Slashdot Mirror


A Bored Hacker Easily Stole And Defaced More Than 70 Subreddits (vice.com)

An anonymous reader writes: Hacker BVM said he's "lost count" of the number of subreddits he's stolen and defaced, but estimates that the number is more than 70. Subreddits like r/pics, r/starwars, r/gameofthrones, and many others have been defaced just in the last few days. He claims Reddit's crummy security and lack of two-factor authentication are what has made his exploits possible. "Reddit's security is shit," he says. "If Reddit would simply add 2FA it would be a lot harder to get in." Why is BVM hacking these subreddits? "No reason really. Just boredom. It's not like it's really a challenge or anything so I just do it to pass time," the hacker told Motherboard in an online chat. BVM didn't comment on how exactly he is taking over subreddits. However, he did admit he's been hacking into moderators' accounts and then changing the CSS style of the pages, replacing it with a note taking responsibility. Reddit appears to be responding to these incidents quickly, restoring the subreddits.

74 comments

  1. Re: Except he didn't by Anonymous Coward · · Score: 0

    This. That's why my ISP blocks reddit.com.

  2. Reddit down? by Anonymous Coward · · Score: 0

    I haven't been able to get reddit.com to load in Firefox all day. I get nothing but:
    500 Server Error
    An internal server error occured.

    1. Re: Reddit down? by Anonymous Coward · · Score: 0

      It's for the best

  3. Re: Except he didn't by Anonymous Coward · · Score: 0

    Even sadder was how MIT abandoned their principles in attacking Reddit.

  4. if true... by AlphaBro · · Score: 2

    If true, I'm guessing it's credential reuse, phishing, or possibly XSS/CSRF. The volume hints at XSS/CSRF, but the suggestion to implement 2FA says otherwise since it may not mitigate such vulnerabilities.

    1. Re:if true... by shri · · Score: 1

      Assuming reddit updates their git repo, the changes over the next few days should make the vulnerability more obvious.

    2. Re:if true... by Anonymous Coward · · Score: 0

      I had completely forgotten that individual subreddits have CSS, but I made a new account the other day, and I visited a subreddit with annoying CSS for the first time in a few years this morning, so I promptly turned the option off (see below).

              preferences > display options > [ ] allow subreddits to show me custom themes

      If AlphaBro is right, then I might be protecting myself by turning off subreddit CSS.

    3. Re:if true... by Anonymous Coward · · Score: 0

      It's credential re-use. The article was updated to mention r/OutOfTheLoop's moderator got owned that way. And yesterday the compromised moderator of r/pics said he uses the same username everywhere, and until yesterday used the same password everywhere.

      This BVM guy got ahold of a dump from some other site, and is trying the username/password combinations from that dump against matching reddit usernames. The more interesting story here is, what other site leaked? Voat maybe, lots of reddit power users have the same username on Voat.

      DON'T RE-USE YOUR PASSWORDS!
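A defender-side illustration of the pattern this comment describes, added here and not part of the original thread: credential stuffing from a leaked dump shows up in a site's login logs as one source trying many distinct usernames with mostly failures, which is very different from one user fumbling their own password. The log lines, field layout and thresholds below are constructed assumptions, not Reddit's.

```python
"""Detect credential-stuffing patterns in constructed login-log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp source_ip username result".
# 203.0.113.7 sprays six different moderator accounts in a few seconds (stuffing);
# 198.51.100.4 is one user retrying their own password (benign).
SAMPLE_LOG = """\
2016-01-05T10:00:01 203.0.113.7 modalice FAIL
2016-01-05T10:00:02 203.0.113.7 modbob FAIL
2016-01-05T10:00:03 203.0.113.7 modcarol OK
2016-01-05T10:00:04 203.0.113.7 moddave FAIL
2016-01-05T10:00:05 203.0.113.7 moderin FAIL
2016-01-05T10:00:06 203.0.113.7 modfrank FAIL
2016-01-05T10:00:30 198.51.100.4 alice FAIL
2016-01-05T10:00:35 198.51.100.4 alice OK
2016-01-05T11:30:00 203.0.113.7 modgina FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=5, max_success_ratio=0.5):
    """Flag source IPs that, within any sliding time window, attempt logins
    against at least `min_users` distinct accounts with a low success rate.
    Returns {ip: {"distinct_users", "attempts", "compromised"}}, where
    "compromised" lists accounts the source actually got into."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it covers at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(chunk),
                    "compromised": sorted(u for _, u, ok in chunk if ok),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The accounts listed under "compromised" are the ones to force a password reset (and, where available, 2FA enrolment) on, rather than only blocking the source address.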

    4. Re:if true... by AlphaBro · · Score: 1

      Assuming this is in fact their fault. If the hacker is taking an out-of-band approach such as reusing passwords from other leaks, there isn't really a discrete vulnerability in Reddit's codebase. The fact that such passwords could be used to access accounts could be described as a weakness in Reddit's security, but the actual vulnerability exploited lies in whatever system was originally compromised. Same thing with phishing--it's not really Reddit's fault if users can be tricked into disclosing credentials via channels outside of their control.

      That Reddit's response has been to restore hacked subreddits seems to indicate it's something of this nature. Otherwise, they'd (hopefully) patch the issue immediately and publish an advisory.

    5. Re:if true... by AlphaBro · · Score: 1

      CSS is an oft forgotten vector for XSS, so regardless of this event, you're definitely reducing attack surface by blocking untrusted CSS.

    6. Re:if true... by AlphaBro · · Score: 2

      Article? This is /., we don't read those around here. That said, given the size of Reddit and volume of leaked credentials, I can see why the hacker got bored here. An attack like this would be trivial to pull off: aggregate all recent leaks, scrape moderator usernames from Reddit, filter the leaked creds using the scraped usernames, and go to town.

  5. two factor auth by Anonymous Coward · · Score: 1

    so now everything is because of lack of two factor auth? fuck off

    1. Re:two factor auth by Anonymous Coward · · Score: 0

      You first

    2. Re:two factor auth by OakDragon · · Score: 1

      > so now everything is because of lack of two factor auth? fuck off

      > You first

      Two fuck off authentication.

    3. Re: two factor auth by Anonymous Coward · · Score: 0

      Two fuck-auth

  6. String the fucker up by Gojira+Shipi-Taro · · Score: 3, Insightful

    And ban him from access to anything more advanced than a leaded pencil. Vandalism is vandalism. You're bored? Go help the needy or something.

    --
    "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
    1. Re:String the fucker up by goten · · Score: 2

      Or, ya know, stop having shitty security on a website? Oh and how about users don't reuse passwords? While I agree with you in spirit, there's the other side of the coin where harmless situations do more good than bad. BVM isn't stealing identities, nobody is going to jail, it's just a visual change to bring attention to a poor practice. How about we cater our response to damage done and not burn the whole world down.

    2. Re:String the fucker up by Anonymous Coward · · Score: 0

      Get off your fat lazy ass and build a house for someone you stupid fuck.

      Captcha: fuckyou

    3. Re:String the fucker up by Anonymous Coward · · Score: 0

      Blame the victim, why don't you. There is no law against "having shitty security". There is a law against "computer hacking", and so if he calls himself a "hacker" he must be guilty. Put him in jail already.

    4. Re: String the fucker up by cyber-vandal · · Score: 1

      Or, ya know, informing Reddit about their shitty security via one of the many messaging or social media platforms instead of being a dick and causing unnecessary work for someone.

    5. Re:String the fucker up by Anonymous Coward · · Score: 0

      > There is no law against "having shitty security".

      Actually there is. Poor cyber security is considered an illegal business practice and the FTC has successfully sued companies on these grounds. Here is a recent ruling that was upheld by an appeals court when the company with "shitty security" felt the need to appeal the lawsuit after the first court ruled against them: https://www.ftc.gov/system/files/documents/cases/150824wyndhamopinion.pdf

      As far as you saying

      > if he calls himself a "hacker" he must be guilty.

      I have to disagree, I'm identified as a hacker (one of my certifications actually uses the word "hacker" in the title) but I prefer the term "Security Engineer". Companies don't like to spend money unless they have to, without a perceived need to increase their security controls they won't; this one person could have done lots of fun and nasty things with the access he gained but he didn't, he simply changed the CSS and added a note that they need to increase their security. I for one tip my hat to him for not being a total asshat and removing the current mods/adding dummy accounts as mods/blocking under-18s from the subs/filling the sub with porn like many other people would have done.

    6. Re:String the fucker up by Anonymous Coward · · Score: 0

      > if he calls himself a "hacker" he must be guilty.

      > I have to disagree, I'm identified as a hacker (one of my certifications actually uses the word "hacker" in the title) but I prefer the term "Security Engineer".

      And you immediately know what that certificate is worth. It's bad for your rights, is what it is. And, of course, illegal, since it implies "computer hacking" and that's illegal, no matter what actually is going on. Maybe someone should tip the DA that this here "computer hacker certification company" (a/k/a legal front) is turning out "computer hackers" by the truckload and let's shut down that criminal organisation already.

      The point here of course is that the "computer security" s'kiddies did go and done fscked things up, along with mass media including Hollywood, and now a) the term means nothing any longer except in the meta-sense as a scare-word and proof of being a poser*, or perhaps complete nitwit, typically both, and b) it has been criminalised in an overbroad and therefore bad law--that law doesn't actually define what it's criminalising so it's up to "expert" witnesses to bicker and argue in court, in front of a confused judge and/or functionally ("digitally", or "cyber", or what have you) illiterate jury, how white and ETHICAL this here hat is this week. And here you are, admitting you're eating out of the same trough and are therefore part of the problem. Thank you so much for your contribution, citizen.

      * So indeed and exactly, you have an industry certificate marking you as a poser. Lucky you.

    7. Re:String the fucker up by Anonymous Coward · · Score: 0

      Looks like someone was mad his gameofthrones page was defaced.

      Face facts, this guy potentially saved a lot of chaos from happening by doing such a lax hack of the site.
      This guy is grey-hat, it could have easily been hacked by someone black-hat and absolutely shit on the site hard.

      Websites and services have a nasty habit of ignoring Issues in their devtrackers and mailboxes.
      Especially when they are serious ones, they tend to just pay people off and maybe, MAYBE, change a page URL at best.
      Moving targets is cheaper than fixing your shit.

    8. Re:String the fucker up by Anonymous Coward · · Score: 0

      I build houses and aquaponics farms for people, help them optimize their finances and generally improve their life, yet I agree with the guy.
      Your argument is as invalid as you are.

      This guy did petty vandalism that could easily be reversed.
      We aren't speaking of any actual cost to reverse it either. Virtual vandalism is hardly criminal.

      He did it to highlight a very serious and ignored issue that could have been abused by a black-hat hacker to do far FAR worse damage to the site.
      Just imagine if he threw up epilepsy-triggering gifs like 420chan did that one time (but as usual, was blamed on 4chan).
      Or used the information on accounts to hack emails, social networking, banking information, because let's face it, people will use the same passwords for things because they find it unimportant due to it being "only on the computer".

    9. Re:String the fucker up by Anonymous Coward · · Score: 0

      Err, "computer hacking" victims aren't generally victims in the classical sense. Usually it's about a computer being configured to deliver information, the hacker asking the computer for that information, and the computer voluntarily delivering it.

    10. Re: String the fucker up by Anonymous Coward · · Score: 0

      Gr8 b8

    11. Re:String the fucker up by tom229 · · Score: 1

      The torch and pitchfork parent is modded 4. The reasonable and level-headed post you made is at 1. Seems about right for today's slashdot.

      You store your data on this website people. You store at least a small part of yourself - and for many it's a critical part of their identity (think pro gamers, or anyone that makes their living online). If your bank was potentially keeping your personal information in a box behind an unlocked door, accessible to the public, wouldn't you be upset? While he might not be doing it the right way, this man is mostly doing a public service and causing no real lasting harm.

      --
      If it ain't broke, don't fix it.
    12. Re:String the fucker up by Anonymous Coward · · Score: 0

      > Or, ya know, stop having shitty security on a website? Oh and how about users don't reuse passwords? BVM isn't stealing identities, nobody is going to jail, it's just a visual change to bring attention to a poor practice.

      Or, ya know, stop breaking the law to make worthless points about "security"? Illegally accessing and defacing someone else's property is a "poor practice".

      Security in general is "shitty". The lock on your home's front door is "shitty". The anti-theft measures on your car are "shitty". Any determined attacker can compromise them. The world is full of things guarded by a "no trespassing" sign, or even simply a generally accepted understanding of who should and should not access them.

    13. Re:String the fucker up by Anonymous Coward · · Score: 0

      Idiot.

    14. Re:String the fucker up by Anonymous Coward · · Score: 0

      > This guy did petty vandalism that could easily be reversed.
      > We aren't speaking of any actual cost to reverse it either. Virtual vandalism is hardly criminal.

      The Federal Bureau of Investigation (US) does not agree with your assertion that virtual vandalism is not a criminal offence.

    15. Re: String the fucker up by Anonymous Coward · · Score: 0

      Skittles thread

    16. Re: String the fucker up by Anonymous Coward · · Score: 0

      Funny you have that opinion with that user name. Please turn in your badge to be 0'd out.
      Thank you for playing.

    17. Re:String the fucker up by Anonymous Coward · · Score: 0

      I think you missed the part where this was reddit and nobody cared if /r/catmemes was vandalized or not

    18. Re: String the fucker up by cyber-vandal · · Score: 1

      Touché

  7. Re:Except he didn't by Anonymous Coward · · Score: 0

    Really? Because reddit.com would seem to beg to differ.

    https://www.reddit.com/r/gameo...
    https://www.reddit.com/r/OutOf...
    https://www.reddit.com/r/OutOf...

    Or maybe the mod from r/pics/ is in on the hit-piece too, is that it?

  8. do what the NSA does.. by Anonymous Coward · · Score: 1

    Hire the bloke..

    1. Re:do what the NSA does.. by Anonymous Coward · · Score: 0

      A bloke getting hired at reddit, there's a laugh. Maybe if he identifies as a female narwhal.

  9. A weird thing happened to me today by Snotnose · · Score: 1

    I hit the reddit/funny daily. I also use imagezoom, so that when my mouse hovers over a thumbnail I get the whole pic. Yesterday about a third of the images did not zoom; today it was 100%. Sucks to read reddit when I have to click on each link.

    / hoverzoom also doesn't work

    1. Re:A weird thing happened to me today by Yosho · · Score: 2

      Imagezoom still works, but Google has decided the extension violates their Chrome Web Store policy, so they took the courtesy of manually disabling it for you. If you go into your settings and enable it, it'll work again.

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
  10. Bored my ass by Anonymous Coward · · Score: 3, Interesting

    Reddit's pathetic politically correct SJW policy of censorship and shadowbanning is driving more and more to fight back and deface what they can in the name of freedom of speech. Proving their security is also shit is just icing on the cake.

    1. Re:Bored my ass by Mashiki · · Score: 3, Informative

      Wouldn't surprise me. /r/subredditcancer has been doing a pretty good job of tracking that over the last year and change.

      --
      Om, nomnomnom...
    2. Re:Bored my ass by Anonymous Coward · · Score: 0

      Looks more like they've tracked themselves being massive faggots.

    3. Re:Bored my ass by Maritz · · Score: 2, Interesting

      > Reddit's pathetic politically correct SJW policy of censorship and shadowbanning is driving more and more to fight back and deface what they can in the name of freedom of speech. Proving their security is also shit is just icing on the cake.

      The guy said he did it because he was bored.

      Great point though.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    4. Re:Bored my ass by hey! · · Score: 4, Insightful

      > Reddit's pathetic politically correct SJW policy of censorship and shadowbanning is driving more and more to fight back and deface what they can in the name of freedom of speech.

      Which is plain juvenile. The correct (and more effective) strategy is to take your eyeballs elsewhere. Engaging a site that you disagree with actually helps the site.

      Social media is essentially porn. The people who use it the most aren't out to engage other people, they're looking for a quick and easy hit of stimulation; the only difference is that it's outrage, not horniness that gets titillated. Do I have to spell this out? You act out your outrage and get paid in attention; some of that attention reacts with outrage and in turn gets attention, including from you. So you react, and the cycle goes on, the outrage market makers milk homeopathic quantities of revenue from each act of outrage. And integrated over the sheer volume out there, those fractions of penny per flame post add up to real money.

      It literally doesn't matter what you believe, as long as you believe it as obnoxiously as possible. You are, to social media companies, nothing but an outrage milk-cow.

      Porn is actually better for you than social media, and better for society as a whole because horniness is a less harmful drive to titillate than outrage.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    5. Re:Bored my ass by Mashiki · · Score: 1

      Ahhh...the AC so butthurt by something and this is the best they can do. So which little authoritarian mod that got called out for their shit are you?

      --
      Om, nomnomnom...
  11. Why I stopped hacking by Anonymous Coward · · Score: 1

    It's really kind of pointless. I had no life at the time and nothing better to do than spend hours/days trying to infiltrate various websites. I was often successful. Once you get in you get a bit of an ego boost, poke through some data you weren't supposed to be seeing, then that's pretty much it. Most of the content was private/personal, and boring to me. I felt kind of bad sometimes. Then I got a real job and a life. All that said, I'm still shocked at how bad security is these days.

  12. Re: Except he didn't by Anonymous Coward · · Score: 0

    You misspelled 4chan there

  13. Re: Except he didn't by hackwrench · · Score: 1, Insightful

    How cute, a person who has just now noticed some people that have an affiliation with each other don't like it when things aren't slanted their way. There are many more people than just the right wing that don't like it when things aren't slanted their way, of all sorts of political backgrounds. Remember little miss "what difference does it make" and I don't know much about servers but I'll run my own anyways? I don't have much of a definitive list, just picking up things as I go along, and from what I've been told the generation currently in grade school are getting the understanding that if they don't like how they are treated by staff, (a substitute teacher, for example) they can go to the office and complain. I've had bad teachers and substitutes, but I had some understanding that being able to deal with the situation prepared me for things in the future. Many of the parents of such children don't like the lessons that are different, not slanted their way, but the lessons they rail against are not the ones that are making the kids have a low tolerance. If someone hasn't already bought them like me, Goodwill stores and thrift shops should have materials that state they are for teaching common core. If that fails, I don't find it unlikely to source the materials from some other place inexpensive, relatively speaking.

  14. Re: Except he didn't by hackwrench · · Score: 1

    But is the lockpicker inflating the count? Or from the way he talked about his exploits, letting the writer or readers' imaginations do the job for him.

  15. Re: Except he didn't by Z00L00K · · Score: 1, Insightful

    And who cares?

    Reddit, 4chan and similar are user-driven content sites that are and shall be easy to access. From time to time you will see things going wild on those sites and it's nothing to worry about. Better there than anywhere else.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  16. Reddit: The Drama queen capital of the Internet by Anonymous Coward · · Score: 0

    Oh yes, Reddit, the land of "-1, don't bother me with facts that contradict my world view" or "-1, I like wasting everyone's time making a bunch of drama." Slashdot has had its issues, but compared to Reddit, the current drama queen capital of the Internet, it's paradise.

  17. dreddit by Anonymous Coward · · Score: 0

    And nothing of value was lost.

  18. Hacking Reddit is like hacking Usenet by Hey_Jude_Jesus · · Score: 1

    No one cares. Sheesh.

  19. Guessing poor passwords is not hacking by Martin+S. · · Score: 2

    Losers like this should not be given this sort of oxygen of publicity to feed their fragile egos.

    1. Re:Guessing poor passwords is not hacking by Anonymous Coward · · Score: 0

      What about all the losers who are on reddit?

  20. redditt... by Anonymous Coward · · Score: 0

    I hope he washed his hands, mouse and keyboard afterward.

  21. OMG HACKZOARS! by GrumpySteen · · Score: 3, Funny

    They're going to steal my imaginary internet points!

    Seriously... who gives a shit about Reddit's security? It's a public bulletin board filled with porn, PM_Me_Your_ accounts, cat memes and throwaway accounts trolling any subreddit that actually tries to have a serious discussion. Adding two factor authorization to that is like putting a combination lock on your garbage can.

    1. Re:OMG HACKZOARS! by Anonymous Coward · · Score: 0

      Funny, but you missed the deeper point. The moderation is the biggest value-add function of the site. MFA on moderator accounts is a good thing. Same for the admins who VPN or remote connect to manage infrastructure. Bad security will end up bashing the brand and the revenue stream.

  22. Easily Identified? by Anonymous Coward · · Score: 0

    How has he not been apprehended yet?

    His twitter has a photo with a game tag in it, which leads to https://twitter.com/tehdak

    Judging by posts, you're looking for the owner of one of these - https://twitter.com/TehBVM/status/684281301847900160 who plays CSGO. I doubt there are many.

  23. Not surprised by tom229 · · Score: 1

    I have no idea how this website became so popular. The original interface was horrible and completely unintuitive. Years later it's one of the most popular websites on the internet and it's only slightly better. Their servers go down constantly - unable to handle even slight spikes in traffic. And their simplistic mod system has ruined the community by rewarding a lowest common denominator hive-mind.

    In my mind, reddit is proof that there's no policy or formula to follow to have a successful website. Security, interface design, stability, community - none of it seems to matter. It seems to just be random what the world latches on to.

    --
    If it ain't broke, don't fix it.
    1. Re:Not surprised by Scarred+Intellect · · Score: 2

      > I have no idea how this website became so popular. The original interface was horrible and completely unintuitive.

      My guess is that it's unintuitive to us, who have a modicum of technical capability and understanding. I remember trying to find a setting on Facebook years ago and I couldn't find it. I stopped and tried to think of where an idiot would expect it and there it was! My guess is reddit's interface is designed for idiots.

      Disclaimer: I haven't loaded reddit in probably 10 years. I don't plan to now.

    2. Re:Not surprised by Anonymous Coward · · Score: 0

      > unable to handle even slight spikes in traffic

      Except for all the times it does.

  24. because he is an asshole by Anonymous Coward · · Score: 0

    He can't do anything useful so he has to crap on everyone else. The pussies let him get away with it. Some dick needs to track him down and make it stop.

  25. Re:Jesus Christ by Anonymous Coward · · Score: 0

    Um, okay.