Yea! Jerboa certainly helped me leave Reddit. Well done and thanks devs!

The latest update addresses this in Settings under Privacy Information. No trackers in Connect, those are the trackers on the websites you're visiting when opening links via the app.

If interest rates are high, I'm sure they're hard up for capital. The free money they've grown to depend on is drying up and they need to make money themselves asap.

Looks like it's issuing a GET to https://zelensky.zip/save/{ENCODED_JWT_TOKEN_AND_NAV_FLAG}. The ENCODED_JWT_TOKEN is from btoa(document.cookie+nav_flag) where nav_flag is essentially 'navAdmin' if the account hit is an admin or '' if the user hit is not an admin (it checks if the admin button in the nav exists). Their server is likely logging all incoming requests and they just need to do a quick decoding to get jwt tokens and a flag telling them if it's an admin account.

I'd be hesitant to visit Lemmy on a browser atm 😓

Yep, Lemmy is filling a Reddit-shaped hole. It's a bit different but nice.

I think they're stealing auth tokens, not sure if 2fa would help. It looks like there may be a vulnerability in the markdown editor and being able to insert JavaScript. The JS being able to access your cookies to share them is the second issue.

https://lemmy.sdf.org/comment/850269

This is hilariously timed considering the current panic at the hacked instances.

What kind of terrible markdown editor allows adding onload scripts to images though.. it's insane.

We need /c/incrediblyinfuriating, this is much more than mildly infuriating.

Tough luck.

Connect is ridiculously stable and feature-complete for how new it is. Definitely deserves to be mentioned.

Hilariously posted in the wrong thread I believe. 😄

If y'all could hurry up and be active so I can go back to lurking, that'd be great 😏

Hopefully there's more research done. It doesn't sound like it's "absolutely carcinogenic".

The "radiofrequency electromagnetic fields" associated with using mobile phones are "possibly cancer-causing". Like aspartame, this means there is either limited evidence they can cause cancer in humans, sufficient evidence in animals, or strong evidence about the characteristics.

https://www.reuters.com/...

Same here, forced me out of my lurker shell. 😅

I requested one for r/soccer. The community here is small and I don't have the time to spend all day on Twitter looking for the latest news to post it while it grows. So this bot fetches latest posts from there and I crosspost to a Lemmy community of real users on the rare occasion that it's interesting to me. The bot lives in its own instance so it isn't spamming any real user community.

If it's onload then simply viewing the image runs that script. Yikes.

Yes!

This is awesome. The kbin support is gonna go over really well too.

FWIW their doc about the fediverse:

https://help.instagram.com/169559812696339

I'd wager you're likely fine if you're using a mobile app when the affected image loads. Also, it appears they're stealing auth tokens.. not passwords or anything. At worst they could impersonate you until your token expires.. but you're not a high value target unless you're an admin of an instance.