I personally think it is hilarious that Poast got pwned.
SuperDicq (superdicq@minidisc.tokyo)'s status on Saturday, 27-May-2023 22:35:59 JST
Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 22:35:53 JST
@charlie_root @dcc @SuperDicq My man. The attacker set up a fake server disguising itself as a nostr bridge. It has nothing to do with the actual nostr bridge.
¢нαяℓιє яσσт (charlie_root@annihilation.social)'s status on Saturday, 27-May-2023 22:35:54 JST
@dcc @SuperDicq
I still don't know if I trust that nostr bridge :dude_think:
¢нαяℓιє яσσт (charlie_root@annihilation.social)'s status on Saturday, 27-May-2023 22:35:55 JST
@dcc @SuperDicq
"On May 19, 2023 an unknown user registered the domain name fedirelay.xyz and set up a fake mostr (nostr) relay to listen for requests on the fediverse.
On May 20, 2023 at 20:52 (UTC) a user uploaded the attached document to poast. It was originally an obfuscated JavaScript file (unobfuscated and attached here, renamed to .txt so you can view it in any editor).
What this JavaScript file does is take the viewer's OAuth token, encode it to make it look like a nostr pubkey and then force the clandestine mostr relay to look up that user locally, giving that server the encoded token, all while appearing to be a legitimate mostr (nostr) bridge.
I have taken steps to completely limit access to the admin API and corrected any CSP or other issues that could possibly have contributed to this; however, most of you (instance owners) are still vulnerable to it. The default Pleroma install serves media files on your root domain as a local folder (i.e. yourdomain.xyz/media) and the default CSP for any site is to allow executing scripts via the root domain. In order to prevent this you should take steps to either move your media from yourdomain.xyz/media to media.yourdomain.xyz (or any subdomain outside of your root domain) or perhaps limit the CSP for that subdirectory via nginx configuration.
If you are an instance owner, the obfuscated file hash is `b2977f2d97f598d2ebd6dcf37afd9047b5da2b6dc95a7b2824fb111c906fb117`, so you can search yourdomain.xyz/media/b2977f2d97f598d2ebd6dcf37afd9047b5da2b6dc95a7b2824fb111c906fb117.js and see if you have it on your server.
No user password or anything beyond email:user and your chats and media associated with them have been archived, and everybody's tokens were dropped, forcing you all to relog on your accounts. This is to ensure that if any of you had tokens exposed by viewing this JavaScript, they are no longer functional on poast.
Sorry to anybody I let down, but I could never have foreseen this level of sophistication and I would not have ever expected it. Now that we are aware of it, we will be more diligent in the future. Thanks for being here with us still, friends."
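The quoted explanation tells instance owners to look for the dropper at yourdomain.xyz/media/<hash>.js. The script below is an added example, not code from the thread or from Pleroma: it checks the upload directory on disk rather than over HTTP, so it also finds a copy stored under another name. It assumes the default local uploader (uploads kept in a directory such as `uploads/` under the instance root) and the default Dedupe upload filter, which names each stored file after the SHA-256 of its content; that naming is what makes the `/media/<hash>.js` path in the quote checkable at all. The directory path, the finding labels and the sample files in the test are all constructed for this example.

```shell
#!/bin/sh
# Added example (not the thread's or Pleroma's own code): scan a Pleroma
# upload directory for the JavaScript dropper described in the thread.
# Assumption: uploads live on local disk and, with the default Dedupe
# filter, are named <sha256-of-content>.<ext>. Hash taken from the thread.

IOC_SHA256="b2977f2d97f598d2ebd6dcf37afd9047b5da2b6dc95a7b2824fb111c906fb117"

# sha256_of FILE: print the hex SHA-256 of FILE. Uses sha256sum when
# available and falls back to openssl so the script runs on BSD/macOS too.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# scan_uploads DIR: print one finding per line, tagged as
#   IOC-CONTENT  file whose content hashes to the IOC (any name, any extension)
#   IOC-NAME     file carrying the IOC name but different content (stale/partial copy)
#   SCRIPT       any other .js/.mjs/.html upload; served from the site origin,
#                so it runs under a CSP that allows script-src 'self'
# Returns 2 if DIR does not exist, 0 otherwise (use ioc_present for a verdict).
scan_uploads() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" -type f | while IFS= read -r f; do
        if [ "$(sha256_of "$f")" = "$IOC_SHA256" ]; then
            echo "IOC-CONTENT $f"
        else
            case "$f" in
                */"$IOC_SHA256".js)      echo "IOC-NAME $f" ;;
                *.js|*.mjs|*.html|*.htm) echo "SCRIPT $f" ;;
            esac
        fi
    done
}

# ioc_present DIR: exit status 0 when the IOC is on disk (by content or by
# name), 1 otherwise. Suitable for cron or a monitoring check.
ioc_present() {
    scan_uploads "$1" | grep -q '^IOC-'
}

# Command-line use: ./scan.sh /path/to/pleroma/uploads
if [ $# -gt 0 ]; then
    scan_uploads "$1"
    if ioc_present "$1"; then echo "IOC FOUND"; else echo "IOC not found"; fi
fi
```

Finding the file is only detection; the fix is the one graf describes: serve uploads from a separate host, or give the media path its own restrictive policy in nginx (for example `add_header Content-Security-Policy "default-src 'none'; sandbox";` inside `location /media/`). One caveat for the nginx route: `add_header` in a `location` block replaces, rather than extends, the headers inherited from the enclosing `server` block, so any other headers set globally must be repeated there.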
✙ dcc :pedomustdie: :phear_slackware: (dcc@annihilation.social)'s status on Saturday, 27-May-2023 22:35:55 JST
@charlie_root @SuperDicq Yes I saw, it was shown that local media is fine. It's rather that the media proxy stuff does not have the correct CSP headers.
✙ dcc :pedomustdie: :phear_slackware: (dcc@annihilation.social)'s status on Saturday, 27-May-2023 22:35:56 JST
@charlie_root @SuperDicq More likely he clicked a link than a nostr bridge being used, lol.
✙ dcc :pedomustdie: :phear_slackware: (dcc@annihilation.social)'s status on Saturday, 27-May-2023 22:35:57 JST
@charlie_root @SuperDicq Well, yes and no; the main issue is the media proxy not having the correct CSP on it.
¢нαяℓιє яσσт (charlie_root@annihilation.social)'s status on Saturday, 27-May-2023 22:35:57 JST
@dcc @SuperDicq
> well yes and no
That was the tl;dr version of graf's explanation of what happened. The attacker(s) utilized the nostr bridge.
¢нαяℓιє яσσт (charlie_root@annihilation.social)'s status on Saturday, 27-May-2023 22:35:58 JST
@SuperDicq
The attack was sophisticated and it utilized the nostr bridge. I think it's better in the long run because they found a hole in pleroma/akkoma/rebased that's getting fixed now.
Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 23:06:12 JST
@colinsmatt11 @charlie_root @dcc @SuperDicq
> hashes are not humans
What do you think DNA is?
MattZ (colinsmatt11@gleasonator.com)'s status on Saturday, 27-May-2023 23:06:13 JST
@alex @charlie_root @dcc @SuperDicq The fake molester bridge was used because anyone would suspect encoded data as a username lookup whenever they check the network logs.
Fortunately for them, the molester bridge usernames are like that, so nobody would suspect that.
As I have stated before, hashes are not humans and they shouldn't be treated as such.
I know that they cannot be changed because bridges take the worst parts of both things to make it functional.