Hacker exploited Imgur flaw to secretly load over 450 background images and attack 8chan

An attacker could have pulled off massive pwnage by abusing a bug on Imgur, which is often featured on Reddit’s “front page” of the Internet; instead the hacker targeted 8chan; 4chan and 8chan experienced some downtime. Imgur quickly issued a patch.

Imgur hacked
Credit: Imgur

An attacker, or attackers, could have pulled off massive pwnage – such as secretly installing keyloggers on PCs belonging to thousands of unsuspecting visitors of the popular image-sharing site Imgur; instead, the attacker targeted users of 4chan and 8chan via images shared on the r/4chan sub-reddit.

On the subreddit 4chan, Reddit user rt4nyp first spotted that Imgur was “doing fishy things” with “some 4chan screencaps.” In case you don’t know, Imgur is often featured on Reddit’s “front page” of the Internet and receives who knows how many millions of daily visitors. WunderWeasal, another Reddit user, posted a screenshot of “over 453 requests” made covertly in the background when an Imgur image was opened on r/4chan. It was eventually reported that clicking on an affected Imgur link would secretly open about 500 other images in the background.

Listening to music while watching the story unfold and clicking on related links caused Malwarebytes Anti-Malware blocker to pop up so fast and so often that it was actually flashing warnings in time with the beat.

A write up on Pastebin pointed out that the attack was exploiting a cross-site scripting (XSS) vulnerability to attack 8chan; the attacker was supposedly the same entity who exploited a similar flaw to attack 8chan in January. Another analysis by Redditor “ItsMeCaptainMurphy” explained that when people viewed an affected Imgur-hosted image, such as “an innocuous Pikachu animation,” their browser would execute the attacker’s malicious JavaScript code; users didn’t see the Iframes and embedded Flash file created by the code that was used to exploit “two additional but completely separate vulnerabilities” on 8chan.

As Ars Technica’s Dan Goodin explained, “From then on, every time one of these people visited an 8chan page, their browser would report to an attacker-controlled server and await instructions. In the process, the infected browser would bombard 8chan servers with hundreds of additional requests.” Goodin added, “The hack had the potential to take on worm-like properties, in which a handful of viral images could generate an endless stream of traffic and millions and millions of new infections.”

It is unknown why the attacker “had a delivery mechanism on one of the most popular sites on the Internet,” but chose to use it “for a prank,” Arshan Dabirsiaghi, chief scientist at Contrast Security, told Goodin. The flaw “could have been used to expose people to off-the-shelf attack code that exploited vulnerabilities in browsers and browser plugins. Such exploits are one of the chief ways criminals surreptitiously install keyloggers and other types of malware on end user computers.” The attacker or attackers could have raked in some serious cash.

The only evidence gathered so far “shows the Imgur exploit interacting with booby-trapped Flash images hosted on 8chan,” Ars added. “Those SWF images, in turn, installed their own XSS-based attacks in the HTML5 local storage databases of users' browsers. From then on, infected browsers would contact a command and control server each time an 8chan page was loaded. And with each one, the browsers would ping 8chan hundreds more times.”

Imgur moved quickly and patched the vulnerability on the same day it was being exploited. The Imgur team’s analysis found the exploit was targeting “users of 4chan and 8chan via images shared to a specific sub-reddit” using “Imgur’s image hosting and sharing tools.”

“MrGrim,” a Redditor claiming to be from Imgur, explained:

Someone managed to upload an HTML file with malicious JavaScript inside of it that targeted 8chan. We patched this bug and it's no longer possible to upload those files. We're also not serving those bad files anymore. From what we know now, the attack only target users of the /r/8chan subreddit if you viewed the bad image. As a precaution we recommend that you clear your browsing data, cookies, and localstorage, especially if you're also an 8chan user.

MrGrim, according to Motherboard, is not just some Imgur employee; he’s Imgur CEO Alan Schaaf. He said, “Serving JavaScript code from our i.imgur.com is now impossible.”

No one really knows whether the attack was meant as a prank, or if it was meant to eventually turn into something more sinister, but there are plenty of theories about creating a botnet to DDoS 8chan. One of the more interesting theories proposed, according to The Stack, allegedly “involved an Imgur insider with access to the source code;” the insider supposedly could have manipulated the source code “to inflict damage on 4chan – a grudge perhaps against new owner Hiroyuki Nishimura.”

There’s no reason to currently believe that is true, but it is true that Nishimura is the new owner of 4chan. When announcing the change, Chris Poole, aka “moot,” called Nishimura the “great-grandfather of 4chan” since he created the Japanese image board 2channel in 1999 which served as the inspiration for the anonymous image board site 4chan. The change in ownership occurred on the “eve” of 4chan’s 2 billionth post and 12th birthday.

Yet 8chan is not the same thing as 4chan; it's a relatively small spin-off from 4chan.

Imgur said it would pass on anything new it learns about the attack.

The brave new world of Windows 10 license activation
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies