
Malicious Code Injected Into Some Imgur Pages

Xyllon

EDIT 4: It seems they have disabled HTML in descriptions now, hopefully this is the last of the issues.

 

If you saw the edits I removed, ignore them. Apparently I'm just doing it wrong. Everything that gets filtered can be bypassed with junk, the only way for this to be completely fixed is for Imgur to disable HTML in descriptions.

EDIT 3: Turns out it's as simple as pasting HTML code into the description.

EDIT 2: IT HAPPENED AGAIN. We need an Imgur alternative ASAP.
EDIT 2.A: The link to the image went down as soon as I posted it here, someone had injected a Harlem Shake JavaScript onto the page. Either way, this goes to show that they aren't actually trying to fix the main problem, just taking down the hacked links when they occur.

EDIT: It has been patched. You can now use Imgur as normal, but I suggest being careful and still disabling Flash and possibly JavaScript.

PSA: IF YOU WANT TO USE IMGUR BUT AVOID THIS (AND ONLY THIS) PROBLEM, INSTALL FLASHBLOCK FOR FIREFOX OR FLASHCONTROL FOR CHROME.

It appears some imgur links that have been posted to /r/4chan (and possibly others) contain malicious JavaScript that also requests hundreds of images from 4chan's content host, as well as embeds a Flash file that will cause another script to phone home when the user visits 8chan. Even though this probably won't affect you if you're not a 4/8chan user, it shows that imgur has problems that could be exploited again if they haven't been already.

 

http://arstechnica.com/security/2015/09/serious-imgur-bug-exploited-to-execute-worm-like-attack-on-8chan-users/ (better article)
https://venturebeat.com/2015/09/22/hackers-are-using-imgur-to-launch-attacks-on-4chan/ (only article I can find right now, if you find a better one please let me know)
https://www.reddit.com/r/technology/comments/3lw2g6/imgur_is_being_used_to_create_a_botnet_and_ddos/
https://www.reddit.com/r/4chan/comments/3lutoo/imgur_is_doing_fishy_things_with_4chan_screencaps/


Initially it was thought to be just a DDoS method:

"When an Imgur image is loaded from /r/4chan, imgur loads a bunch of images from 4chan's content delivery network or 8chan (unclear at this point, might be both), which causes a DDoS to those sites.
See this picture: https://www.reddit.com/r/4chan/comments/3lutoo/imgur_is_doing_fishy_things_with_4chan_screencaps/cv9j7n0
You should only see one image loaded in that list, not all of those."


Then it was found to also be targeting 8chan users:

“This isn’t a DDOS. It’s targeting 8chan users and leaving javascript code in their local storage that causes their browsers to ping back to a command and control server each time they hit an 8chan page. Thus far the C&C server hasn’t sent out any commands (or stopped issuing commands before this was discovered). Over the evening whoever authored this has been updating and changing their code. It only affects very specific imgur images/pages. Why is not yet known.”

The rest of this comment with a lot more detailed information can be found here: https://www.reddit.com/r/technology/comments/3lw2g6/imgur_is_being_used_to_create_a_botnet_and_ddos/cv9tzzm

Imgur has acknowledged this issue: https://twitter.com/imgur/status/646109824342593536


Fuck, I was just on /g/


Fuck, I was just on /g/

Should have used noscript mate.  

Or an anti-exploit solution, although that probably wouldn't stop malicious javascript. 

 

One thing everyone should understand is that in the eyes of a criminal, or I guess a hacker even, browsers are gateways. Code can be run on any computer automatically, this is why I advise security software and a script blocking solution.

Antiviruses aren't needed but the good ones do actual good stuff, such as block malicious code executing commands on your system, this is done by behaviour analysis, cloud analysis in realtime and also certain technologies that are also incorporated into EMET and other anti-exploit solutions.  


Fuck, I was just on /g/

4chan is not affected.

You get infected if you visit one of the malicious images hosted on imgur and then visit 8chan.

 

It seems like imgur has some major vulnerability which allows scripts to be injected into the page. This attack seems to target 8chan but if I understand it correctly it could be used to execute any harmful script on your computer.

Some say that the admins on Reddit are trying to keep the news from spreading as well (by manipulating how many votes threads about it have).

 

From what I can tell you are safe if you don't have Flash installed, but that will only protect you from this particular attack. Imgur itself could be used to do other attacks which don't rely on Flash. Not even blocking all JavaScript will protect you.

Here is all the info so far:

Version 2

tl;dr at bottom.

This is not a DDoS attempt. This exploits an XSS against 8ch and is being spread through an imgur compromise, and is very similar to another XSS against 8ch found and exploited by the same entity back in January.

I'm still collecting more info, but here are the various stages:

There's a lot of JS, but most of it is for misdirection and obfuscation. The real code does very little.

1. Upload malicious SWF to any 8ch board that allows Flash files. SWF uses ExternalInterface to execute arbitrary JS. In this case the SWF is http://media.8ch.net/pokepaws/src/1442859661665.swf.

1a. For some reason, 8ch allows static content to be accessed with or without the "media." subdomain. If the SWF sees it's on "media.", it redirects to the root domain (that's what the ng=1 check is for).

I believe this is the actual XSS exploit.

If the SWF could only be accessed via "media.", same origin policy would only allow JS to be executed in the context of media.8ch.net rather than 8ch.net. Allowing users to upload arbitrary Flash SWFs which can be accessed via a domain essentially gives everyone arbitrary JS execution privileges to that domain. In other words, it's like letting people upload arbitrary HTML files (which would then contain script tags etc.).

Edit: It looks like 8ch.net is now the default for static content, rather than media.8ch.net. So this was an intentional change, but it unintentionally introduced an XSS vector when combined with SWF uploads.

2. Embed that SWF on any other site. In this case the site is imgur (loaded indirectly through JS hosted on 4cdns.org first). Based on what I see, this is very likely a serious breach of imgur. They're routing a file with an image extension to an HTML file. This would imply they can control imgur's nginx config or a similar routing system. There's a chance there's just some critical vuln with imgur's API or something that lets you upload HTML files and for some reason it retains the image extension. Either way, imgur is hosed.

2a. SWF checks to make sure it's currently hosted on either 4cdn.org (legit 4chan CDN), 8ch.net, or 4cdns.org (their malicious site). I suspect 4cdns was just for their testing. I do not know why 4cdn is there at all. There are other references in the code that make it seem like it was intended to exploit both 4chan and 8ch, though the main payload only makes any sense for 8ch. It's possible the 4chan stuff is there for misdirection, or they possibly seriously thought 4chan may be vulnerable to the same exploit (though I'm not sure how or why).

3. Through various roundabout ways, in the context of 8ch.net, the SWF sets localStorage.favorites to a JSON array containing HTML with a script tag loading more Javascript. This Javascript ends up being loaded on every 8ch page because localStorage.favorites is automatically written directly to every 8ch page as HTML. (https://github.com/ctrlcctrlv/infinity/blob/85f7e8e2458e55b4fb4e3d89fb6fe58041229064/js/favorites.js#L41) It's normally used to show a favorite boards list. It's only being taken advantage of here because it allows for an easy persistent XSS across all 8ch pages via local storage.

4. The Javascript makes an AJAX GET request to 8chan.pw/a_[randomgibberish].js. (8chan.pw and 4cdns.org are on the same server and owned by the same actor.) The response is presumed to be encrypted, and decrypted with a simple homemade arithmetic algorithm, and then eval'd. This is basically just more basic obfuscation and is trivial to decrypt if you have access to the code. It runs this only once (no loop), but it runs every time you open another 8ch page since it's embedded on every page. So, this is basically a C&C beacon which waits for new Javascript from 8chan.pw, the C&C, and then runs it.

Edit: They updated the beacon payload to hit a new URL, 8chan.pw/nbr.js. The code was changed to use JSONP instead of Ajax as well.

4a. At this time, I have not seen the C&C actually respond with any JS yet. They're likely waiting for the XSS worm (not really a true worm in this case since it doesn't self-propagate, but since they hijacked a major site, it's going to spread far) to spread further before sending out more JS.

So basically, anyone who visited one of several imgur pages and then visits 8ch at least once is now a sitting duck for whatever they have planned next. At least, as long as they don't shut down their infrastructure now that they've been exposed.

=================================================================

Mitigation:

Recommended mitigation is to clear all your browsing data in the past 72 hours for 8ch.net, or for every website if your browser doesn't do fine-grained clearing.

Alternatively, visit a static 8ch link like http://8ch.net/meta/src/1429927327047.jpg. Open a dev console and type "localStorage". If you see strings like "\u0055\u0055" repeated, you fell victim to the XSS. Whether you see those or not, to be safe, type "localStorage.clear()" to remove the payload if it's there. Refresh the page and you're safe, as long as you don't load the compromised Flash again. Don't visit imgur in the near future, and install a Flash blocker like Flashcontrol, or a more robust blocker like NoScript or uMatrix.

=================================================================

Open questions:

-How did they compromise imgur? This may just be a vulnerability that lets you upload HTML files, or the actor may have control of one or more of imgur's edge servers.

-What JS do they plan to spread to 8ch users?

-The JS loaded on imgur also loads an iframe to this image, but doesn't seem to do anything with it: http://4cdns.org/image/title/14.jpg. Looks like a banner. Might just be a joke/reference or something.

=================================================================

Attribution:

This is very very similar to an XSS zero-day in vichan and infinity that was exploited on 8ch back in January, also using the 8chan.pw domain. In my next post, I'll show the similarities and discuss potential motives.

=================================================================

tl;dr Exploits XSS on 8ch via Flash (arbitrary SWFs are uploadable and accessible through 8ch.net root domain). SWF places a persistent JS beacon on all 8ch pages to wait for further JS to run, as issued by a server, though no payload has been seen yet from the server. XSS is spreading to likely users of 8ch by compromising imgur through unknown means, and loading the SWF in certain imgur submissions (4chan screenshots). No DDoS, no attempt to exploit recent Flash CVEs (yet).

=================================================================

-There is no evidence Bui is responsible. He likely isn't.

-There is no evidence this is related to Hiroyuki Nishimura in any way.

 

How to disinfect yourself in Firefox (thanks 4chan for the tutorial):

1) Open up history (click show all history)

2) search for 8ch.net

3) Right click on one of the links and then press "Forget About This Site".

4) Done! Now don't visit imgur or 8chan until this is fixed. This attack seems to be aimed at 8chan but we don't know if someone else will use this exploit to target other sites. And no, don't even visit direct links to images hosted on imgur. Just don't do it. Treat everything hosted on imgur as malware for the short foreseeable future.
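The persistent-XSS step (3) and the localStorage check in the mitigation section above, as an added example that is not from the thread or from the infinity/vichan code: it scans a localStorage-like object for the payload shapes described (script tags, runs of \uXXXX escapes), removes only the flagged keys instead of wiping everything, and shows the rendering-side fix of validating favorites as board slugs and escaping them rather than writing the array into the page as raw HTML. The board-slug pattern, the regexes and the sample storage contents are assumptions.

```javascript
// Added example, not code from the thread or the infinity/vichan project: it models
// the failure mode above (favorites written into the page as raw HTML) and the
// localStorage check from the mitigation section. Runs in Node without a DOM.

const SUSPICIOUS = [
  /<\s*script/i,                 // a literal <script> tag inside a "favorite"
  /(?:\\u00[0-9a-f]{2}){4,}/i,   // runs of \uXXXX escapes, as noted in the thread
  /javascript:/i,                // javascript: URLs
  /\son\w+\s*=/i,                // inline event handlers (onload=, onerror=, ...)
];

// Read all entries from either a plain object of strings or anything with the
// localStorage-style getItem/key/length API.
function entriesOf(storage) {
  if (typeof storage.key === 'function') {
    return Array.from({ length: storage.length }, (_, i) => {
      const k = storage.key(i);
      return [k, storage.getItem(k)];
    });
  }
  return Object.entries(storage);
}

// Return the keys whose stored value looks like markup or an escape run.
function findSuspiciousEntries(storage) {
  return entriesOf(storage)
    .filter(([, v]) => typeof v === 'string' && SUSPICIOUS.some((re) => re.test(v)))
    .map(([k]) => k);
}

// Targeted cleanup: drop only the flagged keys instead of wiping everything.
function removeSuspiciousEntries(storage) {
  const keys = findSuspiciousEntries(storage);
  for (const k of keys) {
    if (typeof storage.removeItem === 'function') storage.removeItem(k);
    else delete storage[k];
  }
  return keys.length;
}

// The rendering-side fix: treat favorites as data, not markup. Each entry must
// be a board slug (assumed pattern); anything else is dropped before rendering.
const BOARD_SLUG = /^[a-z0-9]{1,32}$/;
function parseFavorites(raw) {
  let list;
  try { list = JSON.parse(raw); } catch { return []; }
  if (!Array.isArray(list)) return [];
  return list.filter((b) => typeof b === 'string' && BOARD_SLUG.test(b));
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Escape on output as a second layer even though slugs are already validated.
function renderFavorites(raw) {
  return parseFavorites(raw).map((b) => `<a href="/${escapeHtml(b)}/">/${escapeHtml(b)}/</a>`).join(' ');
}

// Constructed sample storage (not captured from a real browser).
const sampleStorage = {
  favorites: '["a","tech"]',
  injected: '["tech","<script src=\\"//example.invalid/x.js\\"></script>"]',
  obfuscated: '["\\u0055\\u0055\\u0055\\u0055\\u0055\\u0055"]',
  theme: 'dark',
};
```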


God fucking dammit, imgur is such a good time killer, now wtf am I supposed to go to procrastinate. -.-


God fucking dammit, imgur is such a good time killer, now wtf am I supposed to go to procrastinate. -.-

Endlessly refresh the news section.

God fucking dammit, imgur is such a good time killer, now wtf am I supposed to go to procrastinate. -.-

I just updated the OP, it appears that using Flashcontrol on Chrome or Flashblock on Firefox will prevent the problem. NoScript is also a good idea but can take a lot of configuration.

 

EDIT: For this particular attack only.


I visit 8chan and imgur often, but as I understand it, the only real thing they would be able to gain from me is any information I've entered onto Imgur or 8chan correct?

If so, I don't have much to worry about. Still avoid it in the future


I just updated the OP, it appears that using Flashcontrol on Chrome or Flashblock on Firefox will prevent the problem. NoScript is also a good idea but can take a lot of configuration.

That will only stop this particular attack. The exploit itself in imgur could be used to do other malicious things which do not involve Flash. The attacker just chose to use Flash because it ties very well into another security issue on 8chan.

imgur is not a safe website to use until they fix this, no matter if you block flash or not.


I visit 8chan and imgur often, but as I understand it, the only real thing they would be able to gain from me is any information I've entered onto Imgur or 8chan correct?

If so, I don't have much to worry about. Still avoid it in the future

No, we don't know what it will do. It calls home and tries to fetch something, but the person behind the attack has not sent out the payload yet.

We don't know when that will happen or what it does. The attack seems pretty sophisticated though so it could be really bad, or maybe it is harmless.

I recommend that you clear all the imgur and 8chan data stored in your browser and then avoid both sites for a while.


This is amazing.


Damn, and I was just on 4chan ...


Damn, and I was just on 4chan ...

4chan is not affected. It's imgur and 8chan you should stay away from.


imgur has patched the exploit, we can now return to normal browsing habits

http://imgur.com/blog/2015/09/22/imgur-vulnerability-patched/


Source: >>>> Click Here <<<<< 

 

A Reddit user has uncovered a covert method of carrying out DDoS attacks on 4chan's infrastructure using images hosted on Imgur, via Reddit.
According to Reddit user rt4nyp, who discovered the vulnerability, every time an Imgur image was loaded on the /r/4chan sub-reddit, over 500 other images were also loaded in the background, images hosted on 4chan's CDN.

Since traffic on 4chan is quite huge as is, getting some extra connections from Reddit pushed 4chan's servers over the edge, crashing them several times during the day. Additionally, 8chan, a smaller 4chan spin-off, was also affected and suffered some downtime as well.


Because 4chan going down is such a loss to society.


Interesting. What a strange thing they overlooked. Funny how people notice this lol.


wtf is 4chan?

Oh my god...Lord GabeN is not pleased...xD how do you not know what 4chan is...in brief it's a forum that was originally meant for Otaku and anime lovers alike but now it's a host of mischief and other topics. I think you can also be anonymous or something on there, but I don't fancy myself with such forums.


Oh my god...Lord GabeN is not pleased...xD how do you not know what 4chan is...in brief it's a forum that was originally meant for Otaku and anime lovers alike but now it's a host of mischief and other topics. I think you can also be anonymous or something on there, but I don't fancy myself with such forums.

Oh ok, I don't watch that much anime anymore so I don't know.


Source: >>>> Click Here <<<<< 

 

A Reddit user has uncovered a covert method of carrying out DDoS attacks on 4chan's infrastructure using images hosted on Imgur, via Reddit.

According to Reddit user rt4nyp, who discovered the vulnerability, every time an Imgur image was loaded on the /r/4chan sub-reddit, over 500 other images were also loaded in the background, images hosted on 4chan's CDN.

Since traffic on 4chan is quite huge as is, getting some extra connections from Reddit pushed 4chan's servers over the edge, crashing them several times during the day. Additionally, 8chan, a smaller 4chan spin-off, was also affected and suffered some downtime as well.

Lol but that's pretty simple when you look at it.  Hell it could have been a DOS, all the guy had to do was wait and have someone visit the picture and collect the IP and stress it!
