The head of Kiwi Farms, the Internet forum best known for organizing harassment campaigns against trans and non-binary people, said the site experienced a breach that allowed hackers to access his administrator account and possibly the accounts of all other users.
On the site, creator Joshua Moon wrote:
The forum was hacked. You should assume the following.
- Assume your password for the Kiwi Farms has been stolen.
- Assume your email has been leaked.
- Assume any IP you’ve used on your Kiwi Farms account in the last month has been leaked.
Moon said that the unknown person or people behind the hack gained access to his admin account by using a technique known as session hijacking, in which an attacker obtains the authentication cookies a website sets after an account holder enters valid credentials and successfully completes any two-factor authentication requirements. The session hijacking was made possible after malicious content was uploaded to XenForo, the forum software Kiwi Farms uses to power its user forums.
“A bad actor was able to upload a webpage disguised as an audio file to XenForo,” Moon wrote. “Elsewhere, he was able to load this webpage (probably as an inline frame), causing random users to make automated requests and send their authentication cookies off-site, so that the attacker could use it to gain access to their account. My admin account was compromised through this mechanism.”
The attacker then used the access to Moon’s admin account to issue a command for XenForo to send the email address, username, last activity, and other details of every user. Moon said system logs indicated the command failed before any data was sent, but that he couldn’t rule out the possibility that the attacker ran other commands or scripts that may have succeeded.
The file uploaded to XenForo ends in .opus, an extension used by certain audio codecs. It was uploaded to XenForo directly and injected through a custom Rust-based chat program Moon wrote to make Kiwi Farms chats interact with sessions from XenForo.
The script caused targets to load /test-chat, a chat app Moon used for the site. Targets also loaded /help/, XenForo’s help documentation; /avatar/avatar, to change avatars to the logo of another site; and admin.php?tools/phpinfo, in the event the target was an admin.
While the command to download all users’ data didn’t appear to succeed, the attacker was able to load the file, most likely as an iframe, which caused certain users to send the attacker their Kiwi Farms authentication cookies. This is what caused Moon’s admin account to become compromised.
The compromise came after content delivery network Cloudflare last week stopped serving Kiwi Farms, following weeks of stiff rebuke from critics who said Cloudflare was enabling mass harassment and doxxing activities targeting trans and nonbinary people. Cloudflare provided protection from the distributed denial-of-service attacks that have targeted Kiwi Farms for years. Cloudflare had been the last top-tier provider to continue serving the site. Once it severed ties, Kiwi Farms was forced to fall back on much less capable services.
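The root cause described above is an HTML page accepted as an audio upload and later loaded in a frame that made authenticated requests. The following is an added defensive example, not code from Kiwi Farms, XenForo or Moon’s chat program: it validates an “.opus” upload by its Ogg/Opus signature rather than its extension, rejects anything that looks like markup, and returns hardened response and cookie headers. The sample bytes, function names and header choices are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed samples: a minimal Ogg page carrying an OpusHead packet, and an
# HTML document that an attacker might rename to .opus.
OPUS_SAMPLE = b"OggS" + b"\x00" * 24 + b"OpusHead" + b"\x01\x02" + b"\x00" * 20
HTML_SAMPLE = b"<!DOCTYPE html><html><body><script>/* not audio */</script></body></html>"

# Markup that has no business in an audio file (checked case-insensitively).
HTML_MARKERS = re.compile(rb"<\s*(!doctype|html|script|iframe|body)\b", re.IGNORECASE)

@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    headers: dict

def looks_like_opus(data: bytes) -> bool:
    # Every Ogg page starts with the capture pattern "OggS"; an Opus stream's
    # first packet starts with the "OpusHead" magic signature (RFC 7845, 5.1).
    return data.startswith(b"OggS") and b"OpusHead" in data[:64]

def serve_headers(filename: str) -> dict:
    # Hardened headers for serving user uploads: force download, forbid MIME
    # sniffing, and neutralise any script or frame content with a locked CSP.
    return {
        "Content-Type": "audio/ogg",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

def session_cookie(name: str, value: str) -> str:
    # A session cookie that script cannot read and that is not attached to
    # cross-site requests limits what a framed page can do with it.
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"

def check_upload(filename: str, data: bytes) -> UploadDecision:
    # Extension allow-list first, then content inspection: the extension alone
    # is exactly what the attack in the article relied on.
    if not filename.lower().endswith(".opus"):
        return UploadDecision(False, "extension not allowed", {})
    if HTML_MARKERS.search(data[:4096]):
        return UploadDecision(False, "markup detected in audio upload", {})
    if not looks_like_opus(data):
        return UploadDecision(False, "missing Ogg/Opus signature", {})
    return UploadDecision(True, "ok", serve_headers(filename))
```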
“In fairness to Joshua (the Admin), he appears to know technically what he’s doing based on his comments in Telegram chat,” independent researcher Kevin Beaumont wrote on Twitter on September 18, 2022, in a thread documenting the breach. “Unfortunately for him all the companies he’s working with and the users… Don’t.”
Kiwi Farms launched in its current form in 2013 and quickly became a hub for online harassment campaigns. At least three suicides have been tied to harassment stemming from the Kiwi Farms community. Forum participants often openly admit their goal is to drive their targets to take their own lives. Trans and non-binary people, members of the LGBTQ community, and women are frequent targets.
Moon didn’t respond to an email seeking comment and additional details about the breach. On Sunday, he tried to cast himself as the victim, with no indication of irony, as he explained the work that would be required to get the site working again.
“XenForo removed us from their license a year ago and their software is no longer sufficient for our needs,” he wrote. “We needed something custom, but my confidence in my work has been shot. The sophistication in this attack is very high, and shows an intimate familiarity with both Rust and XenForo. It is unfortunate that they have applied themselves to this end, likely for pay. There are so many more people trying to destroy than create.”