Stories
Slash Boxes
Comments

SoylentNews is people

posted by cmn32480 on Wednesday September 23 2015, @08:36AM   Printer-friendly
from the another-reason-to-turn-off-javascript dept.

From Venture Beat:

Hackers have somehow infiltrated cat-GIF-meme-photo-sharing site Imgur to direct overwhelming volumes of traffic at 4chan, the freewheeling-forum that hosts some of the Web's darker conversations.

Naturally, this problem was uncovered over at Reddit. "When an Imgur image is loaded from /r/4chan, imgur loads a bunch of images from 4chan's content delivery network or 8chan (unclear at this point, might be both), which causes a DDoS to those sites."

Reddit thread which originally reported it here. From another thread on reddit:

"This isn't a DDOS. It's targeting 8chan users and leaving javascript code in their local storage that causes their browsers ping back to a command and control server each time they hit an 8chan page. Thus far the C&C server hasn't sent out any commands (or stopped issuing commands before this was discovered). Over the evening whoever authored this has been updating and changing their code. It only effects very specific imgur images/pages. Why is not yet known."

Update: Newer articles.


Original Submission #1Original Submission #2

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Interesting) by TheLink on Wednesday September 23 2015, @09:48AM

    by TheLink (332) on Wednesday September 23 2015, @09:48AM (#240453) Journal

    Will CSP stop such attacks?
    https://developer.mozilla.org/en-US/docs/Web/Security/CSP [mozilla.org]

    I proposed something simpler much earlier: https://lists.w3.org/Archives/Public/www-html/2002May/0021.html [w3.org]

    Which if implemented might have prevented many of those worms (advogato, myspace, yahoo, etc).

    The W3C and browser developers don't seem interested in making Stop buttons, they prefer making more and more Go buttons.

    Many people like to say that its the responsibility of websites to make sure none of the Go buttons are pressed. Which is a silly and inefficient approach - especially since current websites can't defend against Go buttons that will appear in the future.
    And they also say "use a library", but will a library alone be sufficient when different browsers have different corner cases and exploitable problems? So yes use a library, but I think we still need more Stop buttons.

    • (Score: 0) by Anonymous Coward on Wednesday September 23 2015, @10:32AM

      by Anonymous Coward on Wednesday September 23 2015, @10:32AM (#240461)

      I think noscript stops a javascript based attack :)

      • (Score: 2, Insightful) by Anonymous Coward on Wednesday September 23 2015, @11:49AM

        by Anonymous Coward on Wednesday September 23 2015, @11:49AM (#240474)

        And also breaks 99% of the web that 99% of the population uses.

        • (Score: 2, Insightful) by Anonymous Coward on Wednesday September 23 2015, @11:51AM

          by Anonymous Coward on Wednesday September 23 2015, @11:51AM (#240475)

          Good. That 99% of the web is worthless anyway.

          • (Score: 2) by ticho on Wednesday September 23 2015, @12:13PM

            by ticho (89) on Wednesday September 23 2015, @12:13PM (#240479) Homepage Journal

            Sturgeon's Law in effect. :)

            • (Score: 3, Funny) by nitehawk214 on Wednesday September 23 2015, @02:29PM

              by nitehawk214 (1304) on Wednesday September 23 2015, @02:29PM (#240528)

              Sturgeon's Law is "90% of everything is crap", so this must be Sturgeon's Law adjusted for inflation.

              --
              "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
              • (Score: 2, Funny) by Anonymous Coward on Wednesday September 23 2015, @07:20PM

                by Anonymous Coward on Wednesday September 23 2015, @07:20PM (#240663)

                No, that's just math. 90% suck, 90% of the remaining 10% also, 90% of that 1% suck and so on...

                • (Score: 1) by nitehawk214 on Sunday September 27 2015, @01:50AM

                  by nitehawk214 (1304) on Sunday September 27 2015, @01:50AM (#242121)

                  Ahh, the compound interest of suck. Understandable.

                  --
                  "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
        • (Score: 1) by Myrddin Wyllt on Wednesday September 23 2015, @12:55PM

          by Myrddin Wyllt (5849) on Wednesday September 23 2015, @12:55PM (#240487)

          Yes, it was very silly of the NoScript authors not to provide a simple right-click menu option to allow all or part of a trusted website to run scripts on a permanent or temporary basis.

           

          • (Score: 3, Interesting) by number6 on Wednesday September 23 2015, @02:02PM

            by number6 (1831) on Wednesday September 23 2015, @02:02PM (#240519) Journal

            If you find 'NoScript' just too overreaching, 'YesScript' can be used instead....

            Description:

              YesScript is a simple Javascript blacklist which can be quickly toggled from an icon at the status bar. When you are at a web page and you toggle the YesScript icon, it will turn black and the parent domain will remain blacklisted until you toggle YesScript off.

              YesScript lets you make a blacklist of sites that aren't allowed to run JavaScript. Use YesScript on sites that annoy you or hog your system resources. One click to the icon in the status bar turns scripts on or off for the current site.

              Unlike NoScript, YesScript does absolutely nothing to improve your security. I believe that Firefox is secure enough by default and that blocking all scripts by default is paranoia. YesScript strives to remove hassles from your browsing experience, rather than add them.

            Download:

               YesScript at Firefox Addons [mozilla.org]

            • (Score: -1, Offtopic) by Anonymous Coward on Wednesday September 23 2015, @06:28PM

              by Anonymous Coward on Wednesday September 23 2015, @06:28PM (#240629)

              Offtopic.....

              • (Score: 3, Touché) by number6 on Wednesday September 23 2015, @06:51PM

                by number6 (1831) on Wednesday September 23 2015, @06:51PM (#240642) Journal

                Dear Cockbreath, If you want post as AC and click 'Reply' just to post one word... you can GO AND GET FUCKED !!!!

                I was 100% sincere in trying to post something which may be useful to not only the parent but anybody who may stumble upon this thread one day.
                AND, I stopped my life for 20 minutes to format all those words in that post and to preview multiple times before posting.

                But you already knew all that didn't you Cockbreath !!

            • (Score: 4, Informative) by maxwell demon on Wednesday September 23 2015, @08:13PM

              by maxwell demon (1608) on Wednesday September 23 2015, @08:13PM (#240693) Journal

              Note this:

              Unlike NoScript, YesScript does absolutely nothing to improve your security.

              Indeed, at the time you can blacklist the site, the exploit already happened.

              --
              The Tao of math: The numbers you can count are not the real numbers.
              • (Score: 2) by number6 on Wednesday September 23 2015, @08:40PM

                by number6 (1831) on Wednesday September 23 2015, @08:40PM (#240703) Journal

                Some websites have got annoying asshole JS running which pops up a messagebox forcing you to give it input otherwise it will not allow you to leave the page---YOU ARE LOCKED INTO THE PAGE !!
                If you try to close the page or tab, the messagebox appears and you MUST give it input---WHO KNOWS WHAT THE FUCK WILL START RUNNING IF YOU CLICK OK !!
                BUT... if you have 'YesScript' installed, you just click its icon and JS is instantly disabled on that page---you can easily close the page or tab now and move on outta there...and leave that site blacklisted !!

          • (Score: 2) by TheLink on Thursday September 24 2015, @04:18PM

            by TheLink (332) on Thursday September 24 2015, @04:18PM (#241010) Journal

            Doesn't really solve the big picture problem I mentioned. Most people that are using noscript want to run scripts on some websites (otherwise they would be disabling javascript completely on the browser).

            For example say you use noscript to disable JS globally but allow scripts on soylentnews.org.

            One day some wise guy manages to use unicode or some new stuff the W3C/browser bunch invent to bypass soylentnews's filters, and thus inject some JS into a post.

            And so any vulnerable browsers viewing that post/thread will run that JS.

            Whereas with my suggestion (or presumably Mozilla's CSP), SN could be enclosing/putting all 3rd party content within a block/frame where where JS and other naughtiness is not enabled. So even if the JS slips out the browser has already been told not to run any JS within that block/frame and so it won't no matter what (unless there's a browser bug where stuff isn't actually disabled- which will take a greater level of incompetence/sloppiness). And even if the W3C/Mozilla invent some new fancy way of getting pwned, it could be disabled by default within that block/frame (e.g. only basic HTML allowed).

        • (Score: 0) by Anonymous Coward on Wednesday September 23 2015, @02:47PM

          by Anonymous Coward on Wednesday September 23 2015, @02:47PM (#240532)

          99% of the population are idiots. You included.

          • (Score: 0) by Anonymous Coward on Thursday September 24 2015, @02:36AM

            by Anonymous Coward on Thursday September 24 2015, @02:36AM (#240810)

            99pct of the pop are happy feminists banned child marraige 100 years ago.

            >In the United States, as late as the 1880s most States set the minimum age at 10-12, (in Delaware it was 7 in 1895).[8] Inspired by the "Maiden Tribute" female reformers in the US initiated their own campaign[9] which petitioned legislators to raise the legal minimum age to at least 16, with the ultimate goal to raise the age to 18. The campaign was successful, with almost all states raising the minimum age to 16-18 years by 1920.

        • (Score: 3, Insightful) by Joe Desertrat on Wednesday September 23 2015, @06:05PM

          by Joe Desertrat (2454) on Wednesday September 23 2015, @06:05PM (#240616)

          And also breaks 99% of the web that 99% of the population uses.

          I find very little ever broken by NoScript, and I can't ever claim that for sure as it is just one layer of my protection. Sites may load a little less immediately and force more user interaction to do so, but they load.

  • (Score: 2, Funny) by nitehawk214 on Wednesday September 23 2015, @02:39PM

    by nitehawk214 (1304) on Wednesday September 23 2015, @02:39PM (#240529)

    I took a look at imgur's javascript code after seeing a post about this on imgur the other day. Odd that post got buried somewhere, I couldn't find it again today. Anyhow, the code is a standard javascript disaster, so much for touting themselves as the "Simple Image Sharer". I am not surprised that they did not know what their own code is doing.

    --
    "Don't you ever miss the days when you used to be nostalgic?" -Loiosh