
4chan Intrusion Postmortem - killwhitey
http://blog.4chan.org/post/84289353232/concerning-a-recent-intrusion
======
rodgerd
I find myself wondering who in their right mind pokes 4chan with a stick. It
is not an angry mob I would care to have ambling in my general direction.

~~~
linuxydave
I think that the userbase is rather fickle and it depends on who you piss off.
Each board has its own culture so, for example, if you piss off /b/ then you
might get an angry mob that gives you grief but I doubt that would happen if
you pissed off /g/ or /tg/.

~~~
meowface
In this case the user who gained access to the database was seen as doing it
for a reasonably "noble" reason, relatively speaking (to find information
about another user whom some disliked), so from what I can see there hasn't
been much backlash against him even though his full name was posted in a few
places. It was kind of a self-hack.

~~~
nilved
Please don't misconstrue the person's intentions as noble, or even put that
word in the same paragraph as 4chan. It was misogynistic, sexist harassment.

~~~
meowface
I did say "relatively speaking." I wasn't making a judgment as to whether it
was moral or immoral, just that 4chan as a whole mostly saw it as reasonable,
which is why most of them found the intrusion humorous instead of an affront.

This is in stark contrast to when UG Nazi hacked 4chan a while ago by
hijacking Cloudflare's CEO's Gmail and pointing 4chan.org's A record at their
own server.

------
drum
Moot mentions refunds for targeted users. I was unaware 4chan offered
something purchasable. Anybody know what he's referring to?

~~~
grrowl
4chan Pass, which enables you to bypass the annoying CAPTCHA (and is a kind of
CAPTCHA in itself, since a computer can't own a credit card); much like Reddit
Gold

~~~
jfoster
Is a credit card like a captcha? Computers may not be able to own credit
cards, but they can use cards owned by someone else.

~~~
blueskin_
Most of the spam on 4chan isn't serious enough to be worth using fraudulent
cards.

------
Igglyboo
Wow, now that is a response. Full disclosure of what happened and a nice
payout to victims who weren't even harmed that much.

------
tobyjsullivan
This makes an excellent testimonial for Stripe. Consider the ROI just
realised.

~~~
linuxydave
4chan gets a lot of traffic and is well-known, so I think anything they use
gets a boost in popularity :)

~~~
moot
Eh, Stripe has way larger/more high profile customers than us, but yes we've
been very happy with them.

~~~
linuxydave
While that is true I think you might have more impact than you realise :)

------
vex
Way to not give any details about the vulnerability...

~~~
hayksaakian
chippy1337's comment is marked as dead, but here it is for posterity:

Rumor is it was an SQL Injection in the "days" parameter of the stats system.
Details here -> [http://pastebin.com/Fq96ndB6](http://pastebin.com/Fq96ndB6)
-----
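
The mechanism the rumour describes, a numeric "days" parameter pasted straight into a query, is worth seeing next to its fix. The code below is an added illustration, not 4chan's code and not the actual vulnerability (which moot says was outside the main application); the table names, column names and the `stats_vulnerable` / `stats_safe` functions are hypothetical, the data is constructed, and it uses Python's sqlite3 in place of whatever database the stats system used. The point is general: an integer parameter interpolated into SQL gives the attacker the rest of the query, while type validation plus parameter binding leaves nothing to inject into.

```python
import sqlite3


def build_db():
    """Constructed sample database: a stats table plus an unrelated users
    table, standing in for data that sits next to a stats endpoint."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE stats (day INTEGER, posts INTEGER)")
    cur.executemany("INSERT INTO stats VALUES (?, ?)",
                    [(1, 100), (2, 150), (3, 120)])
    cur.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    cur.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice@example.com", "hash1"),
                     ("bob@example.com", "hash2")])
    conn.commit()
    return conn


def stats_vulnerable(conn, days):
    """Hypothetical vulnerable handler: the raw ?days= value is formatted
    into the SQL text, so anything after the number becomes part of the
    query. (sqlite3.execute runs one statement only, so stacked queries
    such as '; DROP TABLE' fail here; UNION-based extraction still works.)"""
    sql = f"SELECT day, posts FROM stats WHERE day <= {days}"
    return conn.execute(sql).fetchall()


def stats_safe(conn, days):
    """Hardened version: coerce to int, bounds-check, then bind the value
    as a parameter so the database never parses user input as SQL."""
    try:
        n = int(days)
    except (TypeError, ValueError):
        raise ValueError("days must be an integer")
    if not 0 < n <= 365:
        raise ValueError("days out of range")
    return conn.execute(
        "SELECT day, posts FROM stats WHERE day <= ? ORDER BY day", (n,)
    ).fetchall()


def demo():
    """Run the constructed injection against both handlers."""
    conn = build_db()
    # Constructed payload: closes off the numeric comparison and appends a
    # UNION that pulls two columns from the unrelated users table.
    payload = "0 UNION SELECT email, password_hash FROM users"
    leaked = stats_vulnerable(conn, payload)
    try:
        stats_safe(conn, payload)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("leaked via vulnerable handler:", leaked)
    print("safe handler rejected payload:", blocked)
```

The validation step is not a substitute for parameter binding: binding is what keeps data and query text separate, while the `int()` and range check merely reject garbage early and document what the parameter is supposed to be.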

~~~
meowface
Ah, chippy1337. Haven't seen that name in a while.

Is "he" the original?

------
voltagex_
Can't read it here, could someone post the text?

~~~
alloyed
I suspect a lot of people will be unable to read it if they use HTTPS
everywhere: the 4chan blog does not support https and the EFF is currently in
a ruleset freeze so they cannot reflect that until the next stable version is
out.

~~~
ZoF
Tumblr only recently added SSL support, which is likely the reason Moot hasn't
implemented it yet.

That said, I (unfortunately) doubt that HTTPS Everywhere is being utilized by
that many people.

~~~
hrrsn
That's only for the dashboard. Blogs are still cleartext. It's possible to do
SSL for *.tumblr.com domains but not (easily) for custom ones.

------
izietto
They should spend time to refactor their code, it's a mess:
[http://pastebin.com/a45dp3Q1](http://pastebin.com/a45dp3Q1)

With source like that it is much harder to do a security analysis, and it is
easier to create side effects leading to security holes.

~~~
moot
Per meowface's comment, this code is ~4 years old. It's in a much better place
now, but there's still a lot of room for improvement.

The vulnerability wasn't in the main application. I'll write more about it on
my personal blog in the coming days
([http://chrishateswriting.com](http://chrishateswriting.com)).

~~~
hsx
Have you ever thought about re-writing 4chan and making it open source? I
think a large portion of the community would be willing to contribute.

~~~
thrillgore
IIRC they had open source code called Futabally, but as time went on they
closed the sources to protect their interests. Projects like it exist, such as
Kusaba X.

