A Bored Hacker Easily Stole And Defaced More Than 70 Subreddits

An anonymous reader writes: Hacker, BVM, said he's "lost count" of the number of subreddits he's stolen and defaced, but estimates that the number is more than 70. Subreddits like r/pics, r/starwars, and r/gameofthrones, and many others, have been defaced just in the last few days. He claims Reddit's crummy security, and lack of two-factor authentication are what has made his exploits possible. "Reddit's security is shit," he says. "If Reddit would simply add 2FA it would be a lot harder to get in." Why is BVM hacking these subreddits? "No reason really. Just boredom. It's not like it's really a challenge or anything so I just do it to pass time," the hacker told Motherboard in an online chat. BVM didn't comment on how exactly he is taking over subreddits. However, he did admit he's been hacking into moderators' accounts and then changing the CSS style of the pages, replacing it with a note taking responsibility. Reddit appears to be responding to these incidents quickly, restoring the subreddits.

if true...

[AlphaBro]

If true, I'm guessing it's credential reuse, phishing, or possibly XSS/CSRF. The volume hints at XSS/CSRF, but the suggestion to implement 2FA says otherwise since it may not mitigate such vulnerabilities.

Re:if true...

[AlphaBro]

Article? This is /., we don't read those around here. That said, given the size of Reddit and volume of leaked credentials, I can see why the hacker got bored here. An attack like this would be trivial to pull off: aggregate all recent leaks, scrape moderator usernames from Reddit, filter the leaked creds using the scraped usernames, and go to town.

String the fucker up

[Gojira+Shipi-Taro]

And ban him from access to anything more advanced than a leaded pencil. Vandalism is vandalism. You're bored? go help the needy or something.

Re:String the fucker up

[goten]

Or, ya know, stop having shitty security on a website? Oh and how about users don't reuse passwords? While I agree with you in spirit, there's the other side of the coin where harmless situations do more good than bad. BVM isn't stealing identities, nobody is going to jail, it's just a visual change to bring attention to a poor practice. How about we cater our response to damage done and not burn the whole world down.

Bored my ass

Reddit's pathetic politically correct SJW policy of censorship and shadowbanning is driving more and more to fight back and deface what they can in the name of freedom of speech. Proving their security is also shit is just icing on the cake.

Re:Bored my ass

[Mashiki]

Wouldn't surprise me. /r/subredditcancer has been doing a pretty good job of tracking that over the last year and change.

Re:Bored my ass

[Maritz]

Reddit's pathetic politically correct SJW policy of censorship and shadowbanning is driving more and more to fight back and deface what they can in the name of freedom of speech. Proving their security is also shit is just icing on the cake.

The guy said he did it because he was bored.

Great point though.

Re:Bored my ass

[hey!]

Reddit's pathetic politically correct SJW policy of censorship and shadowbanning is driving more and more to fight back and deface what they can in the name of freedom of speech.

Which is plain juvenile. The correct (and more effective) strategy is to take your eyeballs elsewhere. Engaging a site that you disagree with actually helps the site.

Social media is essentially porn. The people who use it the most aren't out to engage other people, they're looking for a quick and easy hit of stimulation; the only difference is that it's outrage, not horniness that gets titillated. Do I have to spell this out? You act out your outrage and get paid in attention; some of that attention reacts with outrage and in turn gets attention, including from you. So you react, and the cycle goes on, the outrage market makers milk homeopathic quantities of revenue from each act of outrage. And integrated over the sheer volume out there, those fractions of penny per flame post add up to real money.

It literally doesn't matter what you believe, as long as you believe it as obnoxiously as possible. You are, to social media companies, nothing but an outrage milk-cow.

Porn is actually better for you than social media, and better for society as a whole because horniness is a less harmful drive to titillate than outrage.

Guessing poor passwords is not hacking

[Martin+S.]

Losers like this should not be given this sort of oxygen of publicity to feed their fragile egos.

Re:A weird thing happened to me today

[Yosho]

Imagezoom still works, but Google has decided the extension violates their Chrome Web Store policy, so they took the courtesy of manually disabling it for you. If you go into your settings and enable it, it'll work again.

OMG HACKZOARS!

[GrumpySteen]

They're going to steal my imaginary internet points!

Seriously... who gives a shit about Reddit's security? It's a public bulletin board filled with porn, PM_Me_Your_ accounts, cat memes and throwaway accounts trolling any subreddit that actually tries to have a serious discussion. Adding two factor authorization to that is like putting a combination lock on your garbage can.

Re:Not surprised

[Scarred+Intellect]

I have no idea how this website became so popular. The original interface was horrible and completely unintuitive.

My guess is that it's unintuitive to us, who have a modicum of technical capability and understanding. I remember trying to find a setting on Facebook years ago and I couldn't find it. I stopped and tried to think of where an idiot would expect it and there it was! My guess is reddit's interface is designed for idiots.

Disclaimer: I haven't loaded reddit in probably 10 years. I don't plan to now.