A previously unknown vulnerability in the popular photo-sharing site Imgur was recently exploited in an apparent attempt to hack users of the internet message board 8chan—an offshoot of 4chan—via images posted on Reddit.
It's not clear what the malicious code—which appeared to do little damage when run—was ultimately meant to do.
According to one analysis, the attacker—whose identity and motives are currently unknown—uploaded several images containing malicious code to Imgur, and then posted those images to Reddit's 4chan subreddit.
The server didn't issue any commands, but, potentially, the attacker or attackers "could have had full control over anything done or seen on 8chan by infected users," ItsMeCaptainMurphy told Motherboard in an online chat, allowing them to steal login credentials, for example.
"Basically, someone exploited a vulnerability in Imgur to inject code into your browser, to then exploit a vulnerability in 8chan, to then inject more code," Jesus Higueras, a game developer who reported the attack to Imgur, told Motherboard.
It's not clear why the attack was so convoluted, or what the attacker hoped to achieve, but some theorize that the goal could have merely been a denial-of-service attack, since the Flash file was also programmed to cause more load on 8chan's servers, according to security researcher Darren Martyn.
8chan responded to the attack by disabling the ability to access and upload Flash files on the site.
"We have done all we can to respond to the Imgur hack. All SWF file access and upload is disabled (it may not come back)," 8chan tweeted. "A patch has also been entered to clear localStorage of affected users on their next visit to the site."
When someone asked if that meant no more Flash on the site, 8chan's administrator responded: "Fuck Flash."
Hiroyuki Nishimura, the new owner of 4chan, told Motherboard that "as far as I know, there's no effect on 4chan."
At this point it's unclear what the real goal of this attack was, but the good news is that Imgur has apparently patched a vulnerability that would've allowed attackers with more nefarious goals to exploit visitors of Imgur with malicious code.