An attacker, or attackers, could have pulled off massive pwnage – such as secretly installing keyloggers on PCs belonging to thousands of unsuspecting visitors of the popular image-sharing site Imgur; instead, the attacker targeted users of 4chan and 8chan via images shared on the r/4chan sub-reddit.
On the subreddit 4chan, Reddit user rt4nyp first spotted that Imgur was “doing fishy things” with “some 4chan screencaps.” In case you don’t know, Imgur is often featured on Reddit’s “front page” of the Internet and receives who knows how many millions of daily visitors. WunderWeasal, another Reddit user, posted a screenshot of “over 453 requests” made covertly in the background when an Imgur image was opened on r/4chan. It was eventually reported that clicking on an affected Imgur link would secretly open about 500 other images in the background.
Listening to music while watching the story unfold and clicking on related links caused Malwarebytes Anti-Malware blocker to pop up so fast and so often that it was actually flashing warnings in time with the beat.
As Ars Technica’s Dan Goodin explained, “From then on, every time one of these people visited an 8chan page, their browser would report to an attacker-controlled server and await instructions. In the process, the infected browser would bombard 8chan servers with hundreds of additional requests.” Goodin added, “The hack had the potential to take on worm-like properties, in which a handful of viral images could generate an endless stream of traffic and millions and millions of new infections.”
It is unknown why the attacker “had a delivery mechanism on one of the most popular sites on the Internet,” but chose to use it “for a prank,” Arshan Dabirsiaghi, chief scientist at Contrast Security, told Goodin. The flaw “could have been used to expose people to off-the-shelf attack code that exploited vulnerabilities in browsers and browser plugins. Such exploits are one of the chief ways criminals surreptitiously install keyloggers and other types of malware on end user computers.” The attacker or attackers could have raked in some serious cash.
The only evidence gathered so far “shows the Imgur exploit interacting with booby-trapped Flash images hosted on 8chan,” Ars added. “Those SWF images, in turn, installed their own XSS-based attacks in the HTML5 local storage databases of users' browsers. From then on, infected browsers would contact a command and control server each time an 8chan page was loaded. And with each one, the browsers would ping 8chan hundreds more times.”
Imgur moved quickly and patched the vulnerability on the same day it was being exploited. The Imgur team’s analysis found the exploit was targeting “users of 4chan and 8chan via images shared to a specific sub-reddit” using “Imgur’s image hosting and sharing tools.”
“MrGrim,” a Redditor claiming to be from Imgur, explained:
No one really knows whether the attack was meant as a prank, or if it was meant to eventually turn into something more sinister, but there are plenty of theories about creating a botnet to DDoS 8chan. One of the more interesting theories proposed, according to The Stack, allegedly “involved an Imgur insider with access to the source code;” the insider supposedly could have manipulated the source code “to inflict damage on 4chan – a grudge perhaps against new owner Hiroyuki Nishimura.”
There’s no reason to currently believe that is true, but it is true that Nishimura is the new owner of 4chan. When announcing the change, Chris Poole, aka “moot,” called Nishimura the “great-grandfather of 4chan” since he created the Japanese image board 2channel in 1999 which served as the inspiration for the anonymous image board site 4chan. The change in ownership occurred on the “eve” of 4chan’s 2 billionth post and 12th birthday.
Yet 8chan is not the same thing as 4chan; it's a relatively small spin-off from 4chan.
Imgur said it would pass on anything new it learns about the attack.