Imgur Exploited To Channel Botnet Attacks At 4chan

An anonymous reader writes: Imgur has been compromised by attackers looking for an opportunity to direct large volumes of traffic to 4chan. A Reddit thread explains that "when an Imgur image is loaded from /r/4chan [...] imgur loads a bunch of images from 8chan, which causes a DDoS to those sites." Meaning that if a user clicks an Imgur link on /r/4chan, it automatically makes around "500 requests" for one image from imageboard 4chan.org/8chan.

Do over please

Can we get a cleanup on this summary please, from someone who actually passed high school English class?

The short version: someone served up malicious javascript on 8chan by hosting it on imgur as images, revealing that imgur does not actually check to make sure its images are images. Some Flash on 8chan loads the javascript from the localstorage object, breaking same-origin. Once again the DOM is proven to be a horrible house of cards.

Re:Do over please

4chan users actually know how to write, at least better than slashdot "editors". It's just that they add the "faggot" and "nigger" every 3 sentences.

Re:Do over please

[jest3r]

I think I read that Imgur was inlining images with data urls when viewing the raw image.

So if you visited www.imgur.com/image.jpg the source code would look like:
img src="data:image/jpg;base64,R0lGODlhEALMAAOazToeHh0tLS/7LZv/0jvb2 ...... etc.

When uploading an image to Imgur someone figured out how to append code to the end of the raw data to break out of the data url data and append some Javascript to it.

The Javascript pulled down images from 8chan among other things.

Re:Do over please

Well then they're doing it wrong. URL rewriting at the httpd engine level (or the cache level, or whatever serves as the frontmost layer) can handle that without embedding the binary data inside of an IMG tag. Inlining binary data is also contrary to how HTTP is supposed to work, as it breaks the renderer's ability to choose whether or not to retrieve certain media. A user who is browsing with images disabled in their browser has expressly opted not to retrieve that data. When a site inlines images in this way, the user will still be sent the entire base64-encoded image contents as part of the main document. That's not how any of this is supposed to work; the renderer is supposed to determine whether or not it wants to fetch those images.

tl;dr kids and their "web 2.5" are breaking shit, again.

Re:Do over please

[youngone]

They only know words that can be typed with one hand... I'll let your dirty mind figure out why

I'm guessing industrial accidents.

Re:Do over please

[Impy+the+Impiuos+Imp]

Can we get a cleanup on this summary please, from someone who actually passed high school English class?

4chan and 8chan, which fancies itself a wilder 4chan, are like Moe and Curly. Imgur is like Larry and his violin. Reddit just tossed a quarter on the floor, and Larry, Moe, and Curly all went to grab it, yielding the crisp, clean sound of coconuts knocking together.

Old news?

[BlckAdder]

This was patched yesterday.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Awful summary, this was a backdoor targeting 8chan

[gnaarly]

Imgur for some reason ran malicious javascript.

The javascript downloaded further obfuscated javascript from several servers, registered behind anonymity in Panama and using hacked cloud instances. One of those was 4cdns.org, imitating 4chan's 4cdn.org.

This inserted code into the localStorage object for 8chan, 8ch.net. 8chan was set up to include localStorage on every page.

The code was one that periodically requested further code from a command and control server. The C&C server was inactive when this was discovered. In the minutes this was tracked down, the "further javascript" was changed on the fly - the person doing this was basically responding to the investigation as it happened.

The end result was that every user of 8chan had a rudimentary back door, which through the localFavorties object requested code to run at every page refresh from a C&C server to be activated at some time in the future.