Jump to content

Malwarebytes blocking Imgur?


Recommended Posts

It's blocked because the root cause of their issues has yet to be identified and resolved. Once this happens and is confirmed, the block will be removed.

It was fixed yesterday FYI.  http://imgur.com/blog/2015/09/22/imgur-vulnerability-patched/


What's interesting about it though, is that users need to do a full cleanup of the locally stored data.  Since it can still sit live on their machines and still send out information.


This is from one of the threads over on reddit about it:




Anyhow, I've been following this breach as it's developed over the night and was active in the threads on /g/ decompiling the code. I'm sure there are better explanations in the main thread, but here's a rough rundown on how the breach worked.

  1. Thanks to a security hole in imgur involving MIME magic, the hacker can inject JS. (Basically, thanks to imgur's code that lets you link to GIF's as PNG's, your browser renders an invisible HTML file containing your image and some invisible JS without telling you)

  2. The JS loads an iframe from 8chan, acting as part of a ddos. The iframe contains a Flash file. Flash can create and modify local storage for 8Chan, even if you've never visited it. It then flags the rest of the malicious file as a "favorite". (Because the hacker was a chan lurker, the file also contained easter eggs like dancing pokémon and a private key containing the string imsorrybrennan)

  3. The JS then causes your browser to ping 8Chan. 8Chan loads the content of your "favorites" on the page, no sanitization at all.

  4. This lets a div containing a script tag finish executing the JS.

  5. The JS then pings 8ch.pw, the hacker's domain, (not 8Chan) which can serve it any JS payload it wants.

  6. The JS then lies dormant in your local storage until it receives a go code, or a self destruct code that causes it to be replaced with another payload from 8ch.pw.

6A. The sheer amount of traffic this generated for 8Chan's servers also acts as a DDoS, just as a bonus!

It goes without saying that you NEED to clear your local storage if you've been on imgur. Open your browser console (while on imgur, thanks, /u/powerpiglet!) and enter localStorage.clear(). (EDIT: this may not work for some reason, see /u/lucben999's comment for a fix.) Since imgur is safe now, you should be OK. Until you do, attackers could be using your computer to:

  • Transmit your passwords to attackers

  • Become a piece of a giant DDoS

  • Constantly load ads that pay attackers

  • Request edgelord-tier child pornography from a honeypot without your knowledge

If you have any questions about the specifics of the attack, please ask me! I love netsec and this breach is like a great white whale.

Link to post
Share on other sites

So I just wanted to ask a question of clarification concerning this breach. From what I'm understanding it used a javascript exploit to accomplish this. Is this something that Malwarebytes Anti-Exploit would have blocked? And if so, if we never received a message that an exploit had been stopped we should be safe?

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.