Not a bug Possible vulnerability?

manicomio

Active member
Affected version
2.2
There's a site that has been in the news lately called Kiwi Farms that allegedly uses Xenforo. It appears that site got hacked by vigilantes through a Xenforo vulnerability according to the news report. Here's an excerpt:

Moon said that the unknown individual or individuals behind the hack gained access to his admin account by using a technique known as session hijacking, in which an attacker obtains the authentication cookies a site sets after an account holder enters valid credentials and successfully completes any two-factor authentication requirements. The session hijacking was made possible after uploading malicious content to XenForo, a site Kiwi Farms uses to power its user forums.


“A bad actor was able to upload a webpage disguised as an audio file to XenForo,” Moon wrote. “Elsewhere, he was able to load this webpage (probably as an inline frame), causing random users to make automated requests and send their authentication cookies off-site, so that the attacker could use it to gain access to their account. My admin account was compromised through this mechanism.”

Full article:

 
Unless they were using a nulled license, they have been unable to get updates for at least a year as XF revoked their license.

Unless this is an unreported exploit, it was likely already fixed in a prior patch.
 
The file uploaded to XenForo ends in .opus, an extension that’s used by certain audio formats. It was uploaded to XenForo directly and injected by a custom Rust-based chat program Moon wrote to make Kiwi Farms chats interact with sessions from XenForo.

The actual vulnerability comes from a custom chat implementation which blindly included content into the site.

It used the attachment system, but the chat system included arbitrary user data as first party content. Which is a big 'no' for security.
 
“XenForo removed us from their license a year ago and their software is no longer sufficient for our needs,” he wrote. “We needed something custom, but my confidence in my work has been shot. The sophistication in this attack is very high, and shows an intimate familiarity with both Rust and XenForo. It is unfortunate that they have applied themselves to this end, likely for pay. There are so many more people trying to destroy than create.”

"Sophistication of the attack is high" 🤣.
 
There are so many more people trying to destroy than create.
The irony, it burns. The creepy clientele of his site completely destroyed the life of a trans activist in my community. The loss of Kiwi Farms is being cheered, not mourned, around here.
 
The actual vulnerability comes from a custom chat implementation which blindly included content into the site.

It used the attachment system, but the chat system included arbitrary user data as first party content. Which is a big 'no' for security.
Thanks for clearing that up!
 
It's unfortunate when ANY community gets attacked, personally I hate seeing content destroyed.

My advice to the owner of the site is just pay for a licence, stay up to date with security and you won't have these problems. If you put a little donate button on your site the members will usually help you recoup the costs.

Anyways, good luck to the owner of the board, make the right decision, it always pays off in the end.
 
It's unfortunate when ANY community gets attacked, personally I hate seeing content destroyed.

My advice to the owner of the site is just pay for a licence, stay up to date with security and you won't have these problems. If you put a little donate button on your site the members will usually help you recoup the costs.

Anyways, good luck to the owner of the board, make the right decision, it always pays off in the end.
You may want to read the news regarding this particular site.
 
Anyways, good luck to the owner of the board, make the right decision, it always pays off in the end.
The right decision is to ban members who use the site to dox and otherwise harass people and to permanently delete personal information of those who are being targeted. If a site is allowing that, I am quite content with seeing that site destroyed in any way possible, preferably through legal channels.
 
You may want to read the news regarding this particular site.

I just read the Wikipedia page, does not sound like a site I would even remotely want to be associated with.

The right decision is to ban members who use the site to dox and otherwise harass people and to permanently delete personal information of those who are being targeted. If a site is allowing that, I am quite content with seeing that site destroyed in any way possible, preferably through legal channels.

I can understand free speech but there is a time when things cross the line and the admin has to make the right decisions for the good of the community.

However if the admin is part of the problem then the community has no future.
 
Top Bottom