Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

Imgur Exploited To Channel Botnet Attacks At 4chan 73

An anonymous reader writes: Imgur has been compromised by attackers looking for an opportunity to direct large volumes of traffic to 4chan. A Reddit thread explains that "when an Imgur image is loaded from /r/4chan [...] imgur loads a bunch of images from 8chan, which causes a DDoS to those sites." Meaning that if a user clicks an Imgur link on /r/4chan, it automatically makes around "500 requests" for one image from imageboard 4chan.org/8chan.
This discussion has been archived. No new comments can be posted.

Imgur Exploited To Channel Botnet Attacks At 4chan

Comments Filter:
  • Do over please (Score:5, Insightful)

    by Anonymous Coward on Wednesday September 23, 2015 @05:17PM (#50586043)

    Can we get a cleanup on this summary please, from someone who actually passed high school English class?

    The short version: someone served up malicious javascript on 8chan by hosting it on imgur as images, revealing that imgur does not actually check to make sure its images are images. Some Flash on 8chan loads the javascript from the localstorage object, breaking same-origin. Once again the DOM is proven to be a horrible house of cards.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Can we get a cleanup on this summary please, from someone who actually passed high school English class?

      The article summary was probably submitted by a 4chan user...

      • Re:Do over please (Score:5, Informative)

        by Anonymous Coward on Wednesday September 23, 2015 @05:37PM (#50586153)

        4chan users actually know how to write, at least better than slashdot "editors". It's just that they add the "faggot" and "nigger" every 3 sentences.

      • by BigGez ( 692965 )

        Can we get a cleanup on this summary please, from someone who actually passed high school English class?

        The article summary was probably submitted by a 4chan user...

        It was 100% submitted by a /. user...

    • Here's how I understand it:
      1. The malicious "images" are hosted on imgur.
      2. They are posted to /r/4chan, a place on reddit, which I assume is a place to talk about 4chan but not connected to the site in any way.
      3. The malicious code downloads a bunch of images from 8chan, effectively DDoSing it.
      Yes, the summary is awful and contradicts itself a few times. It has nothing to do with 4chan from how I understand it.
    • by Anonymous Coward

      I only came to read the comments because the description was horse shit.

      God damn... Slashdot is becoming more depressing by the day.

      "News for idiots. Shit doesn't matter."

    • Re:Do over please (Score:5, Insightful)

      by jest3r ( 458429 ) on Wednesday September 23, 2015 @06:14PM (#50586345)
      I think I read that Imgur was inlining images with data urls when viewing the raw image.

      So if you visited www.imgur.com/image.jpg the source code would look like:
      img src="data:image/jpg;base64,R0lGODlhEALMAAOazToeHh0tLS/7LZv/0jvb2 ...... etc.

      When uploading an image to Imgur someone figured out how to append code to the end of the raw data to break out of the data url data and append some Javascript to it.

      The Javascript pulled down images from 8chan among other things.
      • by Anonymous Coward
        As I understand it, this is correct. Imgur does this so that http://i.imgur.com/qP4c9f8.gif [imgur.com] and http://i.imgur.com/qP4c9f8.png [imgur.com] both point to the same file, despite the difference in filetypes in the urls.
        • Re: (Score:3, Insightful)

          by Anonymous Coward

          Well then they're doing it wrong. URL rewriting at the httpd engine level (or the cache level, or whatever serves as the frontmost layer) can handle that without embedding the binary data inside of an IMG tag. Inlining binary data is also contrary to how HTTP is supposed to work, as it breaks the renderer's ability to choose whether or not to retrieve certain media. A user who is browsing with images disabled in their browser has expressly opted not to retrieve that data. When a site inlines images in this

          • by KGIII ( 973947 )

            I am not 100% certain of the nomenclature but I believe it goes like this:

            "oldfag is oldfag. teh cancer that iz killin /b/ haz been here since tiem immemorial. lulz will be had by all - except u cuz u is newfag w/knickerz in knotz! lulz. now tits or gtfo, newfag. also ur mom"

            Promptly followed with, "stfu, ur mom iz teh cancerz. fgt!"

            A witty riposte will be sure to follow and it will, quite likely, be akin to, "no u!" (Accompanied with a picture of gore or the OP's penis.)

            I am not entirely fluent, yet, but I

            • I was on /b/ back when it was good.

              • by KGIII ( 973947 )

                > implying /b/ was ever good

                I was first exposed to the site back in the early 2000s. It's never really been a hangout though I've had some interesting conversations there. They're not all retarded children. The signal to noise ratio is pretty high, currently, but it's dieing down to a dull roar now that the kids have gone back to school and it is losing favor in the media. I think it can be summed up, sort of, as Eternal September(ish) but with fluctuations in the signal to noise ratio.

                I'm still wonderin

    • by _KiTA_ ( 241027 )

      Can we get a cleanup on this summary please, from someone who actually passed high school English class?

      The short version: someone served up malicious javascript on 8chan by hosting it on imgur as images, revealing that imgur does not actually check to make sure its images are images. Some Flash on 8chan loads the javascript from the localstorage object, breaking same-origin. Once again the DOM is proven to be a horrible house of cards.

      Also, the DDoS was at the very least also targeted at 8ch. There was a pretty big teardown of it -- someone registered a similar name to 4ch's image host, the malware SWF specifically mentions the founder of 8ch and something that sounds like it's related to /pol/, the server hosting up the malware was replying to specific referrers and IP addresses, etc etc.

    • Can we get a cleanup on this summary please, from someone who actually passed high school English class?

      4chan and 8chan, which fancies itself a wilder 4chan, are like Moe and Curly. Imgur is like Larry and his violin. Reddit just tossed a quarter on the floor, and Larry, Moe, and Curly all went to grab it, yielding the crisp, clean sound of coconuts knocking together.

  • Old news? (Score:5, Informative)

    by BlckAdder ( 18469 ) on Wednesday September 23, 2015 @05:20PM (#50586065)

    This was patched yesterday [imgur.com].

  • by Anonymous Coward

    Some posted how the code worked on Voat a few days ago, word seemed to spread from there. Mentioned it was an old hack developed by the CIA, something about creating off-screen i-frames. My code-fu is very rusty these days but it seemed to make sense. Can't seem to find the post now, forgot which sub it was.

    • by guruevi ( 827432 )

      CIA? Really? This kind of crap has been around since the late 90's and is well described in books dating back decades ago.

    • That is not some CIA trick -- it's decades old and quite well understood. I even learned about it back in at Uni years ago in our intro to computer security class
    • Some posted how the code worked on Voat a few days ago, word seemed to spread from there. Mentioned it was an old hack developed by the CIA, something about creating off-screen i-frames.

      Those dastardly devils at the Culinary Institute of America are so cunning, with their JavaScript kung-fu!

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Wednesday September 23, 2015 @06:44PM (#50586483)
    Comment removed based on user account deletion
    • by Anonymous Coward

      Getting pretty hard to find places where you can speak uncensored. That seems pretty valuable IMO. Especially when bad actors of major websites are doing what they can to take down a low budget server run by a disabled dude.

      • by Anonymous Coward

        This. It amazes me that so many people attack fullchan.

        Pro-censorship folks cannot stand the fact that 8chan has relatively lax moderation while still quickly removing things that are actually illegal.

        The feelings of SJWs are not protected by law. The real world isn't a safe space.

  • Imgur for some reason ran malicious javascript.

    The javascript downloaded further obfuscated javascript from several servers, registered behind anonymity in Panama and using hacked cloud instances. One of those was 4cdns.org, imitating 4chan's 4cdn.org.

    This inserted code into the localStorage object for 8chan, 8ch.net. 8chan was set up to include localStorage on every page.

    The code was one that periodically requested further code from a command and control server. The C&C server was inactive whe

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Working...