Targeted attacks on 4Chan and 8Chan exploited bot code in Imgur
23.9.2015
Recently a serious vulnerability was discovered in the Imgur service that allowed the injection of malicious code into an image link on the popular website.
Is your website popular? Great you are a privileged target for crooks, just yesterday I reported the last malvertising campaign that hit Forbes and today I decide to present a different kind of attack that is equally dangerous and insidious.
Today we will speak about image boards web services that are very popular especially among youngsters, they are a sort of Internet forum that allows users to post images. Such kind of services is very popular targeting them it is possible to compromise large audience, now it has been reported that a serious vulnerability in the online image sharing community Imgur was exploited by hackers to hide malicious code in images, control visitors’ browsers, and take over the 4Chan and 8Chan image boards.
Imgur has already fixed the hole preventing the upload of malicious images, but anyway it confirmed that threat actors have used compromised pages in targeted attacks. According to Imgur, the attack is limited to these pages and not involved the site’s main gallery page.
“Yesterday a vulnerability was discovered that made it possible to inject malicious code into an image link on Imgur,” explained the Imgur community director Sarah Schaaf.
“From our team’s analysis, it appears the exploit was targeted specifically to users of 4chan and 8chan via images shared to a specific sub-reddit on Reddit.com using Imgur’s image hosting and sharing tools.”
“The vulnerability was patched yesterday evening and we’re no longer serving affected images, but as a precaution we recommend that you clear your browsing data, cookies, and local storage.”
4chan imgur attack
Which is the attack scenario?
The attack injected a JavaScript in the victims’ local storage that sent a ping to the attacker’s command and control servers every time the target visits 8Chan.
The images containing the malicious code were posted to 4Chan and a related Reddit subreddit page. It is not clear the intent of the attackers and according the information available the command and control servers weren’t used to send orders to the infected machines.
Reddit users report JavaScript created an off-screen iframe and embedded a flash file that ran alongside Imgur’s other Flash components making the attack less suspicious.
“This flash file injected more JavaScript into the page [which looked] like an innocuous Pikachu animation,” one Reddit user says.
“This JavaScript was stored to the user’s localstorage which, since the iframe was pointing at 8chan, allowed the attacker to attach JavaScript to 8chan’s localstorage. It’s functionality is to issue a GET request to 8chan.pw and then decrypted the response. So far no one has been able to see a response from that web service, meaning it likely wasn’t activated yet or has already been deactivated. The outcome is that every time a user visited an 8chan page, it would phone home to check for instructions and then execute more JavaScript code.’
As reported by TheRegister, The attacks were described also on various 4Chan boards.
The security team at Imgur has implemented more controls to allow the publication only of “valid” image files and blocked any JavaScript.
As reported in the official announcement made by Imgur, users are invited to clear browsing data, cookies, and localstorage.