Not a bug Possible vulnerability?

manicomio · Sep 20, 2022

There's a site that has been in the news lately called Kiwi Farms that allegedly uses Xenforo. It appears that site got hacked by vigilantes through a Xenforo vulnerability according to the news report. Here's an excerpt:

Moon said that the unknown individual or individuals behind the hack gained access to his admin account by using a technique known as session hijacking, in which an attacker obtains the authentication cookies a site sets after an account holder enters valid credentials and successfully completes any two-factor authentication requirements. The session hijacking was made possible after uploading malicious content to XenForo, a site Kiwi Farms uses to power its user forums.

“A bad actor was able to upload a webpage disguised as an audio file to XenForo,” Moon wrote. “Elsewhere, he was able to load this webpage (probably as an inline frame), causing random users to make automated requests and send their authentication cookies off-site, so that the attacker could use it to gain access to their account. My admin account was compromised through this mechanism.”

Full article:

Kiwi Farms has been breached; assume passwords and emails have been leaked

Harassment site is down for now after hacker gains access to admin account.

arstechnica.com

Forsaken · Sep 20, 2022

Unless they were using a nulled license, they have been unable to get updates for at least a year as XF revoked their license.

Unless this is an unreported exploit, it was likely already fixed in a prior patch.

Forsaken · Sep 20, 2022

Here is the thread discussing the revoked license: https://xenforo.com/community/threa...ring-all-xf-forums-for-hosted-content.200847/

Xon · Sep 20, 2022

The file uploaded to XenForo ends in .opus, an extension that’s used by certain audio formats. It was uploaded to XenForo directly and injected by a custom Rust-based chat program Moon wrote to make Kiwi Farms chats interact with sessions from XenForo.

The actual vulnerability comes from a custom chat implementation which blindly included content into the site.

It used the attachment system, but the chat system included arbitrary user data as first party content. Which is a big 'no' for security.

Forsaken · Sep 20, 2022

“XenForo removed us from their license a year ago and their software is no longer sufficient for our needs,” he wrote. “We needed something custom, but my confidence in my work has been shot. The sophistication in this attack is very high, and shows an intimate familiarity with both Rust and XenForo. It is unfortunate that they have applied themselves to this end, likely for pay. There are so many more people trying to destroy than create.”

"Sophistication of the attack is high"

.

Mendalla · Sep 20, 2022

There are so many more people trying to destroy than create.

The irony, it burns. The creepy clientele of his site completely destroyed the life of a trans activist in my community. The loss of Kiwi Farms is being cheered, not mourned, around here.

manicomio · Sep 20, 2022

Xon said:
The actual vulnerability comes from a custom chat implementation which blindly included content into the site.

It used the attachment system, but the chat system included arbitrary user data as first party content. Which is a big 'no' for security.

Thanks for clearing that up!

MapleOne · Sep 21, 2022

It's unfortunate when ANY community gets attacked, personally I hate seeing content destroyed.

My advice to the owner of the site is just pay for a licence, stay up to date with security and you won't have these problems. If you put a little donate button on your site the members will usually help you recoup the costs.

Anyways, good luck to the owner of the board, make the right decision, it always pays off in the end.

Paul B · Sep 21, 2022

MapleOne said:
It's unfortunate when ANY community gets attacked, personally I hate seeing content destroyed.

My advice to the owner of the site is just pay for a licence, stay up to date with security and you won't have these problems. If you put a little donate button on your site the members will usually help you recoup the costs.

Anyways, good luck to the owner of the board, make the right decision, it always pays off in the end.

You may want to read the news regarding this particular site.

Mendalla · Sep 21, 2022

MapleOne said:
Anyways, good luck to the owner of the board, make the right decision, it always pays off in the end.

The right decision is to ban members who use the site to dox and otherwise harass people and to permanently delete personal information of those who are being targeted. If a site is allowing that, I am quite content with seeing that site destroyed in any way possible, preferably through legal channels.

MapleOne · Sep 21, 2022

Brogan said:
You may want to read the news regarding this particular site.

I just read the Wikipedia page, does not sound like a site I would even remotely want to be associated with.

Mendalla said:
The right decision is to ban members who use the site to dox and otherwise harass people and to permanently delete personal information of those who are being targeted. If a site is allowing that, I am quite content with seeing that site destroyed in any way possible, preferably through legal channels.

I can understand free speech but there is a time when things cross the line and the admin has to make the right decisions for the good of the community.

However if the admin is part of the problem then the community has no future.

Not a bug Possible vulnerability?

manicomio

Active member

Kiwi Farms has been breached; assume passwords and emails have been leaked

Forsaken

Well-known member

Forsaken

Well-known member

Xon

Well-known member

Forsaken

Well-known member

Mendalla

Well-known member

manicomio

Active member

MapleOne

Well-known member

Paul B

XenForo moderator

Mendalla

Well-known member

MapleOne

Well-known member

Similar threads

We value your privacy