest news to post it while it grows. So this bot fetches latest posts from there and I crosspost to a Lemmy community of real users on the rare occasion that it's interesting to me. The bot lives in its own instance so it isn't spamming any real user community.

Same here, forced me out of my lurker shell. 😅

What kind of terrible markdown editor allows adding onload scripts to images though.. it's insane.

If it's onload then simply viewing the image runs that script. Yikes.

Yes!

starship troopers doing my part gif

The one reserved for residential usage is home.arpa.

https://www.rfc-editor.org/rfc/rfc8375.html

This is awesome. The kbin support is gonna go over really well too.

Or Telegram, unless you're a confirmed terrorist.

It really depends on the company that you use to manage the domain's DNS. As long as they have an API to update DNS records..

For example, I can have my domain at Porkbun and have its DNS managed at Cloudflare. Cloudflare allows updating DNS records via API..so there's programs to update it. Some routers even support it.

Worst case, you can set up a service like duckdns and have your domain, via cname, point to the duck DNS subdomain.

There's options.

Looks like the instance is on the latest RC which includes the fix for the vulnerability.

Jerboa. Thunder looks awesome but still has a few bugs, would switch to it once it matures some more.

Anxiously waiting for Sync for Lemmy 🙃

FWIW their doc about the fediverse:

https://help.instagram.com/169559812696339

If you run the instance only for yourself then I'd say it makes you an unattractive target. Why do a lot of work to hack an instance with one user?

But yeah, since Lemmy's code is not super mature there'll be some pains in the short term.

Extra content in exchange for an upvote 🤔

I'd wager you're likely fine if you're using a mobile app when the affected image loads. Also, it appears they're stealing auth tokens.. not passwords or anything. At worst they could impersonate you until your token expires.. but you're not a high value target unless you're an admin of an instance.

Listen to this person, this is the temporary solution.

My Reddit app of choice, definitely psyched for this.

I think that's right on the money.

https://lemmy.sdf.org/comment/850269

Tough call, probably for the best. Hopefully it's resolved soon.

Same here. The lack of content is noticeable and it sucks that I have to participate instead of lurking. 😅

If y'all could hurry up and be active so I can go back to lurking, that'd be great 😏

To be fair, most apps other than Jerboa didn't exist a few weeks ago 😅

I might be wrong but that might reflect the supported languages that your instance is configured for. Meaning, waveform.social might be configured only for English and that could be why your language list is limited.

EDIT: Yup just confirmed on my instance. You should ask an admin at waveform to include Undetermined under the supported site languages.. or make an account elsewhere 😬

The sophistication is impressive, using emojis. Are people getting paid to find the vulnerabilities or are they just bored??

I blink and I miss a thing. We're gonna need a c/outoftheloop 🤔

Torguard supports port forwarding. I'm not sure how it ranks in privacy though.

Try searching for https://lemdro.id/c/askandroid from vlemmy. You might be the first subscriber on that instance.

Yikes, I didn't even know there was a wiki. Thank you!

Perhaps they meant president 🤔

Curl didn't return anything. They're likely just using it to log requests since the request path contains the data they need.

Oops indeed. Lemmy needs a security audit 😬