Conversation
    pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Sunday, 28-May-2023 20:18:04 JST
    :hacker_f::hacker_s::hacker_e:
    :hackerman: And the Case of the Missing Auth Token :hackerman2:

    I'm late to this party and did not make any kind of writeup (aside from arguing in a thread) because I am on an impromptu trip to visit my grandfather in the hospital, whose kidneys seem to have shut down. But I should probably say a few things about this and how it relates to FSE. If you are unfamiliar, an admin token for graf was exfiltrated through a malicious embed. There has been a confirmed pair of bugs in Pleroma's embedding code for the "rich media" (Twitter cards, link previews) and a fix is on the way. There is also a mitigation: just disable rich media, and ensure you have proper CSP set up for both /media and the /proxy endpoint unless you have disabled media proxying. FSE was never vulnerable to this bug, which will be explained below.

    What was leaked were a large number of chats, and then media associated with them. The chats were called "DMs" in the alogs.space thread. The same thing happened to bae.st, probably an opportunistic token grab through the media proxy. The same code worked for both because of this line:

    > JSON.parse(localStorage.getItem('localforage/vuex-lz'));

    (I don't know how likely it is that this happens or is practical, but future problems could be mitigated by making instance-specific names for the key in the local storage.)

    Eventually, the script gets around to exfiltrating the token by sending it to mostr.fedirelay.xyz. The script appeared on Poast on the 20th (concurrent with the mass-spamming, which may or may not be a :whiterose: coincidence :phillippricerevenge:), and the dump hit alogs.space on the 25th. The naming conventions and the presentation of the dump make it look like, once the token was grabbed, the same tool that was used to extract the chudbuds.lol dump was used for this one. The chudbuds.lol vector was different (admin's desktop was compromised) and it was a much bigger breach; this was just the admin token for the web interface rather than login credentials for a shell on the server, etc. It may be worth noting that the chudbuds.lol thread mentioned graf/Gleason a few times near the top, and there have been some minor (very recent) attempts at a DDoS of poa.st and poast.tv. Timing for the chudbuds.lol leak seemed much tighter and better coordinated, but this was a little sloppier (a DDoS of Poast starting when the dump landed on alogs.space would have been an obvious thing to do as a distraction; they coordinated the chudbuds.lol dump with the beginning of one of the admin's Twitch streams, and tossed a couple of kids in to spam the chat).

    Since admins can see chats, they were able to extract all of the chats. It might have been possible to exfiltrate almost anything. Poast uses in-DB config, so compromising an admin's account means you can alter instance-blocks, etc.

    FSE is immune for a few reasons:

    :elliot: FSE does not use the media proxy feature.
    :theo: CSP settings on /media are paranoid.
    :bwksmug: FSE does not use the rich media feature.
    :venomsnake: FSE has no admin accounts, so my account has no special permissions.
    :terryno: FSE's aggressive rate-limiting makes attempts at any mass-dump more time-consuming.
    :tyrellmanic: I cannot die, nor can I ever be killed.

    (We can go ahead and start the timer on the next ImageMagick exploit that punches a hole in the server: the last one was a big one. Incidentally, the last big one was really big: https://imagetragick.com/ . FSE also does not mangle your uploads, so when the next one hits, we'll be immune to that, also.)

    Here's a test I did some time in 2020, if timestamps are to be believed: https://freespeechextremist.com/media/3ead00eb-ae12-4737-adc8-2c92d5e86a4f/test.html . That link is safe, the JS doesn't execute (and is innocuous anyway).

    Finally, I would like to tap the sign again. Do not trust admins: any of them could be malicious. An admin that is not malicious might be incompetent. An admin that is competent can still screw up. An admin that doesn't screw up can still install software that has a bug in it, get their servers seized by the gubbamint, or any number of external forces could conspire to fuck it all up. A million things can go wrong, and the second a piece of data leaves your computer, you no longer control it. Don't let it leave your computer if it would be a disaster for you to lose control of it.

    :lain: Here's lain talking about the fix: https://lain.com/objects/02a7a6ad-2514-4055-a1d4-a774bc3f5ea4
    :teamup: Here's graf's announcement: https://poa.st/objects/23a2d8aa-c72d-488d-b9dd-21d3f3b05521

    And, aside from sending annoying guys on Poast their own dick pics in lieu of a retort, this is the impact of the hack:
    nothing.gif
    In conversation Sunday, 28-May-2023 20:18:04 JST from freespeechextremist.com permalink

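As an added example (not code from the post, from Pleroma, or from any of the people in this thread), here is a check for the mitigation pistolero describes: the headers returned by the /media and /proxy endpoints should make an uploaded HTML file unable to run script or act as the instance's own origin, so it cannot read the web client's token from localStorage (the `localforage/vuex-lz` key quoted above). The function names and the sample response headers are constructed for illustration.

```python
def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [tokens]}."""
    policy: dict[str, list[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def media_csp_findings(headers: dict[str, str]) -> list[str]:
    """List weaknesses in the headers of an endpoint serving user-supplied files.

    An empty list means uploaded HTML can neither run script nor act as the
    instance's origin (so it cannot read the web client's token from
    localStorage). Header names are matched case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    csp = lowered.get("content-security-policy")
    if csp is None:
        return ["no Content-Security-Policy header"]
    policy = parse_csp(csp)
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    script_src = policy.get("script-src", policy.get("default-src", []))
    if script_src != ["'none'"]:
        findings.append("scripts not denied (need script-src or default-src 'none')")
    if "sandbox" not in policy:
        findings.append("no sandbox directive: uploaded HTML keeps the instance origin")
    elif {"allow-scripts", "allow-same-origin"} & set(policy["sandbox"]):
        findings.append("sandbox re-enables scripts or same-origin access")
    if lowered.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


# Constructed sample responses (not captured from any server).
PERMISSIVE = {"Content-Type": "text/html", "Content-Security-Policy": "default-src 'self'"}
LOCKED_DOWN = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "sandbox; default-src 'none'",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, hdrs in (("permissive", PERMISSIVE), ("locked-down", LOCKED_DOWN)):
        print(f"{name}: {media_csp_findings(hdrs) or ['ok']}")
```

Running the check against a live /media URL means fetching it and passing the response headers to `media_csp_findings`; a response that serves `text/html` without `sandbox` is the condition the test.html link above was probing.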

    • Humpleupagus (humpleupagus@eveningzoo.club)'s status on Sunday, 28-May-2023 20:23:36 JST
      The best security is to have nothing to secure. Be a ghost. Don't say anything in your DMs you wouldn't say publicly. Use a burner email.
      In conversation Sunday, 28-May-2023 20:23:36 JST permalink
    • :spinnenrad: Eiregoat :spinnenrad: (eiregoat@nicecrew.digital)'s status on Sunday, 28-May-2023 20:44:51 JST
      in reply to Humpleupagus
      > Don't say anything in your DMs you wouldn't say publicly

      Wouldn't you get in trouble for showing your eggplant to ladies in public 🤔

      Oh right elephant! You guys get away with everything.
      In conversation Sunday, 28-May-2023 20:44:51 JST permalink
    • Humpleupagus (humpleupagus@eveningzoo.club)'s status on Sunday, 28-May-2023 20:44:51 JST
      in reply to :spinnenrad: Eiregoat :spinnenrad:
      Women come to the Zoo just to see it. 👀
      In conversation Sunday, 28-May-2023 20:44:51 JST permalink
    • Humpleupagus (humpleupagus@eveningzoo.club)'s status on Monday, 29-May-2023 07:28:10 JST
      in reply to Chumchum Tumtum
      1. I just assume that regardless of patching exploited vulnerabilities, breaches will occur again in the future.

      2. The primary purpose of recent breaches seems to be for the purposes of data extraction and exposure, not direct destruction or manipulation of instances or the settings / database.

      3. Given the structure of the fediverse, even if an instance goes down, users can easily pop back up on other instances. Thus, attacking instances for anything other than data extraction and exposure is like swatting flies that you can't kill.

      4. Therefore, be unassailable. It really defeats the entire purpose of the hacks. "Oh no, you got a DM of a stupid cat I sent to another user. BFD."

      5. Nonetheless, admins should of course secure their instances as best possible. I am not discounting that by stating 1 through 4.
      In conversation Monday, 29-May-2023 07:28:10 JST permalink
    • Chumchum Tumtum (fcktheworld587@social.linux.pizza)'s status on Monday, 29-May-2023 07:28:11 JST
      in reply to Humpleupagus

      @Humpleupagus @p I mean, w/ E2EE I won't say anything I'm not comfortable being public knowledge within a decade

      In conversation Monday, 29-May-2023 07:28:11 JST permalink
    • Chumchum Tumtum (fcktheworld587@social.linux.pizza)'s status on Monday, 29-May-2023 08:37:19 JST
      in reply to Humpleupagus

      @Humpleupagus @p ohhhhh fedi DMs? Yeah, never say anything private

      In conversation Monday, 29-May-2023 08:37:19 JST permalink

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.