:hacker_f::hacker_s::hacker_e:
:hackerman: And the Case of the Missing Auth Token :hackerman2:

I'm late to this party and did not make any kind of writeup (aside from arguing in a thread) because I am on an impromptu trip to visit my grandfather in the hospital, whose kidneys seem to have shut down. But I should probably say a few things about this and how it relates to FSE. If you are unfamiliar: an admin token for graf was exfiltrated through a malicious embed. A pair of bugs has been confirmed in Pleroma's embedding code for "rich media" (Twitter cards, link previews) and a fix is on the way. There is also a mitigation you can apply now: disable rich media, and make sure a proper CSP is set on both /media and the /proxy endpoint (the latter unless you have disabled media proxying). FSE was never vulnerable to this bug, for reasons explained below.

What was leaked was a large number of chats, and then the media attached to them. The chats were called "DMs" in the alogs.space thread. The same thing happened to bae.st, probably an opportunistic token grab through the media proxy. The same exfiltration script worked against both instances because of this line:

> JSON.parse(localStorage.getItem('localforage/vuex-lz'));

(The web frontend persists its state, including the session's auth token, under that same localStorage key on every instance, so a script that reads it needs no per-instance changes. I don't know how likely it is that this happens or is practical, but future problems could be mitigated by making instance-specific names for the key in the local storage.)

Eventually, the script gets around to exfiltrating the token by sending it to mostr.fedirelay.xyz. The script appeared on Poast on the 20th (concurrent with the mass-spamming, which may or may not be a :whiterose: coincidence :phillippricerevenge:), and the dump hit alogs.space on the 25th. The naming conventions and the presentation of the dump make it look like, once the token was grabbed, the same tool that was used to extract the chudbuds.lol dump was used for this one. The chudbuds.lol vector was different (the admin's desktop was compromised) and it was a much bigger breach; this was just the admin token for the web interface rather than login credentials for a shell on the server, etc.

It may be worth noting that the chudbuds.lol thread mentioned graf/Gleason a few times near the top, and there have been some minor (very recent) attempts at a DDoS of poa.st and poast.tv. Timing for the chudbuds.lol leak seemed much tighter and better coordinated, but this one was a little sloppier (a DDoS of Poast starting when the dump landed on alogs.space would have been an obvious thing to do as a distraction; they coordinated the chudbuds.lol dump with the beginning of one of the admin's Twitch streams, and tossed a couple of kids in to spam the chat).

Since admins can see chats, an admin token was enough to extract all of them, and it might have been possible to exfiltrate almost anything else the admin interface exposes. Poast uses in-DB config, so compromising an admin's account also means the attacker can alter instance blocks and other settings.

FSE is immune for a few reasons:

:elliot: FSE does not use the media proxy feature.
:theo: CSP settings on /media are paranoid.
:bwksmug: FSE does not use the rich media feature.
:venomsnake: FSE has no admin accounts, so my account has no special permissions.
:terryno: FSE's aggressive rate-limiting makes attempts at any mass-dump more time-consuming.
:tyrellmanic: I cannot die, nor can I ever be killed.

(We can go ahead and start the timer on the next ImageMagick exploit that punches a hole in the server: the last one was a big one. Incidentally, the last big one was really big: https://imagetragick.com/ . FSE also does not mangle (re-encode or strip) your uploads, so when the next one hits, we'll be immune to that, also.)

Here's a test I did some time in 2020, if timestamps are to be believed: https://freespeechextremist.com/media/3ead00eb-ae12-4737-adc8-2c92d5e86a4f/test.html . That link is safe, the JS doesn't execute (and is innocuous anyway).
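The CSP point above (the mitigation in the opening paragraph, the "paranoid" /media policy in the list, and the uploaded test.html whose JS does not execute) can be turned into a check. What follows is an added example, not code from this post or from Pleroma: it takes a set of response headers for a file served from /media or /proxy and reports whether a browser would treat it as a scriptable document, whether script in it could run, and whether that script could reach the instance origin's localStorage (the store the quoted `localforage/vuex-lz` line reads). The header sets and their names are constructed for illustration.

```javascript
// Added example, not Pleroma code: assess whether an uploaded or proxied file,
// served with the given headers, could run script in the instance origin and
// read the web UI's persisted state from localStorage. Header sets below are
// constructed for illustration.

// Parse a Content-Security-Policy header into a Map of directive -> tokens.
// When a directive is repeated, browsers honour the first occurrence only.
function parseCsp(value) {
  const directives = new Map();
  for (const part of (value || "").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// True when a source list permits nothing: 'none' or an empty list.
function sourceListIsEmpty(list) {
  return list.length === 0 || (list.length === 1 && list[0] === "'none'");
}

function assessUploadHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const contentType = (h["content-type"] || "").toLowerCase();
  const csp = parseCsp(h["content-security-policy"]);

  // Only HTML and SVG (when navigated to directly) yield a document that can
  // carry script; a PNG or a download never does. MIME sniffing of responses
  // with no Content-Type is deliberately not modelled here.
  const scriptableDocument =
    contentType.startsWith("text/html") || contentType.startsWith("image/svg+xml");

  // `sandbox` without allow-scripts disables script; without allow-same-origin
  // the document gets an opaque origin and cannot touch the instance's storage.
  const sandbox = csp.get("sandbox");
  const sandboxBlocksScript = sandbox !== undefined && !sandbox.includes("allow-scripts");
  const sandboxOpaqueOrigin = sandbox !== undefined && !sandbox.includes("allow-same-origin");

  // script-src falls back to default-src; with neither present anything runs.
  // Note that 'self' still lets a second uploaded .js file on the origin run.
  const scriptSources = csp.get("script-src") ?? csp.get("default-src");
  const sourceListBlocksScript =
    scriptSources !== undefined && sourceListIsEmpty(scriptSources);

  const scriptCanRun = scriptableDocument && !sandboxBlocksScript && !sourceListBlocksScript;
  const storageReachable = scriptCanRun && !sandboxOpaqueOrigin;
  return { scriptableDocument, scriptCanRun, storageReachable };
}

// Constructed header sets for a few /media configurations (names are invented).
const SAMPLES = {
  noCsp: { "Content-Type": "text/html; charset=utf-8" },
  selfOnly: { "Content-Type": "text/html", "Content-Security-Policy": "default-src 'self'" },
  sandboxed: { "Content-Type": "text/html", "Content-Security-Policy": "sandbox; default-src 'none'" },
  sandboxWithScripts: { "Content-Type": "text/html", "Content-Security-Policy": "sandbox allow-scripts" },
  image: { "Content-Type": "image/png" },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, assessUploadHeaders(headers));
}
```

Run it with node. The selfOnly case is the situation a later reply in this thread describes, instances that let uploaded JavaScript files execute: `default-src 'self'` stops inline script but not a second upload served from the same origin. The sandboxWithScripts case shows the other half of a sandbox policy: even where script runs, omitting allow-same-origin gives the document an opaque origin and no access to the instance's storage. Because the checker ignores MIME sniffing, pair whatever policy you settle on with X-Content-Type-Options: nosniff.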

Finally, I would like to tap the sign again. Do not trust admins: any of them could be malicious. An admin that is not malicious might be incompetent. An admin that is competent can still screw up. An admin that doesn't screw up can still install software that has a bug in it, or get their servers seized by the gubbamint; any number of external forces could conspire to fuck it all up. A million things can go wrong, and the second a piece of data leaves your computer, you no longer control it. Don't let it leave your computer if it would be a disaster for you to lose control of it.

:lain: Here's lain talking about the fix: https://lain.com/objects/02a7a6ad-2514-4055-a1d4-a774bc3f5ea4
:teamup: Here's graf's announcement: https://poa.st/objects/23a2d8aa-c72d-488d-b9dd-21d3f3b05521

And, aside from sending annoying guys on Poast their own dick pics in lieu of a retort, this is the impact of the hack:
[image: nothing.gif]
@p I find the baest leak bundled in with the rest to be really tasteless. It's one thing to have a problem with graf, it's another to address that problem by attacking sjw.
@sevvie @p given how widespread the vulnerability apparently was I'm quite puzzled that (seemingly) only the two instances were hit
@roboneko @p There's been extra paranoia recently; reports of feds and general bad-actors have had admins on alert. Plus, not everyone uses media proxy, or rich media links, or allows javascript files to be executable in the uploads folder -- there's a ton of variation in how pleroma instances are set up.

There's an old meme, "every pleroma is a fork of pleroma" or something to that effect, that played into our favour.
@sevvie @roboneko @p We use media proxy mostly to be good neighbors. You don't want 10,000 people online fetching a video file you post, especially not people using Digital Ocean or similar hosts where bandwidth is metered.
@graf @sevvie @roboneko Yeah, but I think it's more like people scrolling past it without looking at it, and a browser might not load the whole thing but the stupid media proxy does, then it's evicted from cache long before the next person scrolls past it without looking at it. I think it's worse than just putting in the image as-is.
@p @roboneko @sevvie Ours has a very high retention but I will try to tweak it more. I think for most edge it's 7 days or longer.

I will check the media subdomain configs shortly
@graf @roboneko @sevvie Yeah, but a couple of things, like what is actually the max size it keeps before evicting, and how do you even know what it's doing without metrics?

One thing I'm saying, say there's a 60MB video. Browser loads part of it (say a meg) then waits until you hit play. Say you don't. Instance doesn't know that, so media proxy asks for the whole 60MB, serves 1MB. Say that person has 20 followers on Poast. 20 people ask for the first meg and don't watch it, so that's 40MB wasted bandwidth. If it gets evicted during that period, then add 60MB wasted bandwidth per eviction.

Or say the issue that started this: someone leaning on the page-down key, and their browser is requesting images, then they get to the media proxy, it's not aborting shit, it just keeps asking for new images because no one rate-limited outgoing reqs in this cursed media proxy, but their browser actually is not loading all these images...but Poast, with its fat datacenter pipe, loads all these images fast enough to saturate my upstream. The guy doing it could not, with his residential cable (or whatever) connection, but Poast's server can. His browser will crash, at some point he's gonna run out of memory, but Poast is just flooding the reqs and dumping it to disk. The normal bottlenecks aren't there. The media proxy has been nothing but trouble for me.
@p @roboneko @sevvie Yeah, it's half baked. You have my word I'll make sure it's fleshed out properly.
@graf @roboneko @sevvie You'll have better luck tweaking it to use IPFS or something. feld is amenable, saw a post the other day.
@graf @p @roboneko @sevvie Why does the Fediverse have to be a single group list run by
Anti Whites & Jews & Mentally ill and
International Marxists/Commies/Zionists

Why can't we have our own separate group network affiliation lists

Clearly certain groups are incompatible

Time for a peaceful self separation and self segregation

Let US go our own way (away from you lot)
Game Liberty Mastodon