A Bored Hacker Easily Stole And Defaced More Than 70 Subreddits (vice.com)

← Back to Stories (view on slashdot.org)

A Bored Hacker Easily Stole And Defaced More Than 70 Subreddits (vice.com)

Posted by BeauHD on Tuesday May 10, 2016 @01:47PM from the twiddle-one's-thumbs dept.

An anonymous reader writes: Hacker, BVM, said he's "lost count" of the number of subreddits he's stolen and defaced, but estimates that the number is more than 70. Subreddits like r/pics, r/starwars, and r/gameofthrones, and many others, have been defaced just in the last few days. He claims Reddit's crummy security, and lack of two-factor authentication are what has made his exploits possible. "Reddit's security is shit," he says. "If Reddit would simply add 2FA it would be a lot harder to get in." Why is BVM hacking these subreddits? "No reason really. Just boredom. It's not like it's really a challenge or anything so I just do it to pass time," the hacker told Motherboard in an online chat. BVM didn't comment on how exactly he is taking over subreddits. However, he did admit he's been hacking into moderators' accounts and then changing the CSS style of the pages, replacing it with a note taking responsibility. Reddit appears to be responding to these incidents quickly, restoring the subreddits.

29 of 74 comments (clear)

Min score:

Reason:

Sort:

if true... by AlphaBro · 2016-05-10 14:00 · Score: 2

If true, I'm guessing it's credential reuse, phishing, or possibly XSS/CSRF. The volume hints at XSS/CSRF, but the suggestion to implement 2FA says otherwise since it may not mitigate such vulnerabilities.
1. Re:if true... by shri · 2016-05-10 14:22 · Score: 1
  
  Assuming reddit updates their git repo, the changes over the next few days should make the vulnerability more obvious.
2. Re:if true... by AlphaBro · 2016-05-10 16:04 · Score: 1
  
  Assuming this is in fact their fault. If the hacker is taking an out-of-band approach such as reusing passwords from other leaks, there isn't really a discrete vulnerability in Reddit's codebase. The fact that such passwords could be used to access accounts could be described as a weakness in Reddit's security, but the actual vulnerability exploited lies in whatever system was originally compromised. Same thing with phishing--it's not really Reddit's fault if users can be tricked into disclosing credentials via channels outside of their control.
  
  That Reddit's response has been to restore hacked subreddits seems to indicate it's something of this nature. Otherwise, they'd (hopefully) patch the issue immediately and publish an advisory.
3. Re:if true... by AlphaBro · 2016-05-10 16:14 · Score: 1
  
  CSS is an oft forgotten vector for XSS, so regardless of this event, you're definitely reducing attack surface by blocking untrusted CSS.
4. Re:if true... by AlphaBro · 2016-05-10 16:25 · Score: 2
  
  Article? This is /., we don't read those around here. That said, given the size of Reddit and volume of leaked credentials, I can see why the hacker got bored here. An attack like this would be trivial to pull off: aggregate all recent leaks, scrape moderator usernames from Reddit, filter the leaked creds using the scraped usernames, and go to town.
two factor auth by Anonymous Coward · 2016-05-10 14:02 · Score: 1

so now everything is because of lack of two factor auth? fuck off
1. Re:two factor auth by OakDragon · 2016-05-11 01:24 · Score: 1
  
  so now everything is because of lack of two factor auth? fuck off
  You first
  Two fuck off authentication.
  
  --
  Dark Reflection
String the fucker up by Gojira+Shipi-Taro · 2016-05-10 14:04 · Score: 3, Insightful

And ban him from access to anything more advanced than a leaded pencil. Vandalism is vandalism. You're bored? go help the needy or something.

--
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
1. Re:String the fucker up by goten · 2016-05-10 14:17 · Score: 2
  
  Or, ya know, stop having shitty security on a website? Oh and how about users don't reuse passwords? While I agree with you in spirit, there's the other side of the coin where harmless situations do more good than bad. BVM isn't stealing identities, nobody is going to jail, it's just a visual change to bring attention to a poor practice. How about we cater our response to damage done and not burn the whole world down.
2. Re: String the fucker up by cyber-vandal · 2016-05-10 18:43 · Score: 1
  
  Or, ya know, informing Reddit about their shitty security via one of the many messaging or social media platforms instead of being a dick and causing unnecessary work for someone.
3. Re:String the fucker up by tom229 · 2016-05-11 00:41 · Score: 1
  
  The torch and pitchfork parent is modded 4. The reasonable and level headed post you made is at 1. Seems about right for today's slashdot.
  
  You store your data on this website people. You store at least a small part of yourself - and for many it's a critical part of their identity (think pro gamers, or anyone that makes their living online). If your bank was potentially keeping your personal information in a box behind an unlocked door, accessible to the public, wouldn't you be upset? While he might not be doing it the right way, this man is mostly doing a public service and causing no real lasting harm.
  
  --
  If it ain't broke, don't fix it.
4. Re: String the fucker up by cyber-vandal · 2016-05-11 09:31 · Score: 1
  
  TouchÃ© ðY
do what the NSA does.. by Anonymous Coward · 2016-05-10 14:13 · Score: 1

Hire the bloke..
A weird thing happened to me today by Snotnose · 2016-05-10 14:20 · Score: 1

I hit the reddit/funny daily, I also use imagezoom, so that when my mouse hovers over a thumbnail I get the whole pic. Yesterday about a third of the images did not zoom, Today it was 100%. Sucks to read reddit when I have to click on each link

/ hoverzoom also doesn;t work
1. Re:A weird thing happened to me today by Yosho · 2016-05-11 00:29 · Score: 2
  
  Imagezoom still works, but Google has decided the extension violates their Chrome Web Store policy, so they took the courtesy of manually disabling it for you. If you go into your settings and enable it, it'll work again.
  
  --
  Karma: Terrifying (mostly affected by atrocities you've committed)
Bored my ass by Anonymous Coward · 2016-05-10 14:26 · Score: 3, Interesting

Reddit's pathetic politically correct SJW policy of censorship and shadowbanning is driving more and more to fight back and deface what they can in the name of freedom of speech. Proving their security is also shit is just icing on the cake.
1. Re:Bored my ass by Mashiki · 2016-05-10 17:27 · Score: 3, Informative
  
  Wouldn't surprise me. /r/subredditcancer has been doing a pretty good job of tracking that over the last year and change.
  
  --
  Om, nomnomnom...
2. Re:Bored my ass by Maritz · 2016-05-11 00:59 · Score: 2, Interesting
  
  Reddit's pathetic politically correct SJW policy of censorship and shadowbanning is driving more and more to fight back and deface what they can in the name of freedom of speech. Proving their security is also shit is just icing on the cake.
  The guy said he did it because he was bored.
  Great point though.
  
  --
  I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
3. Re:Bored my ass by hey! · 2016-05-11 01:08 · Score: 4, Insightful
  
  Reddit's pathetic politically correct SJW policy of censorship and shadowbanning is driving more and more to fight back and deface what they can in the name of freedom of speech.
  Which is plain juvenile. The correct (and more effective) strategy is to take your eyeballs elsewhere. Engaging a site that you disagree with actually helps the site.
  Social media is essentially porn. The people who use it the most aren't out to engage other people, they're looking for a quick and easy hit of stimulation; the only difference is that it's outrage, not horniness that gets titillated. Do I have to spell this out? You act out your outrage and get paid in attention; some of that attention reacts with outrage and in turn gets attention, including from you. So you react, and the cycle goes on, the outrage market makers milk homeopathic quantities of revenue from each act of outrage. And integrated over the sheer volume out there, those fractions of penny per flame post add up to real money.
  It literally doesn't matter what you believe, as long as you believe it as obnoxiously as possible. You are, to social media companies, nothing but an outrage milk-cow.
  Porn is actually better for you than social media, and better for society as a whole because horniness is a less harmful drive to titillate than outrage.
  
  --
  Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
4. Re:Bored my ass by Mashiki · 2016-05-11 21:41 · Score: 1
  
  Ahhh...the AC so butthurt by something and this is the best they can do. So which little authoritarian mod that got called out for their shit are you?
  
  --
  Om, nomnomnom...
Why I stopped hacking by Anonymous Coward · 2016-05-10 14:27 · Score: 1

It's really kind of pointless. I had no life at the time and nothing better to do than spend hours/days trying to infiltrate various websites. I was often successful. Once you get in you get a bit of an ego boost, poke through some data you weren't supposed to be seeing, then that's pretty much it. Most of the content was private/personal, and boring to me. I felt kind of bad sometimes. Then I got a real job and a life. All that said, I'm still shocked at how bad security is these days.
Re: Except he didn't by hackwrench · 2016-05-10 14:57 · Score: 1, Insightful

How cute, a person who has just now noticed some people that have an affiliation with each other don't like it when things aren't slanted their way. There are many more people than just the right wing that don't like it when things aren't slanted their way, of all sorts of political backgrounds. Remember little miss "what difference does it make" and I don't know much about servers but I'll run my own anyways? I don't have much of a definitive list, just picking up things as I go along, and from what I've been told the generation currently in grade school are getting the understanding that if they don't like how they are treated by staff, (a substitute teacher, for example) they can go to the office and complain. I've had bad teachers and substitutes, but I had some understanding that being able to deal with the situation prepared me for things in the future. Many of the parents of such children don't like the lessons that are different, not slanted their way, but the lessons they rail against are not the ones that are making the kids have a low tolerance. If someone hasn't already bought them like me, Goodwill stores and thrift shops should have materials that state they are for teaching common core. If that fails, I don't find it unlikely to source the materials from some other place inexpensive, relatively speaking.
Re: Except he didn't by hackwrench · 2016-05-10 15:03 · Score: 1

But is the lockpicker inflating the count? Or from the way he talked about his exploits, letting the writer or readers' imaginations do the job for him.
Re: Except he didn't by Z00L00K · 2016-05-10 16:41 · Score: 1, Insightful

And who cares?
Reddit, 4chan and similar are user-driven content sites that are and shall be easy to access. From time to time you will see things going wild on those sites and it's nothing to worry about. Better there than anywhere else.

--
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Hacking Reddit is like hacking Usenet by Hey_Jude_Jesus · 2016-05-10 19:03 · Score: 1

No one cares. Sheesh.
Guessing poor passwords is not hacking by Martin+S. · 2016-05-10 19:51 · Score: 2

Losers like this should not be given this sort of oxygen of publicity to feed their fragile egos.
OMG HACKZOARS! by GrumpySteen · 2016-05-11 00:40 · Score: 3, Funny

They're going to steal my imaginary internet points!
Seriously... who gives a shit about Reddit's security? It's a public bulletin board filled with porn, PM_Me_Your_ accounts, cat memes and throwaway accounts trolling any subreddit that actually tries to have a serious discussion. Adding two factor authorization to that is like putting a combination lock on your garbage can.
Not surprised by tom229 · 2016-05-11 01:01 · Score: 1

I have no idea how this website became so popular. The original interface was horrible and completely unintuitive. Years later it's one of the most popular websites on the internet and it's only slightly better. Their servers go down constantly - unable to handle even slight spikes in traffic. And their simplistic mod system has ruined the community by rewarding a lowest common denominator hive-mind.

In my mind, reddit is proof that there's no policy or formula to follow to have a successful website. Security, interface design, stability, community - none of it seems to matter. It seems to just be random what the world latches on to.

--
If it ain't broke, don't fix it.
1. Re:Not surprised by Scarred+Intellect · 2016-05-11 01:40 · Score: 2
  
  I have no idea how this website became so popular. The original interface was horrible and completely unintuitive.
  My guess is that it's unintuitive to us, who have a modicum of technical capability and understanding. I remember trying to find a setting on Facebook years ago and I couldn't find it. I stopped and tried to think of where an idiot would expect it and there it was! My guess is reddit's interface is designed for idiots.
  Disclaimer: I haven't loaded reddit in probably 10 years. I don't plan to now.