Imgur Hacked to DDoS 4Chan and 8Chan

Imgur, the massive photo-sharing community best known for images of adorable animals and hilarious GIFs, has been exploited in a bizarre distributed denial-of-service (DDoS) attack that knocked 4Chan and 8Chan offline.

The DDoS attack was first spotted by a Reddit user posting in the /r/4Chan subreddit, who created an image showing how Imgur links were sending massive amounts of traffic to 4Chan and 8Chan. The user explained that whenever someone clicked on an Imgur link within the 4Chan subreddit, the link opened a hidden window that users could not see and loaded hundreds of image requests to media stored on 4Chan and 8Chan servers. The mass of traffic slowed 4Chan and 8Chan to a crawl, even knocking them offline for several hours.

When the image was first opened, underlying JavaScript would open two iframes positioned 900 pixels off the monitor, so they remained undetected by the end user. This would spawn additional requests to load another 500 images found on the 4Chan and 8Chan servers, causing both of them to go down.

[Image: the original image a Reddit user created to illustrate the attack]

Speculation arose that an Imgur employee may have deliberately injected the malicious code into the image host, but most comments on the thread suggest the attack was the result of an external breach. However, neither theory is true, according to Imgur.

In the Reddit post, an Imgur employee commenting on the attack said that while Imgur itself wasn’t hacked, the company did discover a vulnerability that the attacker was able to exploit to inject malicious code.

“Someone managed to upload an HTML file with malicious JavaScript inside of it that targeted 8chan,” Mr. Grim, an Imgur employee, said in a Reddit comment. “We patched this bug and it’s no longer possible to upload those files. We’re also not [serving] those bad files anymore.”
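The class of bug described here, an image host accepting and serving an HTML file, is usually closed by checking uploads against image magic numbers and serving stored files with headers that stop a browser rendering them as a document. The sketch below is an added example, not Imgur's code or its actual fix; the function names, sample inputs and header policy are assumptions made for illustration.

```python
# Added example (not Imgur's code): validate uploads by content, not by name or declared type.
IMAGE_SIGNATURES = {  # standard magic numbers for each format
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Tags a content-sniffing browser may treat as the start of an HTML document.
HTML_MARKERS = (b"<!doctype", b"<html", b"<head", b"<body", b"<script", b"<iframe")

# Constructed sample inputs (hypothetical, for the demonstration only).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(16)
HTML_SAMPLE = b"<html><body><script>/* constructed */</script></body></html>"
POLYGLOT_SAMPLE = b"GIF89a" + b"<script>/* constructed */</script>"


def sniff_image_type(data):
    """Return the MIME type whose magic number matches the first bytes, else None."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if data.startswith(signatures):
            return mime
    return None


def validate_upload(data, declared_type):
    """Return (accepted, detail); the client-declared type is only cross-checked."""
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content is not a recognised image format"
    if actual != declared_type:
        return False, f"declared {declared_type} but content is {actual}"
    # Conservative heuristic: reject image headers followed by markup (polyglot files).
    if any(marker in data[:1024].lower() for marker in HTML_MARKERS):
        return False, "markup found inside image data"
    return True, actual


def response_headers(mime):
    """Headers for serving a stored upload so it is never rendered as a page."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",  # browser must not guess text/html
        "Content-Security-Policy": "default-src 'none'; sandbox",  # no scripts or frames
    }


if __name__ == "__main__":
    for name, blob in [("png", PNG_SAMPLE), ("html", HTML_SAMPLE), ("polyglot", POLYGLOT_SAMPLE)]:
        print(name, validate_upload(blob, "image/png" if name != "polyglot" else "image/gif"))
```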

According to an official Imgur blog post published Tuesday, the vulnerability has been patched, but as a precaution the company advised users to clear their browsing data, cookies and localStorage if they visited the site during the time in which it was affected.

