Tuesday, 22 September 2015

Imgur is doing something fishy with 4chan screencaps

http://ift.tt/1FbIW2a

/u/vinster271 writes

When an Imgur image is loaded from /r/4chan, imgur loads a bunch of images from 4chan's content delivery network or 8chan (unclear at this point, might be both), which causes a DDoS to those sites. See this picture: http://ift.tt/1V725E3 You should only see one image loaded in that list, not all of those. (This is what a normal Imgur image looks like when it is loaded: http://ift.tt/1KIT1DR. See that only the one image is loaded, not 500 random ones. The injected.js is just a Chrome extension.) Basically, clicking on an Imgur link on /r/4chan ends up opening ~500 links from 4chan.org/8chan.

and /u/EnemyScoot provides an alternate explanation

What the fuuuuuck. First the shady 2ch owner taking over 4chan and now this? What is happening?

EDIT: HOW TO FIX FROM NAMEFAG SKDL: Here is my write-up on the compromises: http://ift.tt/1LstRdm

tl;dr: Exploits XSS on 8 ch via Flash and probably a domain misconfiguration/oversight on 8 ch (SWFs can be uploaded by users + static content can be accessed through the "media." subdomain as well as the root domain). XSS places a persistent beacon on all 8 ch pages to wait for further JS to run, as issued by a server, though the new JS is yet to be sent. XSS is spreading to likely users of 8 ch by compromising imgur through unknown means. No DDoS, no attempt to exploit recent Flash CVEs (yet). Flash is only used for XSS purposes here.

Mitigation: Visit any 8 ch board and type localStorage.favorites in the dev console. If you see a string containing a bunch of \u0055-type numbers, then you fell victim to the XSS. Simply type localStorage.favorites = "" and refresh the page, and you're safe, as long as you don't load the compromised Flash again. Don't visit imgur in the near future, and install a Flash blocker like Flashcontrol, or a more robust blocker like NoScript or uMatrix.
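The mitigation above boils down to "look for a long run of \uXXXX escapes in localStorage and clear it". The following is an added example (not code from either Reddit user or from the linked write-up) that does that check for every key in a localStorage-like object, decodes the escaped run so you can see what it hides before deleting it, and then clears the flagged keys. The storage contents, the key names and the placeholder script are all constructed for illustration; the real beacon is not reproduced here.

```javascript
// Added example: find localStorage values that carry long runs of \uXXXX
// escapes (the indicator described in the comment above), decode them for
// inspection, and clear the flagged keys.  Constructed data only.

const ESCAPE_RUN = /(?:\\u[0-9a-fA-F]{4}){8,}/g; // 8 or more consecutive \uXXXX escapes

// Turn a run of \uXXXX escapes back into the characters they encode.
function decodeEscapes(run) {
  return run.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Scan a plain { key: string } object.  In a browser you would pass
// Object.fromEntries(Object.entries(localStorage)) (assumption: the page's
// localStorage is enumerable, which it is in current browsers).  Returns one
// hit per suspicious key with a decoded preview of the hidden text.
function findEscapedPayloads(storage) {
  const hits = [];
  for (const [key, value] of Object.entries(storage)) {
    if (typeof value !== 'string') continue;
    const runs = value.match(ESCAPE_RUN);
    if (!runs) continue;
    const decoded = runs.map(decodeEscapes).join('');
    hits.push({
      key,
      escapedChars: runs.join('').length, // how much of the value is escape noise
      decoded: decoded.slice(0, 120),     // preview only; do not eval this
    });
  }
  return hits;
}

// Remove every flagged key (the comment's localStorage.favorites = "" step,
// applied to all hits).  Accepts either the plain object used above or a real
// Storage object (which has removeItem).  Returns the keys it removed.
function clearFlagged(storage, hits) {
  for (const { key } of hits) {
    if (typeof storage.removeItem === 'function') storage.removeItem(key);
    else delete storage[key];
  }
  return hits.map(h => h.key);
}

// Helper used only to build the constructed sample below.
function escapeAll(s) {
  return Array.from(s, c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')).join('');
}

// Constructed samples: a clean favorites list, and one where a placeholder
// script has been appended as \uXXXX escapes (this is NOT the real payload).
const CLEAN_STORAGE = { favorites: '["/tech/","/v/"]', theme: 'dark' };
const INFECTED_STORAGE = {
  favorites: '["/tech/"]' +
    escapeAll('setInterval(function(){ /* constructed placeholder */ }, 60000);'),
  theme: 'dark',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findEscapedPayloads(INFECTED_STORAGE));
  console.log(findEscapedPayloads(CLEAN_STORAGE));
}
```

The threshold of eight consecutive escapes is an assumption chosen so that an ordinary JSON favorites list, which never contains \u escapes at all, is not flagged; lower it if you want to catch shorter fragments. The decoded preview is for reading only, never for executing.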

TL;DR: Imgur is either deliberately or inadvertently DDoSing 8ch.net by opening several 8ch.net links each time a screencap is opened. Imgur has most likely been compromised through some sort of exploit by an outsider.
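/u/vinster271's evidence is a network-panel screenshot showing one Imgur image pulling in hundreds of files from another site. The following is an added example (not from the Reddit thread or from Imgur) that reproduces that observation programmatically: it groups the page's resource loads by host and reports any host serving more than a chosen number of them. In a browser the input would be performance.getEntriesByType('resource'); here a constructed entry list with a placeholder host stands in for the screenshot.

```javascript
// Added example: count a page's resource loads per host so a third-party
// origin serving hundreds of files stands out.  In a browser:
//   auditResourceHosts(performance.getEntriesByType('resource'))
// Below, constructed entries replace the real PerformanceResourceTiming list.

// Each entry only needs a `.name` URL (what PerformanceResourceTiming gives);
// `initiatorType` is carried along for the report when present.
// Returns hosts with more than `maxPerHost` loads, most frequent first.
function auditResourceHosts(entries, maxPerHost = 20) {
  const perHost = new Map();
  for (const entry of entries) {
    let host;
    try { host = new URL(entry.name).hostname; }
    catch { continue; }            // relative or malformed names are skipped
    if (!host) continue;           // data: and blob: URLs have no host
    const rec = perHost.get(host) || { host, count: 0, types: {}, sample: entry.name };
    rec.count += 1;
    const t = entry.initiatorType || 'unknown';
    rec.types[t] = (rec.types[t] || 0) + 1;
    perHost.set(host, rec);
  }
  return [...perHost.values()]
    .filter(r => r.count > maxPerHost)
    .sort((a, b) => b.count - a.count);
}

// Constructed sample: two first-party loads plus 500 images from a
// placeholder host (the post names 8chan/4chan; `imageboard.invalid` is
// used here so nothing real is referenced).
const CONSTRUCTED_ENTRIES = [
  { name: 'https://i.imgur.com/abc123.png', initiatorType: 'img' },
  { name: 'https://s.imgur.com/min/imgur.js', initiatorType: 'script' },
  { name: 'data:image/gif;base64,R0lGODlhAQABAAAAACw=', initiatorType: 'img' },
  ...Array.from({ length: 500 }, (_, i) => ({
    name: `https://imageboard.invalid/b/src/${1000 + i}.jpg`,
    initiatorType: 'img',
  })),
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditResourceHosts(CONSTRUCTED_ENTRIES));
}
```

A normal image page, like the second screenshot in the post, would return an empty list at this threshold; the report's `types` breakdown also tells you whether the extra loads are images, scripts or something else, which is the first thing to check when deciding between a DDoS and an injected script.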



by lmpetus http://ift.tt/1KIY3jN
