Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Bug

'How I Hacked Imgur for Fun and Profit' (medium.com) 45

A security researcher describes gaining full access to the production database for Imgur's image-sharing site -- and then successfully lobbying the company for a higher bug bounty of $5,000. Nathan Malcolm says he exploited a remote-access vulnerability in one of Imgur's unprotected development servers to read their /etc/passwd file, and also keys.php, which contained the credentials for their MySQL servers. An anonymous Slashdot reader quotes Nathan's article on Medium: An important part of security research is knowing when to stop. I went far enough to prove how serious the issue is, and demonstrate what a malicious attacker could do, while not being overly careless or intrusive... I hope other teams can learn from Imgur's willingness to take on feedback and improve, as communication around security is so very important.
Imgur's founder and CEO sent him a personal e-mail along with the bounty, which ended "Thanks so much for protecting us and properly reporting it to us." The author of the article reports that "I've continued to participate in Imgur's bug bounty program, and while it's not perfect, it's responded and paid out nicely to myself and others." And the $5,000 bounty? "Half of that went to people in need, including Lauri Love, a hacker facing extradition to the United States, and a close friend who was recently made homeless. Various charities and researchers also benefited from it."
This discussion has been archived. No new comments can be posted.

'How I Hacked Imgur for Fun and Profit'

Comments Filter:
  • by Anonymous Coward

    Imgur uses PHP? Gross.

  • by Anonymous Coward

    I just wish companies that had important data like SSNs, money, health records, and other personal information took security just as seriously. If Anthem did, I wouldn't have to worry that one day, some fucker is going to use my information to my detriment. And the way it works, I'll be stuck with the costs and legal problems - all thanks to their incompetence and stupidity.

    • by Anonymous Coward

      Shut the fuck up Bill Weatherson of Portland, Oregon! Or I'll make more purchases in your name!

  • Imgur, eh (Score:2, Informative)

    Imgur is an okay image sharing spot, but it's infested with pansy-ass SJW types who take exception to the smallest of slights or imagined insults. Special snowflakes abound, and if you don't hew to their extreme form of social justice groupthink then your account will be maliciously downvoted and reported until it's banned.

    Even the littlest departure from their SJW mindset will trigger them into fits of outrage. I've seen this happen to many, many people, and when I dared to speak out about this abusive "ty

    • Re: (Score:3, Insightful)

      by sittingnut ( 88521 )

      "... infested with pansy-ass SJW types who take exception to the smallest of slights or imagined insults. Special snowflakes abound, and if you don't hew to their extreme form of social justice groupthink ..."

      that is true of western countries in general not just imgur.

    • by Anonymous Coward

      I must say, this post sure takes the tone of a troll post that was spammed on story after story a few days ago. Maybe we've found the troll responsible for the "millennial snowflakes" spam? And even if the site has a community you'd rather not associate with, there's always value in closing vulnerabilities on sites and systems with a legitimate purpose.

      • Maybe we've found the troll responsible for the "millennial snowflakes" spam?

        And maybe you haven't. I don't have the time or the interest to spam anyone, especially not Imgur.

        -

        And even if the site has a community you'd rather not associate with, there's always value in closing vulnerabilities on sites and systems with a legitimate purpose.

        And no one, including me, said there wasn't.

    • by djinn6 ( 1868030 )
      It's funny because they always make fun of Tumblr for being SJW, and yet they turn around and downvote anything not 100% PC.
      • It's funny because they always make fun of Tumblr for being SJW, and yet they turn around and downvote anything not 100% PC.

        Bingo. It's a serious case of pot-meets-kettle...the hypocrisy and groupthink there makes Scientology look like a haven for free thinkers.

    • by Anonymous Coward

      I've used Imgur for years and never had any problems. But then I use it to store images, not fight over imaginary internet points.

    • Maybe you need to spend more time in usersub instead of the 'front page'. I found imgur to be pretty open to arguments and discussions form all sides and not overly pansy-ass... but then again I spend all my time in usersub. Viral groups like the 'front page' and other category groups may be different; honestly wouldn't know. But in general I've found imgur to be a great community.
    • by antdude ( 79039 )

      What are alternative good image sharing hosts then?

      • What are alternative good image sharing hosts then?

        Hell if I know. I've used Photobucket in the past. You can still use Imgur for image sharing, just don't make your images show up in the gallery.

    • Clearly you should be given a safe space away from SJWs

  • by Anonymous Coward

    This is how companies should respond to bug bounties. Good PR all around! Bounty paid, security team wins, company wins, everyone happy. If you're looking to hack, there are plenty of legitimate bug bounty programs out there for you to have fun with. Defacement is so 1990's, get paid for your efforts.

  • /etc/passwd? Wow. Big deal. Probably contains no passwords (because who doesn't use /etc/shadow in 2016?) and no local users (because who uses local authentication in industry in 2016?).
    • I agree with the first statement, but only because no modern OS uses /etc/passwd alone.

      Regarding local accounts, there is no technical reason for them to exist in production environments, but when you are outsourcing your datacenter management to another company which hires incompetent/inexperienced sysadmins and surrounds them with outdated procedures, you better bet there will be local accounts, because doing something else needs to go thru 50 layers of "security" procedures seemingly designed to keep the

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...