A recently discovered attack on visitors of the 8chan image website went well beyond the venue's usual script-kiddie fare by combining two weaknesses on that property with a potentially catastrophic vulnerability on the wildly popular photo-sharing site Imgur.com.

The result: the browsers of people who viewed certain Imgur-hosted images linked on one or more Reddit sections automatically executed code of the attacker's choice. That malicious JavaScript code in turn reached out to 8chan and exploited two additional but completely separate vulnerabilities on that site. From then on, every time one of these people visited an 8chan page, their browser would report to an attacker-controlled server and await instructions. In the process, the infected browser would bombard 8chan servers with hundreds of additional requests, although some researchers aren't convinced a denial-of-service on 8chan was the objective of the hack.

Worm-like properties

The hack had the potential to take on worm-like properties, in which a handful of viral images could generate an endless stream of traffic and millions and millions of new infections. It never got to that point, because Imgur fixed the Web-application bug on its site Tuesday morning, while 8chan temporarily blocked the execution of files based on Adobe's Flash media player. With the immediate threat averted, the question security researchers asked was, why was a vulnerability so potentially powerful as the one exploited against Imgur squandered on such a limited number of people?

The attacker "had a delivery mechanism on one of the most popular sites on the Internet, and he used it to target a very small minority of his peers," Arshan Dabirsiaghi, chief scientist at security firm Contrast Security, told Ars. "He could have turned this into money on the black market in several ways. Instead, he just used it for a prank."

The cross-site scripting (XSS) vulnerability affecting Imgur.com allowed attackers to attach malicious JavaScript to images uploaded to the site. The same weakness could have been used to expose people to off-the-shelf attack code that exploited vulnerabilities in browsers and browser plugins. Such exploits are one of the chief ways criminals surreptitiously install keyloggers and other types of malware on end user computers. A vulnerability like the one exploited against Imgur could have landed the attacker a hefty sum in malware affiliate fees.

Persistent browser infection

The unknown attacker who exploited the vulnerability either took a decidedly more innocuous path or was stopped short before achieving a more malevolent outcome. The only evidence that Dabirsiaghi and others have gathered so far shows the Imgur exploit interacting with booby-trapped Flash images hosted on 8chan. Those SWF images, in turn, installed their own XSS-based attacks in the HTML5 local storage databases of users' browsers. From then on, infected browsers would contact a command and control server each time an 8chan page was loaded. And with each one, the browsers would ping 8chan hundreds more times.

Dabirsiaghi said the control server has yet to issue any commands, so it's unclear if the objective of the attack was to flood 8chan with junk traffic or to do something much more sinister. What remains clear is that anyone who clicked on one of the booby-trapped Imgur links will continue to host malicious code inside their local storage database. Until they clear their browser history, their browsers will continue to hail the attacker-controlled server each time they visit an 8chan page.

The attack was discussed here, here, and here, among other places, although not all of the statements or observations turned out to be accurate. The hack demonstrates a potential weakness introduced by HTML5. By allowing visited websites to store JavaScript and other code inside a browser's local storage database, the newly adopted standard gives attackers a way to invoke malicious commands with each return visit. Fortunately, those commands are subject to the same-origin policy and other security controls enforced by modern browsers. Still, as this case shows, HTML5 can provide attackers with a persistent way to force other people's browsers to behave in unintended and potentially malicious ways.
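The persistence mechanism described above, as an added example that is not code from the article or from Imgur or 8chan: a page that executes an "init script" it finds in its own localStorage lets a single XSS write re-run on every visit, while a loader that treats storage as data only, plus a small audit that flags code-like entries for clearing, closes that path. The storage object, key names, and the inert payload string are constructed for the example; a plain object stands in for window.localStorage so it runs under Node.

```javascript
// Constructed snapshot of a victim's storage: one legitimate preferences entry
// and one entry a stored-XSS payload left behind. The "beacon" is inert here.
const sampleStorage = {
  prefs: JSON.stringify({ theme: "dark", pageSize: 25 }),
  initScript: 'globalThis.beaconTarget = "c2.attacker.invalid"; return "reinfected";',
};

// Vulnerable pattern: the site runs whatever is stored under initScript on every
// page load, so one XSS write is re-executed on each return visit.
function loadInitUnsafe(storage) {
  const code = storage.initScript;
  return code ? new Function(code)() : null;
}

// Hardened pattern: parse JSON and keep only known keys whose values pass an
// explicit check; anything else, including code, is dropped.
const PREF_CHECKS = {
  theme: (v) => v === "light" || v === "dark",
  pageSize: (v) => Number.isInteger(v) && v > 0 && v <= 100,
};
function loadPrefsSafe(storage) {
  let parsed;
  try { parsed = JSON.parse(storage.prefs ?? "{}"); } catch { return {}; }
  if (parsed === null || typeof parsed !== "object") return {};
  const prefs = {};
  for (const [key, check] of Object.entries(PREF_CHECKS)) {
    if (check(parsed[key])) prefs[key] = parsed[key];
  }
  return prefs;
}

// Audit: flag values that look like script or markup rather than data. This is a
// heuristic; a value that parses as JSON is treated as data regardless.
const CODE_LIKE = /<script|javascript:|\beval\(|new Function|\b(?:globalThis|window|document)\.|\bon\w+\s*=/i;
function auditStorage(storage) {
  return Object.entries(storage)
    .filter(([, value]) => {
      try { JSON.parse(value); return false; } catch { return CODE_LIKE.test(String(value)); }
    })
    .map(([key]) => key);
}

// Remediation matching the article's advice: remove the flagged entries.
function clearFlagged(storage) {
  for (const key of auditStorage(storage)) delete storage[key];
  return storage;
}

console.log(auditStorage(sampleStorage)); // ["initScript"]
```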