4chan hack

damas · 2025-04-15T12:01:54+00:00

4chan got PWNED. Thoughts and payers?

Porter

Pon
Today I will effortpost.

magicrabbit

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Kaper

Pon Meant more about stuff like potential CP spam and other general obscene shit being posted in the confusion.

Lumeinshin

They've released a blog post with an explanation of what happened
https://blog.4chan.org/post/781845918774394880/still-standing
Here is an interesting extract

Over the following days, 4chan’s development team surveyed the damage, which to be frank, was catastrophic. While not all of our servers were breached, the most important one was, and it was due to simply not updating old operating systems and code in a timely fashion.
Ultimately this problem was caused by having insufficient skilled man-hours available to update our code and infrastructure, and being starved of money for years by advertisers, payment providers, and service providers who had succumbed to external pressure campaigns.

They then go on to say that the servers and software have been updated. /f/ is not coming back because they cant take the risk of .swf files and pdfs are temporarily disabled to be safe.

Interesting little post, doesn't really make up for the lack of updates to the software at least.

Ross_R

Lumeinshin cant take the risk of .swf files

And what exactly is the risk of .swf files?
I mean, how can an swf file harm a server? I mean, just remove any kind of internal players, make it so that the end-user's browser plays the file - and there goes, not your problem anymore.
As long as you do not execute it, it's just a bouquet of code lying there.

Nickname

any bets over when will the website gets hacked again? Because they really haven't done anything to fix anything, and the jannies have been seething at the alternatives. Merely mentioning 8chan moe on 4chan will land you a month-long ban now. Rapeape is simply seething at the userbase discovering alternatives to his hellhole of a website. Maybe ban every single schizo, especially the twitter screenshot posters, instead of rewarding their behaviour and then maybe people will flock to the website again. Fucking cocksucker.

frijole del alta

well there goes the 4chan rehab experiment, didn't last that long as people expected. well there were those went to reddit, kinda stopped going there years ago for le luls. I missed /sp/ thats for sure.

Pedestrian

they removed the flash board but retained pol. yeeeah.

Somnolence

Pedestrian That was for security reasons though, not for anything ideological.

I speak for the cubes

Man, I just tried effortposting on /mu/ again and instantly got shut down. Yay.
I'll just stay here.

Pedestrian

Somnolence

Pedestrian

Ross_R
imagine a mod/admin plays the swf file just for fun or coz it looked too cool to be ignored

Somnolence

Ross_R
I dunno, sounds like a disaster waiting to happen. "What's the problem with landmines all over the countryside, just don't walk over there?"
The more surface area you allow for vulnerabilities, the more potential avenues for exploitation you're opening yourself up to. It might be that a .swf file sitting on the server is not ever going to cause a problem, but I could easily envision a world where a tainted .swf file works as a way to broaden or exacerbate another vulnerability.
It's annoying because /f/ was a decent little archive, and it's sad to see it go. I suspect nothing is going to become lost media because of it though.

Sean

magicrabbit I felt the exact same way during the downtime.

Ross_R That is exactly what I was thinking. I think the problem is that the people running the site want to change as little of the scripting needed to run the site as possible.

Ross_R

Pedestrian imagine a mod/admin plays the swf file just for fun or coz it looked too cool to be ignored

Mods and admins have their own PCs. It's not like any of those people browse the internet with 4chan's file server.

Somnolence but I could easily envision a world where a tainted .swf file works as a way to broaden or exacerbate another vulnerability.

Then do enlighten me, please, because I certainly fail to envision such a world, as was stated in my original question.
Once again, I can see an .swf with a wishmaster posing a threat to the end users, but then, wow, virus on the imageboard, what else is new?
So I really fail to see why they removed a flash board.

Somnolence

Ross_R Not going to pretend for you like I understand the sever structure of 4chan to give you the answer you're looking for. Especially now that they've gone an supposedly updated things behind the scenes. All I'm saying is leaving an archive of unsupported, readily exploitable media, will all kinds of capabilities for arbitrary and remote execution, just sitting on your servers for a handful of people to occasionally glance at- is not exactly good opsec. Seems like bad practice to sit on a mountain of explosives and say: "well, no one strike a match and we'll be fine".

Given what happened with PDFs, and the site's apocryphal history with PNGs, I would fully expect the team at 4chan to have made a cost-benefit analysis of every single file type they allow in the future. Flash files seems like an obvious candidate to excise.

Pedestrian

Ross_R hacking mods personal devices is more that enough a reason to kill off flash. Wasnt the pdf hack done the same way? personal pc of some mod got hacked and they manged to get all passwords?

Ross_R

Somnolence Not going to pretend for you like I understand the sever structure of 4chan to give you the answer you're looking for.

Let's leave it at that then. I definitely looked for a more in-tech answer rather than "sit on a mountain of explosives" analogy.
Newgrounds hosts swf just fine. Internet Archive has mountains of those. The second example is particularly interesting, since they used Ruffle for their site, which is a fresh, written-from-zero open-source flash emulator. I t might not work perfectly, but it is definitely up to date in terms of security. So they could've used that if they are so worried about security.
All in all, I see zero reasons to get rid of /f/. Once again, if it was me, I'd just make flash files strictly download-only, no read permissions for the file server - and that's about it. Let it be the end users' problem. It was always this way on the imageboards either way.

Fantasy

I had always been under the impression that part of the reason Flash was abandoned by Adobe was due to it being very exploitable. Even a quick Google has many exploits being found throughout the years.
If Adobe couldn't fully keep it safe than I doubt 4chan could. I do know the open source project but those are also prone to bad actors.

Outside of security reasons I'd wager getting rid of /f/ was monetary reasons. Extra files to store that hiro didn't want to pay for, mobile users getting nothing out of it so little ad traffic, and that's one less thing for the small team to deal with.

Ross_R

Fantasy I'd wager getting rid of /f/ was monetary reasons. Extra files to store that hiro didn't want to pay for, mobile users getting nothing out of it so little ad traffic, and that's one less thing for the small team to deal with.

Now that's a reason I'm ready to believe.
I really only asked the question in case if anyone could provide me some info about swf that I don't know already, so, like, pardon me or something. But I really think it's all about money, given how other sites host swf in the end of the day.
Internet Archive is an especially important precedent, since it is way more targeted site than 4chan... I think. And since the Archive has it, I guess it shows it works just having it on the server for the end user.
I mean, really, unless you give the file read/write permissions on the server itself, it is 100% save. You actually need to hack the server by other means and change those settings. Like, it's the basics.

Porter

Fantasy Probably didn't hurt that /f/ worked differently than the rest of the boards. They didn't even get to interact with the latest April Fools prank because the admins couldn't be bothered/didn't know how to implement it there.

« Previous Page Next Page »

Sheepishpatio.net is a forum running on the Flarum software, use of the forum is free. Please enjoy your time.

Friends of the site Here

If you are interested in creating imagery for the site, the resource page is Here