Someone Was Abusing an Imgur Bug to Target 8chan Users

Bug allowed attackers to upload malicious code to the site.

by Lorenzo Franceschi-Bicchierai
Sep 22 2015, 9:25pm

Image: McIe/Shutterstock

A previously unknown vulnerability in the popular photo-sharing site Imgur was recently exploited in an apparent attempt to hack users of the internet message board 8chan—an offshoot of 4chan—via images posted on Reddit.

According to several analyses, the bug allowed anyone to hide potentially malicious JavaScript code inside images uploaded to Imgur that would run when viewed. Such a bug could have potentially been used to hack millions of users, but in this case, the attacker only targeted those specifically visiting 8chan.

It's not clear what the malicious code—which appeared to do little damage when run—was ultimately meant to do.

Multiple users on Reddit and 4chan first spotted the attack on Monday, which Imgur confirmed on Tuesday. The photo-sharing site also said it had patched the bug. Alan Schaaf, the CEO of Imgur wrote on Reddit that "serving JavaScript code from our is now impossible."

According to one analysis, the attacker—whose identity and motives are currently unknown—uploaded several images containing malicious code to Imgur, and then posted those images to Reddit's 4chan subreddit.

When viewed, the images then loaded a malicious Flash file—a "trippy Pikachu animation" hosted on 8chan—which was invisible to the user. That flash file then ran more JavaScript code, which modified the user's browser, so that whenever the user visited 8chan, it would ping a command and control server controlled by the attacker, according to Reddit user ItsMeCaptainMurphy, who wrote an analysis of the attack.

The server didn't issue any commands, but, potentially, the attacker or attackers, "could have had full control over anything done or seen on 8chan by infected users," ItsMeCaptainMurphy told Motherboard in an online chat, allowing them to steal login credentials, for example.

"Basically, someone exploited a vulnerability in Imgur to inject code into your browser, to then exploit a vulnerability in 8chan, to then inject more code," Jesus Higueras, a game developer who reported the attack to Imgur, told Motherboard.

It's not clear why the attack was so convoluted, or what the attacker hoped to achieve, but some theorize that the goal could have merely been a denial of service attack, since the Flash file was also programmed to cause more load on 8chan's servers, according to security researcher Darren Martyn.

8chan responded to the attack by disabling the ability to access and upload Flash files on the site.

"We have done all we can to respond to the Imgur hack. All SWF file access and upload is disabled (it may not come back)," 8chan tweeted. "A patch has also been entered to clear localStorage of affected users on their next visit to the site."

When someone asked if that meant no more Flash on the site, 8chan's administrator responded: "Fuck Flash."

Hiroyuki Nishimura, the new owner of 4chan, told Motherboard that "as far as I know, there's no affect on 4chan."

At this point it's unclear what was the real goal of this attack, but the good news is that Imgur has apparently patched a vulnerability that would've allowed attackers with more nefarious goals to exploit visitors of Imgur with malicious code.