Follow me on Twitter @KanthalaRaghu

Imgur Compromised through XSS exploit by Attacker

Soon after the news broke down that '4chan has been sold to Hiroyuki Nishimura, founder of 2chan' the platform started falling apart. Apparently the site has been compromised by an Attacker with XSS Exploit.
Soon after the news broke down that '4chan has been sold to Hiroyuki Nishimura, founder of 2chan' the platform started falling apart. Apparently the site has been compromised by an Attacker with XSS Exploit.

When an Imgur image is loaded from /r/4chan, imgur loads a bunch of images from 4chan's content delivery network or 8chan (unclear at this point, might be both), which causes a DDoS to those sites.

"Take a look at the network tab in the developer console when opening up one of the links. Over 453 requests made. Doesn't happen for other non-4chan images. Something fishy indeed:http://puu.sh/kjzzU/c926757f68.png"
' 8chan XSS/imgur breach' gives an explanation,

tl;dr This is not for DDoS. This is an XSS against 8 ch, being spread through some sort of imgur compromise, and is very similar to another XSS against 8 ch found and exploited by the same entity back in January.

The attacker exploits XSS on 8 ch via Flash and probably a domain misconfiguration/oversight on 8 ch (SWFs can be uploaded by users + static content can be accessed through the "media." subdomain as well as the root domain). XSS places a persistent beacon on all 8 ch pages to wait for further JS to run, as issued by a server, though the new JS is yet to be sent. 

XSS is spreading to likely users of 8 ch by compromising imgur through unknown means. No DDoS, no attempt to exploit recent Flash CVEs (yet). Flash is only used for XSS purposes here. 

Mitigation: Visit any 8 ch board and type 'localStorage.favorites' in dev console. If you see a string containing a bunch of '\u0055' type numbers, then you fell victim to the XSS. Simply type localStorage.favorites = "" and refresh the page, and you're safe, as long as you don't load the compromised Flash again. 

In the meantime don't visit imgur in the near future, and install a Flash blocker like Flash control, or a more robust blocker like NoScript or uMatrix.

Post a Comment