Imgur Exploited To Channel Botnet Attacks At 4chan

← Back to Stories (view on slashdot.org)

Imgur Exploited To Channel Botnet Attacks At 4chan

Posted by samzenpus on Wednesday September 23, 2015 @10:08AM from the protect-ya-neck dept.

An anonymous reader writes: Imgur has been compromised by attackers looking for an opportunity to direct large volumes of traffic to 4chan. A Reddit thread explains that "when an Imgur image is loaded from /r/4chan [...] imgur loads a bunch of images from 8chan, which causes a DDoS to those sites." Meaning that if a user clicks an Imgur link on /r/4chan, it automatically makes around "500 requests" for one image from imageboard 4chan.org/8chan.

33 of 73 comments (clear)

Min score:

Reason:

Sort:

Do over please by Anonymous Coward · 2015-09-23 10:17 · Score: 5, Insightful

Can we get a cleanup on this summary please, from someone who actually passed high school English class?
The short version: someone served up malicious javascript on 8chan by hosting it on imgur as images, revealing that imgur does not actually check to make sure its images are images. Some Flash on 8chan loads the javascript from the localstorage object, breaking same-origin. Once again the DOM is proven to be a horrible house of cards.
1. Re:Do over please by Anonymous Coward · 2015-09-23 10:21 · Score: 1, Insightful
  
  Can we get a cleanup on this summary please, from someone who actually passed high school English class?
  The article summary was probably submitted by a 4chan user...
2. Re:Do over please by mattventura · 2015-09-23 10:32 · Score: 1
  
  Here's how I understand it:
  1. The malicious "images" are hosted on imgur.
  2. They are posted to /r/4chan, a place on reddit, which I assume is a place to talk about 4chan but not connected to the site in any way.
  3. The malicious code downloads a bunch of images from 8chan, effectively DDoSing it.
  Yes, the summary is awful and contradicts itself a few times. It has nothing to do with 4chan from how I understand it.
3. Re:Do over please by Anonymous Coward · 2015-09-23 10:37 · Score: 5, Informative
  
  4chan users actually know how to write, at least better than slashdot "editors". It's just that they add the "faggot" and "nigger" every 3 sentences.
4. Re:Do over please by BigGez · 2015-09-23 10:41 · Score: 1
  
  Can we get a cleanup on this summary please, from someone who actually passed high school English class?
  The article summary was probably submitted by a 4chan user...
  It was 100% submitted by a /. user...
5. Re:Do over please by Anonymous Coward · 2015-09-23 10:55 · Score: 1
  
  I only came to read the comments because the description was horse shit.
  God damn... Slashdot is becoming more depressing by the day.
  "News for idiots. Shit doesn't matter."
6. Re:Do over please by jest3r · 2015-09-23 11:14 · Score: 4, Insightful
  
  I think I read that Imgur was inlining images with data urls when viewing the raw image.
  
  So if you visited www.imgur.com/image.jpg the source code would look like:
  img src="data:image/jpg;base64,R0lGODlhEALMAAOazToeHh0tLS/7LZv/0jvb2 ...... etc.
  
  When uploading an image to Imgur someone figured out how to append code to the end of the raw data to break out of the data url data and append some Javascript to it.
  
  The Javascript pulled down images from 8chan among other things.
7. Re:Do over please by Anonymous Coward · 2015-09-23 11:16 · Score: 1
  
  The submitter copypasted the summary from thestack.com. It makes no god damned sense there, either.
8. Re:Do over please by Austerity+Empowers · 2015-09-23 11:19 · Score: 1
  
  3 sentences? Maybe 3 letters...
9. Re:Do over please by _KiTA_ · 2015-09-23 11:37 · Score: 1
  
  Can we get a cleanup on this summary please, from someone who actually passed high school English class?
  The short version: someone served up malicious javascript on 8chan by hosting it on imgur as images, revealing that imgur does not actually check to make sure its images are images. Some Flash on 8chan loads the javascript from the localstorage object, breaking same-origin. Once again the DOM is proven to be a horrible house of cards.
  Also, the DDoS was at the very least also targeted at 8ch. There was a pretty big teardown of it -- someone registered a similar name to 4ch's image host, the malware SWF specifically mentions the founder of 8ch and something that sounds like it's related to /pol/, the server hosting up the malware was replying to specific referrers and IP addresses, etc etc.
10. Re:Do over please by Anonymous Coward · 2015-09-23 11:38 · Score: 1
  
  As I understand it, this is correct. Imgur does this so that http://i.imgur.com/qP4c9f8.gif and http://i.imgur.com/qP4c9f8.png both point to the same file, despite the difference in filetypes in the urls.
11. Re:Do over please by Anonymous Coward · 2015-09-23 12:36 · Score: 3, Insightful
  
  Well then they're doing it wrong. URL rewriting at the httpd engine level (or the cache level, or whatever serves as the frontmost layer) can handle that without embedding the binary data inside of an IMG tag. Inlining binary data is also contrary to how HTTP is supposed to work, as it breaks the renderer's ability to choose whether or not to retrieve certain media. A user who is browsing with images disabled in their browser has expressly opted not to retrieve that data. When a site inlines images in this way, the user will still be sent the entire base64-encoded image contents as part of the main document. That's not how any of this is supposed to work; the renderer is supposed to determine whether or not it wants to fetch those images.
  tl;dr kids and their "web 2.5" are breaking shit, again.
12. Re: Do over please by Anonymous Coward · 2015-09-23 12:55 · Score: 1
  
  mods have never visited /b/. Parent is insightful if anything.
13. Re:Do over please by youngone · 2015-09-23 15:30 · Score: 2
  
  They only know words that can be typed with one hand... I'll let your dirty mind figure out why
  I'm guessing industrial accidents.
14. Re:Do over please by KGIII · 2015-09-23 16:38 · Score: 1
  
  I am not 100% certain of the nomenclature but I believe it goes like this:
  "oldfag is oldfag. teh cancer that iz killin /b/ haz been here since tiem immemorial. lulz will be had by all - except u cuz u is newfag w/knickerz in knotz! lulz. now tits or gtfo, newfag. also ur mom"
  Promptly followed with, "stfu, ur mom iz teh cancerz. fgt!"
  A witty riposte will be sure to follow and it will, quite likely, be akin to, "no u!" (Accompanied with a picture of gore or the OP's penis.)
  I am not entirely fluent, yet, but I've been parsing the language for a while. There are a number of colloquialisms and dialects with much variance. In short, they're mostly harmless and doing much the same what any of us curious folks did when we were young. Lulz, it's an important subject. I'm not in the field but I'd be interested in writing a paper on it if I weren't so damned lazy.
  Q. What did Abraham Lincoln say after he freed the slaves?
  A. I did it for the lulz. trollface.jpg
  Sometimes I think that /b/ should be the front page of the internet. Why? Because it would really, really, piss them off. What good is a hornet's nest if you can't kick it once in a while? Bears sleep just so the curious can poke them, after all.
  
  --
  "So long and thanks for all the fish."
15. Re:Do over please by meta-monkey · 2015-09-24 03:06 · Score: 1
  
  I was on /b/ back when it was good.
  
  --
  We don't have a state-run media we have a media-run state.
16. Re:Do over please by Impy+the+Impiuos+Imp · 2015-09-24 03:24 · Score: 2
  
  Can we get a cleanup on this summary please, from someone who actually passed high school English class?
  4chan and 8chan, which fancies itself a wilder 4chan, are like Moe and Curly. Imgur is like Larry and his violin. Reddit just tossed a quarter on the floor, and Larry, Moe, and Curly all went to grab it, yielding the crisp, clean sound of coconuts knocking together.
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
17. Re:Do over please by KGIII · 2015-09-24 04:44 · Score: 1
  
  > implying /b/ was ever good
  I was first exposed to the site back in the early 2000s. It's never really been a hangout though I've had some interesting conversations there. They're not all retarded children. The signal to noise ratio is pretty high, currently, but it's dieing down to a dull roar now that the kids have gone back to school and it is losing favor in the media. I think it can be summed up, sort of, as Eternal September(ish) but with fluctuations in the signal to noise ratio.
  I'm still wondering if the sale is a hoax or not. Moot's made claims to getting rid of the site a number of times. So, we'll see. Trust nothing!!!
  
  --
  "So long and thanks for all the fish."
18. Re:Do over please by meta-monkey · 2015-09-24 11:29 · Score: 1
  
  Now I'm curious if you've ever been on /b/. The correct response to "when /b/ was good" is "/b/ was never good."
  
  --
  We don't have a state-run media we have a media-run state.
19. Re:Do over please by KGIII · 2015-09-24 15:16 · Score: 1
  
  Disregard that. I suck cocks.
  
  --
  "So long and thanks for all the fish."
Old news? by BlckAdder · 2015-09-23 10:20 · Score: 5, Informative

This was patched yesterday.
old CIA trick involving hidden i-frames by Anonymous Coward · 2015-09-23 10:52 · Score: 1

Some posted how the code worked on Voat a few days ago, word seemed to spread from there. Mentioned it was an old hack developed by the CIA, something about creating off-screen i-frames. My code-fu is very rusty these days but it seemed to make sense. Can't seem to find the post now, forgot which sub it was.
1. Re:old CIA trick involving hidden i-frames by guruevi · 2015-09-23 11:04 · Score: 1
  
  CIA? Really? This kind of crap has been around since the late 90's and is well described in books dating back decades ago.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
2. Re:old CIA trick involving hidden i-frames by GiganticLyingMouth · 2015-09-23 11:52 · Score: 1
  
  That is not some CIA trick -- it's decades old and quite well understood. I even learned about it back in at Uni years ago in our intro to computer security class
Comment removed by account_deleted · 2015-09-23 11:44 · Score: 3, Insightful

Comment removed based on user account deletion
Re: "Patched" by myowntrueself · 2015-09-23 12:30 · Score: 1

Are you a fucking moron? That shit happens all the time. I'll answer my question for you: yes, you are a fucking moron.
Martin Shkreli, is that you???

--
In the free world the media isn't government run; the government is media run.
Re:New attack by PopeRatzo · 2015-09-23 12:58 · Score: 1

Think of the children..

No, that would be 8chan.

--
You are welcome on my lawn.
HOLY HECK, Batman! by tlambert · 2015-09-23 13:52 · Score: 1

Some posted how the code worked on Voat a few days ago, word seemed to spread from there. Mentioned it was an old hack developed by the CIA, something about creating off-screen i-frames.
Those dastardly devils at the Culinary Institute of America are so cunning, with their JavaScript kung-fu!
Re:New attack by Mashiki · 2015-09-23 15:00 · Score: 1

No, that would be 8chan.
I think you mean that would be Sarah Nyberg or perhaps Dan Olson.

--
Om, nomnomnom...
Re:And... by Anonymous Coward · 2015-09-23 15:42 · Score: 1

Getting pretty hard to find places where you can speak uncensored. That seems pretty valuable IMO. Especially when bad actors of major websites are doing what they can to take down a low budget server run by a disabled dude.
Awful summary, this was a backdoor targeting 8chan by gnaarly · 2015-09-23 21:04 · Score: 2

Imgur for some reason ran malicious javascript.

The javascript downloaded further obfuscated javascript from several servers, registered behind anonymity in Panama and using hacked cloud instances. One of those was 4cdns.org, imitating 4chan's 4cdn.org.

This inserted code into the localStorage object for 8chan, 8ch.net. 8chan was set up to include localStorage on every page.

The code was one that periodically requested further code from a command and control server. The C&C server was inactive when this was discovered. In the minutes this was tracked down, the "further javascript" was changed on the fly - the person doing this was basically responding to the investigation as it happened.

The end result was that every user of 8chan had a rudimentary back door, which through the localFavorties object requested code to run at every page refresh from a C&C server to be activated at some time in the future.
Re:"Patched" by Khyber · 2015-09-24 01:03 · Score: 1

"It seems likely that the malicious Javascript was added by some SJW that works for imgur."
No, this was done by a notorious furfag on 8ch by the name of Bui. The fact that the originating SWF url comes from the /pokepaws/ board is pretty much the dead trigger, since Bui owns that board.

--
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Re:And... by Anonymous Coward · 2015-09-24 01:27 · Score: 1

This. It amazes me that so many people attack fullchan.
Pro-censorship folks cannot stand the fact that 8chan has relatively lax moderation while still quickly removing things that are actually illegal.
The feelings of SJWs are not protected by law. The real world isn't a safe space.