Imgur Exploited To Channel Botnet Attacks At 4chan

← Back to Stories (view on slashdot.org)

Imgur Exploited To Channel Botnet Attacks At 4chan

Posted by samzenpus on Wednesday September 23, 2015 @10:08AM from the protect-ya-neck dept.

An anonymous reader writes: Imgur has been compromised by attackers looking for an opportunity to direct large volumes of traffic to 4chan. A Reddit thread explains that "when an Imgur image is loaded from /r/4chan [...] imgur loads a bunch of images from 8chan, which causes a DDoS to those sites." Meaning that if a user clicks an Imgur link on /r/4chan, it automatically makes around "500 requests" for one image from imageboard 4chan.org/8chan.

73 comments

Min score:

Reason:

Sort:

Do over please by Anonymous Coward · 2015-09-23 10:17 · Score: 5, Insightful

Can we get a cleanup on this summary please, from someone who actually passed high school English class?
The short version: someone served up malicious javascript on 8chan by hosting it on imgur as images, revealing that imgur does not actually check to make sure its images are images. Some Flash on 8chan loads the javascript from the localstorage object, breaking same-origin. Once again the DOM is proven to be a horrible house of cards.
1. Re:Do over please by Anonymous Coward · 2015-09-23 10:21 · Score: 1, Insightful
  
  Can we get a cleanup on this summary please, from someone who actually passed high school English class?
  The article summary was probably submitted by a 4chan user...
2. Re:Do over please by mattventura · 2015-09-23 10:32 · Score: 1
  
  Here's how I understand it:
  1. The malicious "images" are hosted on imgur.
  2. They are posted to /r/4chan, a place on reddit, which I assume is a place to talk about 4chan but not connected to the site in any way.
  3. The malicious code downloads a bunch of images from 8chan, effectively DDoSing it.
  Yes, the summary is awful and contradicts itself a few times. It has nothing to do with 4chan from how I understand it.
3. Re:Do over please by Anonymous Coward · 2015-09-23 10:37 · Score: 5, Informative
  
  4chan users actually know how to write, at least better than slashdot "editors". It's just that they add the "faggot" and "nigger" every 3 sentences.
4. Re:Do over please by Anonymous Coward · 2015-09-23 10:41 · Score: 0
  
  The short version: someone served up malicious javascript on 8chan by hosting it on imgur as images, revealing that imgur does not actually check to make sure its images are images.
  
  That's not a bug, it's a feature.
  I was on a forum a couple of years ago and someone discovered that the shitty, horribly broken software would allow them to insert the URL to the site's logout code in an tag, and every time someone viewed that particular thread, they were logged out. Not harmful, just annoying.
  I filed a bug report with Firefox, since a browser shouldn't do that, but I was told "We have to load the file in order to know if it's an image".
5. Re:Do over please by BigGez · 2015-09-23 10:41 · Score: 1
  
  Can we get a cleanup on this summary please, from someone who actually passed high school English class?
  The article summary was probably submitted by a 4chan user...
  It was 100% submitted by a /. user...
6. Re:Do over please by Anonymous Coward · 2015-09-23 10:45 · Score: 0, Troll
  
  slashdot... where you can read reddit posts about 4chan 2 weeks after it's on fark.
  slashdot = stagnated
7. Re:Do over please by Anonymous Coward · 2015-09-23 10:47 · Score: -1
  
  Reads like they copy-pasted random sentences from the linked Reddit post, even the stuff that makes no sense.
8. Re: Do over please by Anonymous Coward · 2015-09-23 10:49 · Score: -1
  
  Logout shouldn't be a GET then, but a POST.
9. Re:Do over please by Anonymous Coward · 2015-09-23 10:55 · Score: 1
  
  I only came to read the comments because the description was horse shit.
  God damn... Slashdot is becoming more depressing by the day.
  "News for idiots. Shit doesn't matter."
10. Re:Do over please by Anonymous Coward · 2015-09-23 10:59 · Score: 0
  
  or at least 'edited' by a slashdot 'editor'.
11. Re:Do over please by Anonymous Coward · 2015-09-23 11:00 · Score: 0
  
  LOL. Stay mad slashdotters.
12. Re:Do over please by Anonymous Coward · 2015-09-23 11:05 · Score: 0
  
  I only came to read the comments because the description was horse shit.
  Global Rule 15. Now you've brought /mlp/ into it!
13. Re:Do over please by jest3r · 2015-09-23 11:14 · Score: 4, Insightful
  
  I think I read that Imgur was inlining images with data urls when viewing the raw image.
  
  So if you visited www.imgur.com/image.jpg the source code would look like:
  img src="data:image/jpg;base64,R0lGODlhEALMAAOazToeHh0tLS/7LZv/0jvb2 ...... etc.
  
  When uploading an image to Imgur someone figured out how to append code to the end of the raw data to break out of the data url data and append some Javascript to it.
  
  The Javascript pulled down images from 8chan among other things.
14. Re:Do over please by Anonymous Coward · 2015-09-23 11:16 · Score: 1
  
  The submitter copypasted the summary from thestack.com. It makes no god damned sense there, either.
15. Re:Do over please by Austerity+Empowers · 2015-09-23 11:19 · Score: 1
  
  3 sentences? Maybe 3 letters...
16. Re:Do over please by _KiTA_ · 2015-09-23 11:37 · Score: 1
  
  Can we get a cleanup on this summary please, from someone who actually passed high school English class?
  The short version: someone served up malicious javascript on 8chan by hosting it on imgur as images, revealing that imgur does not actually check to make sure its images are images. Some Flash on 8chan loads the javascript from the localstorage object, breaking same-origin. Once again the DOM is proven to be a horrible house of cards.
  Also, the DDoS was at the very least also targeted at 8ch. There was a pretty big teardown of it -- someone registered a similar name to 4ch's image host, the malware SWF specifically mentions the founder of 8ch and something that sounds like it's related to /pol/, the server hosting up the malware was replying to specific referrers and IP addresses, etc etc.
17. Re:Do over please by Anonymous Coward · 2015-09-23 11:38 · Score: 1
  
  As I understand it, this is correct. Imgur does this so that http://i.imgur.com/qP4c9f8.gif and http://i.imgur.com/qP4c9f8.png both point to the same file, despite the difference in filetypes in the urls.
18. Re: Do over please by Anonymous Coward · 2015-09-23 12:36 · Score: 0
  
  Up vote that comment. The article post is poorly written and leaves me shaking my head.
19. Re:Do over please by Anonymous Coward · 2015-09-23 12:36 · Score: 3, Insightful
  
  Well then they're doing it wrong. URL rewriting at the httpd engine level (or the cache level, or whatever serves as the frontmost layer) can handle that without embedding the binary data inside of an IMG tag. Inlining binary data is also contrary to how HTTP is supposed to work, as it breaks the renderer's ability to choose whether or not to retrieve certain media. A user who is browsing with images disabled in their browser has expressly opted not to retrieve that data. When a site inlines images in this way, the user will still be sent the entire base64-encoded image contents as part of the main document. That's not how any of this is supposed to work; the renderer is supposed to determine whether or not it wants to fetch those images.
  tl;dr kids and their "web 2.5" are breaking shit, again.
20. Re: Do over please by Anonymous Coward · 2015-09-23 12:55 · Score: 1
  
  mods have never visited /b/. Parent is insightful if anything.
21. Re:Do over please by Anonymous Coward · 2015-09-23 13:26 · Score: 0
  
  4chan users don't know english... They only know words that can be typed with one hand... I'll let your dirty mind figure out why.
22. Re:Do over please by Anonymous Coward · 2015-09-23 13:55 · Score: 0
  
  go back to reddit then, you faggot nigger.
23. Re:Do over please by youngone · 2015-09-23 15:30 · Score: 2
  
  They only know words that can be typed with one hand... I'll let your dirty mind figure out why
  I'm guessing industrial accidents.
24. Re:Do over please by KGIII · 2015-09-23 16:38 · Score: 1
  
  I am not 100% certain of the nomenclature but I believe it goes like this:
  "oldfag is oldfag. teh cancer that iz killin /b/ haz been here since tiem immemorial. lulz will be had by all - except u cuz u is newfag w/knickerz in knotz! lulz. now tits or gtfo, newfag. also ur mom"
  Promptly followed with, "stfu, ur mom iz teh cancerz. fgt!"
  A witty riposte will be sure to follow and it will, quite likely, be akin to, "no u!" (Accompanied with a picture of gore or the OP's penis.)
  I am not entirely fluent, yet, but I've been parsing the language for a while. There are a number of colloquialisms and dialects with much variance. In short, they're mostly harmless and doing much the same what any of us curious folks did when we were young. Lulz, it's an important subject. I'm not in the field but I'd be interested in writing a paper on it if I weren't so damned lazy.
  Q. What did Abraham Lincoln say after he freed the slaves?
  A. I did it for the lulz. trollface.jpg
  Sometimes I think that /b/ should be the front page of the internet. Why? Because it would really, really, piss them off. What good is a hornet's nest if you can't kick it once in a while? Bears sleep just so the curious can poke them, after all.
  
  --
  "So long and thanks for all the fish."
25. Re: Do over please by Anonymous Coward · 2015-09-23 18:28 · Score: 0
  
  *posts ponies*
26. Re: Do over please by Anonymous Coward · 2015-09-23 18:55 · Score: 0
  
  tits or gtfo
27. Re: Do over please by Anonymous Coward · 2015-09-24 01:28 · Score: 0
  
  *posts ponies*
  ... on /d/
28. Re:Do over please by meta-monkey · 2015-09-24 03:06 · Score: 1
  
  I was on /b/ back when it was good.
  
  --
  We don't have a state-run media we have a media-run state.
29. Re:Do over please by Impy+the+Impiuos+Imp · 2015-09-24 03:24 · Score: 2
  
  Can we get a cleanup on this summary please, from someone who actually passed high school English class?
  4chan and 8chan, which fancies itself a wilder 4chan, are like Moe and Curly. Imgur is like Larry and his violin. Reddit just tossed a quarter on the floor, and Larry, Moe, and Curly all went to grab it, yielding the crisp, clean sound of coconuts knocking together.
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
30. Re:Do over please by KGIII · 2015-09-24 04:44 · Score: 1
  
  > implying /b/ was ever good
  I was first exposed to the site back in the early 2000s. It's never really been a hangout though I've had some interesting conversations there. They're not all retarded children. The signal to noise ratio is pretty high, currently, but it's dieing down to a dull roar now that the kids have gone back to school and it is losing favor in the media. I think it can be summed up, sort of, as Eternal September(ish) but with fluctuations in the signal to noise ratio.
  I'm still wondering if the sale is a hoax or not. Moot's made claims to getting rid of the site a number of times. So, we'll see. Trust nothing!!!
  
  --
  "So long and thanks for all the fish."
31. Re:Do over please by Anonymous Coward · 2015-09-24 05:43 · Score: 0
  
  They only know words that can be typed with one hand... I'll let your dirty mind figure out why
  I'm guessing industrial accidents.
  Because they are surfing 4chan at work.
32. Re:Do over please by meta-monkey · 2015-09-24 11:29 · Score: 1
  
  Now I'm curious if you've ever been on /b/. The correct response to "when /b/ was good" is "/b/ was never good."
  
  --
  We don't have a state-run media we have a media-run state.
33. Re:Do over please by Anonymous Coward · 2015-09-24 15:15 · Score: 0
  
  That's what I said. I said it in green text and insinuated it. (in other words, that would be me saying that you had implied /b/ was ever good.) Sheesh... Newfag doesn't know how to green text? You probably can't even triforce. Worse, you're probably a namefag. When someone says something, and no - I've made quite a study of this but you can check it for yourself, regarding the post above, the response is green text it and it usually means you're due for either a really funny story or it is an 'insinuating/implying' something. It is a bit similar to "FTFY." In my usage it was the later.
  lern 2 greentxt fgt!
  (i'll post this as AC. I mean, it's painfully obvious who this is. But, damn it, anonymous really belongs here at this point.)
  If, for some reason, you feel like looking into a bunch of this stuff then Encyclopedia Dramatica is a really good place to start. I suspect you know this but probably just missed my ">" or are unfamiliar with its usage. It's quite common and I sometimes see it on sites other than the *chans. I doubt it even originated on the *chans but it probably did get its off-coloring. Also, it's not always green text. The color varies depending on the theme and the chan.
  Or u iz trollin for lulz and maed me type all that!!!eleventy!1 u iz trollin pl0x? my head asploded - wud be gud troll 4 u m8
34. Re:Do over please by KGIII · 2015-09-24 15:16 · Score: 1
  
  Disregard that. I suck cocks.
  
  --
  "So long and thanks for all the fish."
Boohoo by Anonymous Coward · 2015-09-23 10:20 · Score: -1

Does anyone really care?
What are you talking about by Anonymous Coward · 2015-09-23 10:20 · Score: -1

There is no such thing as 4chan.org/8chan.
It returns a 404.
1. Re:What are you talking about by Anonymous Coward · 2015-09-24 00:41 · Score: 0
  
  i lulz'd...once.
Old news? by BlckAdder · 2015-09-23 10:20 · Score: 5, Informative

This was patched yesterday.
1. Re:Old news? by Anonymous Coward · 2015-09-23 12:06 · Score: 0
  
  Don't be wise, faggot. We don't give a fuck about your bullshit. Go suck another junkie's dick.
2. Re:Old news? by Anonymous Coward · 2015-09-24 00:45 · Score: 0
  
  It's still news, though. Slashdot is just too shitty to be on time.
New attack by Anonymous Coward · 2015-09-23 10:30 · Score: -1

Can we please get a DDoS attack against 4chan using C4, SEMTEC, hydrogen bombs, or some other high explosive, please? Think of the children.. er.. the Internet, that is!
1. Re:New attack by PopeRatzo · 2015-09-23 12:58 · Score: 1
  
  Think of the children..
  
  No, that would be 8chan.
  
  --
  You are welcome on my lawn.
2. Re:New attack by Mashiki · 2015-09-23 15:00 · Score: 1
  
  No, that would be 8chan.
  I think you mean that would be Sarah Nyberg or perhaps Dan Olson.
  
  --
  Om, nomnomnom...
3. Re:New attack by Anonymous Coward · 2015-09-24 02:01 · Score: 0
  
  I assume you mean Semtex. Note that it's not capitalized since it's not an abbreviation.
"Patched" by Anonymous Coward · 2015-09-23 10:31 · Score: -1

They say they patched it, but it very likely isn't.
I won't even remotely be surprised to see it spring up again in the very near future.
Thanks GifV! Worst idea in history.
The people doing these hacks aren't stupid and Imgur are underestimating them.
Also, fun fact, this was also partly possible because 8chan allows ANY source to read it globally. There is literally no reason for that flag to even be set to *.
So many people think this is associated with the new 4chan takeover. Morons.
Then further stupid shit, like associations with the 8ch owner and him, military associations, FBI and other stupid stuff like that.
Hilarious.
1. Re:"Patched" by Anonymous Coward · 2015-09-23 10:38 · Score: -1
  
  It seems likely that the malicious Javascript was added by some SJW that works for imgur. Why would some external actor use a major vulnerability on one of the biggest websites on the Internet just to DDoS 8chan for a few hours?
2. Re:"Patched" by Anonymous Coward · 2015-09-23 11:31 · Score: 0
  
  The first comment explains how this was external to imgur.
3. Re: "Patched" by Anonymous Coward · 2015-09-23 11:35 · Score: 0
  
  Are you a fucking moron? That shit happens all the time. I'll answer my question for you: yes, you are a fucking moron.
4. Re: "Patched" by Anonymous Coward · 2015-09-23 11:36 · Score: 0
  
  Shhhh, let the InfoWars tinfoil hat crowd think there's a big SJW conspiracy for just a little bit longer.
5. Re: "Patched" by myowntrueself · 2015-09-23 12:30 · Score: 1
  
  Are you a fucking moron? That shit happens all the time. I'll answer my question for you: yes, you are a fucking moron.
  Martin Shkreli, is that you???
  
  --
  In the free world the media isn't government run; the government is media run.
6. Re:"Patched" by Anonymous Coward · 2015-09-23 15:38 · Score: 0
  
  -.-
  > tfw parent modded down by SJW with mod points.
7. Re:"Patched" by Khyber · 2015-09-24 01:03 · Score: 1
  
  "It seems likely that the malicious Javascript was added by some SJW that works for imgur."
  No, this was done by a notorious furfag on 8ch by the name of Bui. The fact that the originating SWF url comes from the /pokepaws/ board is pretty much the dead trigger, since Bui owns that board.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
8chan, not 4chan by Anonymous Coward · 2015-09-23 10:41 · Score: 0, Insightful

As I understand it the attack targets 8chan, not 4chan. That's a seperate site.
On a side note, 8chan is a popular target for social "justice" types because it serves as a hub for things they hate, e.g. Gamergate discussions. They're frequently under attack.
> imageboard 4chan.org/8chan
Wut?
1. Re:8chan, not 4chan by Anonymous Coward · 2015-09-23 10:48 · Score: -1
  
  Oh, don't forget all the kiddie porn, oh I'm sorry, """"child models"""" you guys are super fond of. Y'know, the shit that got 8chan de-listed from Google.
2. Re: 8chan, not 4chan by Anonymous Coward · 2015-09-23 10:59 · Score: 0
  
  lol at the kiddie diddlers and pedo sympathizers downmodding the truth. for all the fuss over Pedo Sarah you sure don't seem to mind with your cripple hero hosts it. Funny huh.
3. Re:8chan, not 4chan by Anonymous Coward · 2015-09-23 11:31 · Score: 0
  
  Wow, so 8chan is literally the only website on the internet that has shit like that? Masterchan is crawling with it, and is arguably far more focused on it, but they haven't been delisted (just checked--Google even helpfully lists their "kiddie porn" board first over all their other boards). No, something else is going on here. Whatever it is, I'm sure it's a step straight down a slippery slope of some sort.
  
  "I may disagree with what you say, but I will defend to the death your right to say it." It is always the scoundrels that are targeted first. Neo-nazis and pedophiles, in this case, it seems. It is only a matter of time before there is no-one left to speak out for you when they kick in your door and haul you away.
4. Re:8chan, not 4chan by Anonymous Coward · 2015-09-23 13:00 · Score: 0
  
  The chans and twitter/tumbler people or whatever are always fighting each other over inane shit. You know what they say, "Play stupid games; win stupid prizes!" It's hard to care when anything happens to either group as a result of internet fights.
old CIA trick involving hidden i-frames by Anonymous Coward · 2015-09-23 10:52 · Score: 1

Some posted how the code worked on Voat a few days ago, word seemed to spread from there. Mentioned it was an old hack developed by the CIA, something about creating off-screen i-frames. My code-fu is very rusty these days but it seemed to make sense. Can't seem to find the post now, forgot which sub it was.
1. Re:old CIA trick involving hidden i-frames by guruevi · 2015-09-23 11:04 · Score: 1
  
  CIA? Really? This kind of crap has been around since the late 90's and is well described in books dating back decades ago.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
2. Re:old CIA trick involving hidden i-frames by GiganticLyingMouth · 2015-09-23 11:52 · Score: 1
  
  That is not some CIA trick -- it's decades old and quite well understood. I even learned about it back in at Uni years ago in our intro to computer security class
3. Re:old CIA trick involving hidden i-frames by Anonymous Coward · 2015-09-23 11:56 · Score: 0
  
  Yea really, specifically it was the tool they used to capture pedophile's information online.
4. Re:old CIA trick involving hidden i-frames by Anonymous Coward · 2015-09-24 01:45 · Score: 0
  
  If you're talking about that thing that was used on Tor and reported all over the net as a "Tor exploit" that was the FBI and was hardly the first case of someone doing something like that. If anything it was about as simple an attack as you could come up with if you had access to the server (which they had), they just modified pages so that every visitor that had javascript enabled would make a unproxied connection to a host they had control over so they could gather the actual IP addresses of people visiting kiddie porn sites.
Comment removed by account_deleted · 2015-09-23 11:44 · Score: 3, Insightful

Comment removed based on user account deletion
HOLY HECK, Batman! by tlambert · 2015-09-23 13:52 · Score: 1

Some posted how the code worked on Voat a few days ago, word seemed to spread from there. Mentioned it was an old hack developed by the CIA, something about creating off-screen i-frames.
Those dastardly devils at the Culinary Institute of America are so cunning, with their JavaScript kung-fu!
Hrm by Anonymous Coward · 2015-09-23 14:11 · Score: 0

Actually I wonder if 4chan is really a botnet under the costume of a image forum.
Re:And... by Anonymous Coward · 2015-09-23 15:42 · Score: 1

Getting pretty hard to find places where you can speak uncensored. That seems pretty valuable IMO. Especially when bad actors of major websites are doing what they can to take down a low budget server run by a disabled dude.
Feminists should be killed. by Anonymous Coward · 2015-09-23 17:04 · Score: 0

>In the United States, as late as the 1880s most States set the minimum age at 10-12, (in Delaware it was 7 in 1895).[8] Inspired by the "Maiden Tribute" female reformers in the US initiated their own campaign[9] which petitioned legislators to raise the legal minimum age to at least 16, with the ultimate goal to raise the age to 18. The campaign was successful, with almost all states raising the minimum age to 16-18 years by 1920.
Feminists should be killed.
Awful summary, this was a backdoor targeting 8chan by gnaarly · 2015-09-23 21:04 · Score: 2

Imgur for some reason ran malicious javascript.

The javascript downloaded further obfuscated javascript from several servers, registered behind anonymity in Panama and using hacked cloud instances. One of those was 4cdns.org, imitating 4chan's 4cdn.org.

This inserted code into the localStorage object for 8chan, 8ch.net. 8chan was set up to include localStorage on every page.

The code was one that periodically requested further code from a command and control server. The C&C server was inactive when this was discovered. In the minutes this was tracked down, the "further javascript" was changed on the fly - the person doing this was basically responding to the investigation as it happened.

The end result was that every user of 8chan had a rudimentary back door, which through the localFavorties object requested code to run at every page refresh from a C&C server to be activated at some time in the future.
Re:And... by Anonymous Coward · 2015-09-24 00:48 · Score: 0

Excuse me? This could have had a huge impact on the entire Pepe economy. We're lucky it went by without much happening.
Re:And... by Anonymous Coward · 2015-09-24 01:27 · Score: 1

This. It amazes me that so many people attack fullchan.
Pro-censorship folks cannot stand the fact that 8chan has relatively lax moderation while still quickly removing things that are actually illegal.
The feelings of SJWs are not protected by law. The real world isn't a safe space.
Good by Anonymous Coward · 2015-09-24 01:29 · Score: 0

Enough said
Re:And... by Anonymous Coward · 2015-09-24 01:42 · Score: 0

christ, you neck beards have really gotten cantankerous in your old age.