on may 19, 2023 an unknown user registered the domain name fedirelay.xyz and set up a fake mostr (nostr) relay to listen for requests on the fediverse.
on may 20, 2023 at 20:52 (utc) a user uploaded the attached document to poast. it was originally an obfuscated javascript file (i unobfuscated it and attached it here, renamed to .txt so you can view it in any editor).
what this javascript file does is take the viewer's oauth token, encode it to make it look like a nostr pubkey and then force the clandestine mostr relay to look up that user locally, giving that server the encoded token all while appearing to be a legitimate mostr (nostr) bridge.
i have taken steps to completely limit access to the admin api and corrected any CSP or other issues that could possibly have contributed to this, however most of you are still vulnerable to it. the default pleroma install serves media files on your root domain as a local folder (i.e. yourdomain.xyz/media) and the default CSP for any site is to allow executing scripts via the root domain. in order to prevent this you should take steps to either move your media from yourdomain.xyz/media to media.yourdomain.xyz (or any subdomain outside of your root domain) or perhaps by limiting the CSP for that subdirectory via nginx configuration.
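The two mitigations above (media on a subdomain outside the root origin, or a CSP on the media path that forbids script execution) can be checked mechanically. The following is an added example, not code from the post or from Pleroma: it takes a site URL, a media URL and the response headers the media server returns, and reports which of the conditions that let an uploaded HTML/SVG file run in the site's origin are still present. The hostnames, file names and header sets are constructed for the example; in practice you would feed it the headers from a real request to one of your own attachments.

```python
"""Assess whether user-uploaded media could run script in a site's origin.

Added example (not from the thread, not Pleroma code). It checks the
mitigations the thread names: media served from a host other than the site
itself, and a Content-Security-Policy on media responses that denies script
execution; X-Content-Type-Options: nosniff is checked as defence in depth
so a browser cannot sniff an upload into an HTML document.

The nginx equivalent of the CSP check, as an illustration, would be a
location block for the media path carrying
    add_header Content-Security-Policy "default-src 'none'; sandbox" always;
"""
from urllib.parse import urlsplit


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def csp_blocks_script(header):
    """True if the policy denies all script execution on the response.

    A 'sandbox' directive without allow-scripts disables scripts outright;
    otherwise script-src (falling back to default-src) must be exactly 'none'.
    """
    if not header:
        return False
    policy = parse_csp(header)
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return True
    sources = policy.get("script-src", policy.get("default-src"))
    return sources == ["'none'"]


def assess_media_serving(site_url, media_url, headers):
    """Return a list of findings for how media_url is served relative to site_url.

    headers: dict of response header name -> value. An empty list means none
    of the checks fired.
    """
    findings = []
    site_host = urlsplit(site_url).hostname
    media_host = urlsplit(media_url).hostname
    hdr = {k.lower(): v for k, v in headers.items()}

    if site_host == media_host:
        findings.append("media is served from the site's own origin: an HTML or SVG "
                        "upload that renders gets the site's cookies and localStorage")
    if not csp_blocks_script(hdr.get("content-security-policy", "")):
        findings.append("no CSP on media responses that forbids script execution")
    if hdr.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff on media responses")
    return findings


# Constructed samples: a default-style install with media under the root
# domain and no media CSP, and a hardened one on a separate subdomain.
DEFAULT_INSTALL = (
    "https://example.social",
    "https://example.social/media/upload.svg",
    {"Content-Type": "image/svg+xml"},
)
HARDENED_INSTALL = (
    "https://example.social",
    "https://media.example.social/upload.svg",
    {"Content-Type": "image/svg+xml",
     "Content-Security-Policy": "default-src 'none'; sandbox",
     "X-Content-Type-Options": "nosniff"},
)

if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_INSTALL), ("hardened", HARDENED_INSTALL)):
        print(label, assess_media_serving(*sample) or ["no findings"])
```

Moving media to a subdomain is the stronger of the two fixes because it also covers the media proxy and any future path under the root domain; the CSP check only protects the paths the header is actually applied to, so apply it with `always` so error responses are covered too.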
sorry to anybody i let down but i could never have foreseen this level of sophistication and i would not have ever expected it. now that we are aware of it, we will be more diligent in the future. thanks for still being here with us, friends
@DK_Dharmaraj@graf >could never have foreseen this level of sophistication Beat me to it. Literally reads like a private corporation, probably state affiliated (pick of the liter with these seething kikes), has a bone to pick with Poast and other instances. There's also a fairly good chance that this was just a scare tactic.
They want to drive users away from platforms like this for obvious reasons, to where I don't know because I cannot imagine anyone here going to twitter or some other curated, algorithmically policed platform.
Whoever it was they were probably very skilled and either paid to do it or have money behind them to begin with. I have no reason to leave and really see no good reason to leave.
Taking a page from what Count Dankula had to say on matters like this and something I've long believed. I don't care how secure or safe that you think you or the platform or the methods you use are, you are being watched. If (((they))) want to keep tabs on you they can and will and there's nothing that can be done to prevent it short of pulling the plug on the internet. Always assume that EVERYTHING you do on the internet is being monitored.
Anyway. This whole matter stinks to high hell and to TL;DR: you're right. It stinks like, and I hate to fucking say it, a glownigger.
@Eiswald@DK_Dharmaraj@graf What a fucking night to decide to come back to Fedi. I'm going back to painting the house for a week until people get over the fact that @Humpleupagus and I were always dming dick pics to each other
@parker@parker I don't know if this is relevant to the instance, but I saw this and figured I might ping you to save some potential effort, just in case.
@SpaceElf@parker@graf I checked, we don't have the offending JavaScript on file, so we're good. I will also update the CSP so as to block execution of scripts from the media directory.
@graf that's a crazy attack, can you tell me more about how that mostr relay plays into this? I know that you can upload pretty much any file, but how did the attacker get it to execute in the context of the website?
@lain@graf >how that mostr relay plays into this It's just a dud. OAuth tokens get presented as those long-ass usernames, the script does the account lookup query on the local instance, and then the local instance tries to fetch the account with that username from a remote one, which then logs the tokens.
@lain@graf Looks like there was a bit of social engineering involved. My first guess was, since poast runs Soapbox as default frontend and serves Pleroma-FE separately, the subdomain FE is on (pl.poa.st) might not have applied CSP rules, essentially giving all control over the local storage to the opened HTML with embedded JS. But that falls flat in his setup, since media is hosted on a separate domain (poastcdn.org) which should have those rules applied regardless. [attachment: Screenshot_20230526_093439.png]
@lain we had a user approach us claiming an image wouldn't load on pleroma FE but would load fine on soapbox, screenshot had a seemingly empty post so I/we went to check it out. loaded fine so I didn't think anything of it but I think it might have been embedded tags in svg or similar. I'm currently restoring our database backup from that night before he nuked his account so I can get a better picture and will have more details this weekend. feelsshittyman
@Goobly@lain I don't know which token was taken yet. I dropped all tokens from our database immediately after noticing so that's another reason I'm restoring the database to a testing environment. a couple of us are going to dig through it and get a complete picture to report it.
CSP absolutely would prevent it. I'm not sure how PleromaFE is related, but I've seen that code, the only thing that could have stopped it is CSP or hosting attachments (including proxied ones) on a different domain.
@graf Thanks for the writeup. Can you explain how the (obfuscated) js was run? I get that CSP won't prevent it, but how does a piece of user uploaded content get executed to begin with?
@p@graf@animeirl there's a bug with oembeds not being properly stripped of their tags and pleroma-fe just displayed it, if soapbox puts them in an iframe that would indeed make soapbox safe from this. there is a second exploit that is frontend independent, but it's much more involved and you have to open the attachment in a new tab
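The oEmbed bug described in the reply above is a case of third-party HTML reaching the frontend with its tags intact. The usual fix on the backend is an allowlist sanitiser that rebuilds the fragment from scratch, keeping only known-safe tags and attributes, rather than trying to strip known-bad ones. The block below is an added example written for this thread, not Pleroma's or Soapbox's sanitiser; the tag and attribute allowlists are illustrative choices and the sample fragment is constructed.

```python
"""Allowlist sanitiser for third-party rich-media (oEmbed-style) HTML.

Added example, not Pleroma code. The parser rebuilds the fragment keeping
only allowlisted tags and attributes, so <script>, inline event handlers,
iframes and javascript: URLs never reach the frontend as renderable markup.
Tag/attribute lists are illustrative; tighten them to what your UI needs.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "img", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}
# Elements whose text content is dropped as well as the tags themselves.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object"}


def safe_url(value):
    """Accept http(s) and scheme-relative/relative URLs; reject javascript:, data:, etc."""
    v = value.strip().lower()
    if ":" not in v.split("/", 1)[0]:  # no scheme before the first slash
        return True
    return v.startswith("http://") or v.startswith("https://")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document, emitting only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Drop any on* handler and anything not allowlisted for this tag.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped on output


def sanitize(fragment):
    """Return the allowlisted rendering of an untrusted HTML fragment."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


# Constructed sample of what a hostile oEmbed provider might return.
SAMPLE = (
    '<p>Hi <b onclick="x()">there</b><script>steal()</script>'
    '<a href="javascript:alert(1)">x</a><a href="https://example.org">ok</a>'
    '<img src="https://example.org/a.png" alt="a">'
    '<iframe src="https://embed.example/"></iframe></p>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Serialising the fragment yourself, instead of editing the original string, is what makes this robust: malformed or nested markup that a regex-based stripper would miss is simply never emitted.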
@animeirl@graf It's FE-independent as far as I can tell. Gleason seems to think there's PleromaFE involvement, I don't know what the deal is there (he was Iron Dome'd during the spamwave last week, so he can't tag me; solved the spam issue from FSE's end) but I don't see how it's possible. You have to allow an HTML attachment to load the script: unless a FE loads the HTML to do a preview, FE isn't involved.
@animeirl@p@graf that one is solved by the patches in pleroma, the CSP nginx snippet and moving media and proxy to a subdomain, any one of these fixes will solve it.
You should try asking Sui where the minecraft mod came from, because the same tool was used to dump the Poast chats as the Chudbuds one, and that thread on alogs had pictures of graf/Gleason/etc., then that guy ran around fedi saying Poast was next.
@EdBoatConnoisseur@DK_Dharmaraj@graf >i would put my bucks on the actual attacker having been a fediverse admin who has beef to pick with graf and friends Also very possible.
2 i doubt it was a glownigger itself, i would put my bucks on the actual attacker having been a fediverse admin who has beef to pick with graf and friends who simply took the opportunity to be a gun for hire and recieve remuneration to pull this one off. you know if you are good at something you don’t do it for free and all that.