

4chan Has Been Down Since Monday Night After 'Pretty Comprehensive Own' (arstechnica.com) 69
4chan was reportedly hacked Monday night, with rival imageboard Soyjack Party claiming responsibility and sharing screenshots suggesting deep access to 4chan's databases and admin tools. Ars Technica reports: Security researcher Kevin Beaumont described the hack as "a pretty comprehensive own" that included "SQL databases, source, and shell access." 404Media reports that the site used an outdated version of PHP that could have been used to gain access, including the phpMyAdmin tool, a common attack vector that is frequently patched for security vulnerabilities. Ars staffers pointed to the presence of long-deprecated and removed functions like mysql_real_escape_string in the screenshots as possible signs of an old, unpatched PHP version. In other words, there's a possibility that the hackers have gained pretty deep access to all of 4chan's data, including site source code and user data.
Stopped updating in 2016 (Score:2)
Re: (Score:2)
you mean to tell me moot left us hanging?!
Re: (Score:2)
TLSv1.2 has been around since 2008 so most likely they do.
If they haven't updated since 2016 then they won't have TLSv1.3 which has been the standard since 2018.
Re:Stopped updating in 2016 (Score:4, Interesting)
Nah. They've been working on it actively. Trying to mine users' information (it was supposed to be an anonymous board) for marketing purposes. "Either put up with a 15 minute delay to post or verify your e-mail address with us."
And they had ClownFlare working with them. To make sure everyone had JavaScript turned on. So their scammy banner ads would work.
Re: (Score:2, Informative)
Re: (Score:2)
Account with E-Mail or a cookie that is weeks old doesn't matter, you can be tracked over these weeks using the cookie.
Re: (Score:2)
Which is worth 5 cents total to marketers.
Re: (Score:2)
Those are the people who sell your soul (not theirs, yours) for 0.5 cent.
Re: (Score:2)
I did not say other websites are better. On the other hand, there are many websites where a leak would be less drastic for their users.
And you must consider that 4chan organizes raids that draw a lot of negative attention to them. When they raid Scientology, you can bet the Scientologists would be happy if they got the ID stored in a long-lasting cookie to reconstruct the post history of the user. And you can bet that the TLAs are monitoring 4chan.
Re: (Score:2)
They had too much trouble with bot posters that would post for the "first time". The side-effect is if you don't use a particular computer to post for a few days, the cookie expires and you have to go through the 15 minute delay again.
Bot posters may have to initialize their ID cookie one time. But from then on, it's pretty easy to keep it active with occasional activity.
Re: (Score:2)
Re: (Score:3)
Actual Attack Vector (Score:5, Interesting)
"Contrary to popular belief, it was not SQL injection.
The exploit is such:
4chan allows uploading PDF to certain boards (/gd/, /po/, /qst/, /sci/, /tg/)
They neglected to verify that the uploaded file is actually a PDF file. As such, PostScript files, containing PostScript drawing commands, can be uploaded.
Said PostScript file will be passed into Ghostscript to generate a thumbnail image.
The version of Ghostscript that 4chan uses is from 2012, so it is trivial to exploit.
From there, we exploit a mistaken suid binary to elevate to the global user."
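The missing check described in the comment above, sketched as an added example (not 4chan's code and not part of the original post): an upload is classified by its leading bytes before it ever reaches the thumbnailer, so a PostScript file renamed to `.pdf` is rejected. The function names and sample inputs are constructed for illustration; the Ghostscript switches are standard ones.

```python
import os

PDF_MAGIC = b"%PDF-"
# Leading bytes Ghostscript treats as PostScript/EPS rather than PDF.
POSTSCRIPT_MAGICS = (b"%!", b"\xc5\xd0\xd3\xc6")  # text header, DOS EPS binary header

# Constructed sample inputs (not taken from the incident).
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
SAMPLE_PS = b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\n72 720 moveto (hello) show\nshowpage\n"


def classify_upload(data: bytes) -> str:
    """Classify by content, never by the client-supplied name or MIME type."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    # Tolerate a BOM or whitespace before the PostScript header when rejecting.
    if data[:1024].lstrip(b"\xef\xbb\xbf \t\r\n").startswith(POSTSCRIPT_MAGICS):
        return "postscript"
    return "unknown"


def accept_for_thumbnail(filename: str, data: bytes):
    """Return (ok, reason). Only files that are PDF by extension AND content pass."""
    if os.path.splitext(filename)[1].lower() != ".pdf":
        return False, "extension is not .pdf"
    kind = classify_upload(data)
    if kind != "pdf":
        return False, f"content is {kind}, not PDF"
    if b"%%EOF" not in data[-1024:]:
        return False, "missing PDF end-of-file marker"
    return True, "ok"


def thumbnail_argv(src: str, dst: str):
    """Ghostscript command line for a first-page thumbnail with file access restricted.
    The header check above is only a first gate: the renderer must also be patched
    and run as an unprivileged, sandboxed user."""
    return ["gs", "-dSAFER", "-dBATCH", "-dNOPAUSE", "-dQUIET",
            "-dFirstPage=1", "-dLastPage=1", "-r72", "-sDEVICE=png16m",
            f"-sOutputFile={os.path.abspath(dst)}", os.path.abspath(src)]
```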
Re: (Score:3)
It started at -1; OP apparently spends most of their time being a troll.
Exactly the kind of poster most likely to be informed about the topic at hand.
Re: (Score:1)
It's been dead since around 30 min after the sharty poster gained complete control; the homepage may still be up, but that is hosted separately from the boards. It'll likely take weeks to repair unless they're willing to risk another hack due to not completely patching all the spaghetti code.
Re:Actual Attack Vector (Score:5, Informative)
The site is available (at this moment) so your claim can be tested. I wonder why it's been immediately modded down.
Speaking of testing the claims. The site is *not* available. You may hit the landing page 4chan.org, but if you navigate to any board you'll get a Connection Timed Out error. It's been like this since before this story was published yesterday, and it's like this now.
The only person here who deserves a downmodding is you.
Re: (Score:3)
Re:Actual Attack Vector (Score:4, Funny)
Rumors are, that half the users there are PDF files.
Re: (Score:2)
And they rejoiced (Score:4, Interesting)
I've never seen such an uplifting post on /.
Too bad 4Chan went down after their members took over the US government.
Re: (Score:3)
We'll see when the list of email addresses is scrutinized...
Re: And they rejoiced (Score:2)
It's all relative. I've seen insanely stupid things every day this year.
Re: And they rejoiced (Score:1)
Re: Oh no! (Score:2)
My guess would be try to link email addresses to public figures and try to blackmail them with the threat of releasing all of their posts
Hey there mr politician, I see you post some pretty racist stuff on 4chan, would be a shame if it went public in time for the next election
Re: (Score:2)
Half their posts came from Israeli IP ranges. So it's the counterpart to the Epstein operation, blackmailing the people who couldn't be blackmailed with Epstein island flights.
Re: (Score:2)
My guess would be try to link email addresses to public figures and try to blackmail them with the threat of releasing all of their posts
This doesn't sound like an efficient method of determining the true market value of the posts. Why not hold an online auction for each public figure? Obviously bids would need to be in bitcoins or similar and they would need to find an escrow service that could handle bitcoins but that would not seem insolvable.
Re: (Score:2)
Bitcoin, for its inherent built in traceability?
4chan, the sphincter of the internet (Score:5, Interesting)
Historically, if 4chan had an outage for any length of time, the rest of the internet would suffer what was released upon it.
Reasonable forums would be overrun with trolling and shitposting.
No idea if that still holds true, or if 4chan is even still relevant. But it used to do the job of holding in all the excrement and keeping it away from the rest of us.
I am betting that they still don't just stop posting just because 4chan is down. Reddit mods are probably having a very bad day.
Re:4chan, the sphincter of the internet (Score:5, Insightful)
Reasonable forums would be overrun with trolling and shitposting.
It's 2025. There's no reasonable discourse left on the internet. You can thank Trump for that, or Biden, or TDS, or the Climate Hoax, or the WuFlu, etc. etc. Honestly 4chan and its children shouting the N word is child's play. I remember when it was actually newsworthy to see a troll draw a swastika, now you find them everywhere.
I long for the days where 4chan was the worst of humanity on the internet.
Re:4chan, the sphincter of the internet (Score:4, Informative)
And from the article: 'Security researcher Kevin Beaumont described the hack as "a pretty comprehensive own" ...'
Even alleged professionals speak like 13 year olds, because that's who they are. No self-respecting person would say this professionally, a teenager would.
The internet glorifies people who are emotionally stunted, that's why we have the president we have.
What a load of nonsense.
When you've been in that industry for a very, very long time, the word 'own' is normal to use and has nothing to do with age.
The word "owned" is literally used as a substitute for "gotten into". It's shorter, it has history and no one takes it in the context that you are taking it in.
It is you who is the problem here and your need to be enraged with idiotic things.
Re: (Score:2)
So used by experts but not seriously? Tell us what other things you gatekeep while jumping through mental gymnastics only to faceplant during the dismount.
Re: (Score:2, Informative)
Thing is, 4chan wasn't even the worst. Places like stormfront already existed during peak 4chan. And remember, back in the day when they'd close the pool at Habbo Hotel due to AIDS, they'd crowd out the real users by standing around in the shape of a swastika in order to be as patently offensive and obnoxious as possible, yeah. But when they got serious, they targeted truly vile organizations that richly deserved to be attacked and have everything bad that could be made to happen to them happen; like HB
Re: (Score:3)
There could be consequences for some of the 4chan users. There are many .edu email addresses belonging to moderators, which include their full names.
Re: (Score:2)
There could be consequences for some of the 4chan users. There are many .edu email addresses belonging to moderators, which include their full names.
I'm surprised it wasn't a sport to just sign up the professional email addresses of people you despise. Think of it as a variant of shitposting.
Re: (Score:3)
It's a well-known fact that many alphabet soup agencies operate on 4chan either to disseminate (dis)information or to watch what the social rejects have to say.
In fact, to not go into graphic details, a certain kind of spam on the political board disappears entirely when major events happen (Russian offensive, the 7th October attack...)
The agents are simply too busy on those days to do their usual spam.
Re: (Score:2)
This was already debunked. The E-Mail addresses in the leak are hashed, so no .edu or .gov E-Mail addresses could be identified and it is unlikely that .gov ones are in there.
Re: (Score:3)
Historically, if 4chan had an outage for any length of time, the rest of the internet would suffer what was released upon it.
Reasonable forums would be overrun with trolling and shitposting.
Now they can just go to X, which is already overrun with trolling and shitposting, plus all the other kinds of shit which people post on 4chan.
Not PHP (Score:5, Insightful)
This isn't a PHP issue, this is literally they "fed stuff to ghostscript via php" thus ghostscript ran postscript code inside the webserver process.
Like on its face this is a pretty basic, dumb, hack. A properly secured site, regardless of the PHP version would not run "non-php" shell programs. All it would have taken is uploading a PDF file that grabbed a known file (eg index.php) and post it, and then figure out the configuration data from that.
Outdated site software. (Score:3)
The website was running on a version of FreeBSD that was severely outdated. Version 10.1. A PDF exploit using Ghostscript allowed running a SUID binary to gain access. There is no excuse for running such an outdated version in 2025 when version 13.5 is out now. This is just laziness.
Re: (Score:2)
Laziness or cluelessness?
The people running this site don't appear to know what they are doing, the ones who did have probably moved on to some role in the new gummint so expect those who are held to be responsible to be deported to El Salvador.
Re: (Score:2)
The website was running on a version of FreeBSD that was severely outdated.
FreeBSD has MAC. However, had they been running Linux, it might have been easier to configure SELinux to prevent this type of attack.
phpmyadmin (Score:2)
Seriously, it is like 4 lines of config to put that thing behind http auth and never have a problem with its security vulnerabilities again.
Or use a desktop client for MySQL and don't install anything on your webspace.
I fear the worst (Score:3)
Potentially, this means the entire 4chan user interaction chain and all posts and their language will be available for download. Then AI researchers will use it to study social networks and language. Then we will get 4chan regurgitated back to us by AI tools.
Re: (Score:3)
File under (Score:3)
I'm half joking.
yeah 4chan is a shithole (Score:2)