'How I Hacked Imgur for Fun and Profit'

A security researcher describes gaining full access to the production database for Imgur's image-sharing site -- and then successfully lobbying the company for a higher bug bounty of $5,000. Nathan Malcolm says he exploited a remote-access vulnerability in one of Imgur's unprotected development servers to read their /etc/passwd file, and also keys.php, which contained the credentials for their MySQL servers. An anonymous Slashdot reader quotes Nathan's article on Medium: An important part of security research is knowing when to stop. I went far enough to prove how serious the issue is, and demonstrate what a malicious attacker could do, while not being overly careless or intrusive... I hope other teams can learn from Imgur's willingness to take on feedback and improve, as communication around security is so very important.
Imgur's founder and CEO sent him a personal e-mail along with the bounty, which ended "Thanks so much for protecting us and properly reporting it to us." The author of the article reports that "I've continued to participate in Imgur's bug bounty program, and while it's not perfect, it's responded and paid out nicely to myself and others." And the $5,000 bounty? "Half of that went to people in need, including Lauri Love, a hacker facing extradition to the United States, and a close friend who was recently made homeless. Various charities and researchers also benefited from it."

This is digusting

Imgur uses PHP? Gross.

Re: This is digusting

+1

That's the real news here, PHP is garbage for huge, professional sites.

Re: This is digusting

Yes... like facebook.

Re: This is digusting

Facebook uses a in-house version of it, not the same. Boy you're a fucking moron.

Re: This is digusting

So, the in-house version is different how?

Other than the obvious name calling part of it.

Re: This is digusting

Gross seeing something written in anything other than Ruby makes my cheeks sweat

Re: This is digusting

Learn how to use Google idiot.

https://kinsta.com/blog/hhvm-vs-php-7/

Look, someone even did a comparison of these two completely different setups!

Re: This is digusting

Ruby is still a thing?

Re: This is digusting

So Facebook does not use PHP.. is that you are insisting? Don't confuse language with engine, idiot!

and then successfully lobbying the company

Was it really lobbying? Or was it rather extortion?

Important Data

I just wish companies that had important data like SSNs, money, health records, and other personal information took security just as seriously. If Anthem did, I wouldn't have to worry that one day, some fucker is going to use my information to my detriment. And the way it works, I'll be stuck with the costs and legal problems - all thanks to their incompetence and stupidity.

Re: Important Data

Shut the fuck up Bill Weatherson of Portland, Oregon! Or I'll make more purchases in your name!

Imgur, eh

[JustAnotherOldGuy]

Imgur is an okay image sharing spot, but it's infested with pansy-ass SJW types who take exception to the smallest of slights or imagined insults. Special snowflakes abound, and if you don't hew to their extreme form of social justice groupthink then your account will be maliciously downvoted and reported until it's banned.

Even the littlest departure from their SJW mindset will trigger them into fits of outrage. I've seen this happen to many, many people, and when I dared to speak out about this abusive "tyranny of the intolerant", they banned me too. Frankly, nothing of value was lost on either side. lol

Re:Imgur, eh

[sittingnut]

"... infested with pansy-ass SJW types who take exception to the smallest of slights or imagined insults. Special snowflakes abound, and if you don't hew to their extreme form of social justice groupthink ..."

that is true of western countries in general not just imgur.

Re: Imgur, eh

I must say, this post sure takes the tone of a troll post that was spammed on story after story a few days ago. Maybe we've found the troll responsible for the "millennial snowflakes" spam? And even if the site has a community you'd rather not associate with, there's always value in closing vulnerabilities on sites and systems with a legitimate purpose.

Re:Imgur, eh

[djinn6]

It's funny because they always make fun of Tumblr for being SJW, and yet they turn around and downvote anything not 100% PC.

Re:Imgur, eh

It's because a huge chunk of their users come from reddit.

Re:Imgur, eh

This comment is incredibly offensive. Take it down and delete your account or I'll rant about you on tumblr, you ugly cis white male!

Re:Imgur, eh

[JustAnotherOldGuy]

It's funny because they always make fun of Tumblr for being SJW, and yet they turn around and downvote anything not 100% PC.

Bingo. It's a serious case of pot-meets-kettle...the hypocrisy and groupthink there makes Scientology look like a haven for free thinkers.

Re:Imgur, eh

Yeah...somehow I knew that little story was going to end with you happening to have been banned as well.

Tell you what, post the content that got you banned from Reddit and let everyone else be the judge of what kind of an asshole you are.

Re: Imgur, eh

I've used Imgur for years and never had any problems. But then I use it to store images, not fight over imaginary internet points.

Re:Imgur, eh

I know, right?!? It's like, fuck them for not wanting to have their community inundated with racist, homophobic, x-rated, or KP material!!! Back in the day, you used to be able to upload all of that in one go. Now, you have to be careful, because, for some fucked up reason, other people have feelings today.

Re:Imgur, eh

[kaizendojo]

Maybe you need to spend more time in usersub instead of the 'front page'. I found imgur to be pretty open to arguments and discussions form all sides and not overly pansy-ass... but then again I spend all my time in usersub. Viral groups like the 'front page' and other category groups may be different; honestly wouldn't know. But in general I've found imgur to be a great community.

Re:Imgur, eh

who's chopping onions in here?

Re:Imgur, eh

[antdude]

What are alternative good image sharing hosts then?

Re:Imgur, eh

[JustAnotherOldGuy]

Maybe you need to spend more time in usersub instead of the 'front page'.

Usersub was literally the only place I ever went.

Re: Imgur, eh

[JustAnotherOldGuy]

Maybe we've found the troll responsible for the "millennial snowflakes" spam?

And maybe you haven't. I don't have the time or the interest to spam anyone, especially not Imgur.

-

And even if the site has a community you'd rather not associate with, there's always value in closing vulnerabilities on sites and systems with a legitimate purpose.

And no one, including me, said there wasn't.

Re:Imgur, eh

[JustAnotherOldGuy]

Yeah...somehow I knew that little story was going to end with you happening to have been banned as well.

Maybe the reason you knew it would end that way is because I came right out and said so.
-

Tell you what, post the content that got you banned from Reddit and let everyone else be the judge of what kind of an asshole you are.

I've never been banned from Reddit because I've never been a member there.

Re:Imgur, eh

[JustAnotherOldGuy]

I know, right?!? It's like, fuck them for not wanting to have their community inundated with racist, homophobic, x-rated, or KP material!!!

Right, except nothing I ever said there was racist, homophobic, x-rated, or KP material. I simply dared to disagree with the groupthink there and said so.

Re:Imgur, eh

[JustAnotherOldGuy]

What are alternative good image sharing hosts then?

Hell if I know. I've used Photobucket in the past. You can still use Imgur for image sharing, just don't make your images show up in the gallery.

Re:Imgur, eh

then your account will be maliciously downvoted and reported until it's banned.

So, er, why do you need an account there? It allows anonymous uploading, you know.

Re:Imgur, eh

Maybe if you were less viscous nasty and unable to appreciate that others don't see the world your way, you wouldn't get banned. Perhaps try social skills 101.

Re:Imgur, eh

[radarskiy]

Clearly you should be given a safe space away from SJWs

Re:Imgur, eh

[JustAnotherOldGuy]

Clearly you should be given a safe space away from SJWs

You triggered me with your cisgender white male heteronormative comment.

Re:Imgur, eh

[kaizendojo]

Wow, sorry you had such a bad experience. Mine couldn't have been more different and continues to be so.

Good Response

This is how companies should respond to bug bounties. Good PR all around! Bounty paid, security team wins, company wins, everyone happy. If you're looking to hack, there are plenty of legitimate bug bounty programs out there for you to have fun with. Defacement is so 1990's, get paid for your efforts.

/etc/passwd

[fph+il+quozientatore]

/etc/passwd? Wow. Big deal. Probably contains no passwords (because who doesn't use /etc/shadow in 2016?) and no local users (because who uses local authentication in industry in 2016?).

Re:/etc/passwd

[alvarogmj]

I agree with the first statement, but only because no modern OS uses /etc/passwd alone.

Regarding local accounts, there is no technical reason for them to exist in production environments, but when you are outsourcing your datacenter management to another company which hires incompetent/inexperienced sysadmins and surrounds them with outdated procedures, you better bet there will be local accounts, because doing something else needs to go thru 50 layers of "security" procedures seemingly designed to keep the company in the '80s.

Source: the company I work for :)

Safe space

Sounds like you're looking for a safe space where you can say whatever you want and have no social ramifications. Sorry to be the first one to tell you that life isn't fair, and 'free speech' does not mean 'action without consequence'.

Lauri Love?

lol...if she did something to warrant being extradited to the US, well, perhaps she should have thought better of her life choices.