Slashdot Mirror


Imgur Exploited To Channel Botnet Attacks At 4chan

An anonymous reader writes: Imgur has been compromised by attackers looking for an opportunity to direct large volumes of traffic to 4chan. A Reddit thread explains that "when an Imgur image is loaded from /r/4chan [...] imgur loads a bunch of images from 8chan, which causes a DDoS to those sites." Meaning that if a user clicks an Imgur link on /r/4chan, it automatically makes around "500 requests" for one image from imageboard 4chan.org/8chan.


  1. Do over please by Anonymous Coward · · Score: 5, Insightful

    Can we get a cleanup on this summary please, from someone who actually passed high school English class?

    The short version: someone served up malicious JavaScript on 8chan by hosting it on imgur as images, revealing that imgur does not actually check to make sure its images are images. Some Flash on 8chan loads the JavaScript from the localStorage object, breaking same-origin. Once again the DOM is proven to be a horrible house of cards.

    1. Re:Do over please by Anonymous Coward · · Score: 1, Insightful

      Can we get a cleanup on this summary please, from someone who actually passed high school English class?

      The article summary was probably submitted by a 4chan user...

    2. Re:Do over please by jest3r · · Score: 4, Insightful

      I think I read that Imgur was inlining images with data URLs when viewing the raw image.

      So if you visited www.imgur.com/image.jpg the source code would look like:
      img src="data:image/jpg;base64,R0lGODlhEALMAAOazToeHh0tLS/7LZv/0jvb2 ...... etc.

      When uploading an image to Imgur someone figured out how to append code to the end of the raw data to break out of the data URL data and append some JavaScript to it.

      The JavaScript pulled down images from 8chan among other things.

    3. Re:Do over please by Anonymous Coward · · Score: 3, Insightful

      Well then they're doing it wrong. URL rewriting at the httpd engine level (or the cache level, or whatever serves as the frontmost layer) can handle that without embedding the binary data inside of an IMG tag. Inlining binary data is also contrary to how HTTP is supposed to work, as it breaks the renderer's ability to choose whether or not to retrieve certain media. A user who is browsing with images disabled in their browser has expressly opted not to retrieve that data. When a site inlines images in this way, the user will still be sent the entire base64-encoded image contents as part of the main document. That's not how any of this is supposed to work; the renderer is supposed to determine whether or not it wants to fetch those images.

      tl;dr kids and their "web 2.5" are breaking shit, again.
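
The two weaknesses the comments above describe (uploads not verified to be images, and extra data appended after the image's raw bytes) can both be checked at upload time. This is an added example, not part of the thread and not Imgur's code; it handles GIF only, and the function names and sample bytes are constructed for illustration.

```javascript
// Added example (Node.js): walk a GIF's block structure and report any bytes
// that follow the trailer (0x3B). Names and sample data are constructed.

function skipSubBlocks(buf, pos) {
  // Data sub-blocks: <len><len bytes>..., ended by a zero-length block.
  while (pos < buf.length) {
    const len = buf[pos];
    pos += 1 + len;
    if (len === 0) return pos;
  }
  throw new Error('truncated sub-blocks');
}

function inspectGif(buf) {
  const magic = buf.toString('latin1', 0, 6);
  if (magic !== 'GIF87a' && magic !== 'GIF89a') return { ok: false, reason: 'not a GIF' };
  if (buf.length < 13) return { ok: false, reason: 'truncated header' };
  let pos = 13;                                  // signature (6) + screen descriptor (7)
  if (buf[10] & 0x80) pos += 3 * (1 << ((buf[10] & 0x07) + 1)); // global colour table
  try {
    while (pos < buf.length) {
      const tag = buf[pos];
      if (tag === 0x3b) {                        // trailer: the image ends here
        const trailing = buf.length - (pos + 1);
        return trailing === 0
          ? { ok: true, trailing }
          : { ok: false, reason: 'data after trailer', trailing };
      } else if (tag === 0x21) {                 // extension: tag, label, sub-blocks
        pos = skipSubBlocks(buf, pos + 2);
      } else if (tag === 0x2c) {                 // image descriptor is 10 bytes long
        if (pos + 10 > buf.length) break;
        const flags = buf[pos + 9];
        pos += 10;
        if (flags & 0x80) pos += 3 * (1 << ((flags & 0x07) + 1)); // local colour table
        pos = skipSubBlocks(buf, pos + 1);       // +1 skips the LZW minimum code size
      } else {
        return { ok: false, reason: 'unknown block' };
      }
    }
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  return { ok: false, reason: 'no trailer' };
}

// Constructed samples: a minimal 1x1 GIF, the same file with inert bytes appended,
// and a non-image upload.
const cleanGif = Buffer.from('47494638396101000100000000' + '2c00000000010001000002024c01003b', 'hex');
const tamperedGif = Buffer.concat([cleanGif, Buffer.from('APPENDED-BYTES')]);
const notImage = Buffer.from('<html>not an image</html>');
```

An upload that fails the check can be rejected, or re-encoded server-side so that only decoded pixel data is stored.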

  2. 8chan, not 4chan by Anonymous Coward · · Score: 0, Insightful

    As I understand it the attack targets 8chan, not 4chan. That's a separate site.

    On a side note, 8chan is a popular target for social "justice" types because it serves as a hub for things they hate, e.g. Gamergate discussions. They're frequently under attack.

    > imageboard 4chan.org/8chan

    Wut?
