Conversation
:btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Friday, 26-May-2023 10:43:38 JST :btrfly: anime graf mays 🛰️🪐 hey friends,
on may 19, 2023 an unknown user registered the domain name fedirelay.xyz and set up a fake mostr (nostr) relay to listen for requests on the fediverse.
on may 20, 2023 at 20:52 (utc) a user uploaded the attached document to poast. it was originally an obfuscated javascript file (unobfuscated and attached here, renamed to .txt so you can view it in any editor).
what this javascript file does is take the viewer's oauth token, encode it to make it look like a nostr pubkey and then force the clandestine mostr relay to look up that user locally, giving that server the encoded token, all while appearing to be a legitimate mostr (nostr) bridge.
i have taken steps to completely limit access to the admin api and corrected any CSP or other issues that could possibly have contributed to this, however most of you are still vulnerable to it. the default pleroma install serves media files on your root domain as a local folder (i.e. yourdomain.xyz/media) and the default CSP for any site is to allow executing scripts via the root domain. in order to prevent this you should take steps to either move your media from yourdomain.xyz/media to media.yourdomain.xyz (or any subdomain outside of your root domain) or perhaps by limiting the CSP for that subdirectory via nginx configuration.
if you are an instance owner, the obfuscated file hash is `b2977f2d97f598d2ebd6dcf37afd9047b5da2b6dc95a7b2824fb111c906fb117` so you can search yourdomain.xyz/media/b2977f2d97f598d2ebd6dcf37afd9047b5da2b6dc95a7b2824fb111c906fb117.js and see if you have it on your server.
sorry to anybody i let down but i could never have foreseen this level of sophistication and i would not have ever expected it. now that we are aware of it, we will be more diligent in the future. thanks for being here with us still, friends.
-
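An added check for the "search yourdomain.xyz/media/<hash>.js" step in graf's post. This is example code, not anything graf or the Pleroma project shipped. It assumes uploads sit on the local filesystem (Pleroma's default uploader) and that sha256sum or shasum is installed; the list of "script/markup" extensions is this script's own choice, since the thread only mentions .js. Hashing file contents instead of trusting the filename is deliberate: Pleroma's default Dedupe upload filter names files by their sha256, which is why graf's hash doubles as a URL, but a renamed copy would only be caught by hashing.

```shell
#!/bin/sh
# Added example, not code from the thread or from Pleroma. Hunts an instance's
# upload store for the file graf identified and for any upload that is a
# script or markup at all. Assumes uploads live on the local filesystem (the
# default Pleroma uploader) and that sha256sum or shasum is installed.

# Hash from the thread: the obfuscated loader's sha256, which is also its
# filename because Pleroma's default Dedupe upload filter names files that way.
IOC_SHA256='b2977f2d97f598d2ebd6dcf37afd9047b5da2b6dc95a7b2824fb111c906fb117'

# sha256_of FILE -> hex digest (coreutils or BSD/macOS tooling)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# find_by_sha256 DIR HASH -> every file under DIR whose content hashes to HASH.
# Hashing content rather than trusting the filename also catches a renamed copy.
find_by_sha256() {
    find "$1" -type f | while IFS= read -r f; do
        if [ "$(sha256_of "$f")" = "$2" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# list_script_uploads DIR -> uploads with a script/markup extension. The
# extension list is this script's choice; the thread only mentions .js.
list_script_uploads() {
    find "$1" -type f \( -iname '*.js' -o -iname '*.mjs' -o -iname '*.html' -o -iname '*.htm' \)
}

# audit_uploads DIR -> prints findings; returns 0 only when nothing was found.
audit_uploads() {
    hits=$(find_by_sha256 "$1" "$IOC_SHA256")
    scripts=$(list_script_uploads "$1")
    if [ -n "$hits" ]; then
        printf 'IOC match (sha256 %s):\n%s\n' "$IOC_SHA256" "$hits"
    fi
    if [ -n "$scripts" ]; then
        printf 'script/markup uploads:\n%s\n' "$scripts"
    fi
    [ -z "$hits" ] && [ -z "$scripts" ]
}

# Usage (path is a placeholder): audit_uploads /opt/pleroma/uploads
```

On a large upload store, hashing every file is slow; run `list_script_uploads` first and feed only those paths to `sha256_of`, or narrow `find` with `-iname "$IOC_SHA256.*"` for the dedupe-named original before doing a full content sweep.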
cool_boy_mew (coolboymew@shitposter.club)'s status on Friday, 26-May-2023 11:24:53 JST cool_boy_mew @graf
CC: @Moon you probably saw it already -
:btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Friday, 26-May-2023 11:31:48 JST :btrfly: anime graf mays 🛰️🪐 @mona as far as i know this is strictly pleroma (and maybe just pleromafe) -
Mona (mona@frennet.xyz)'s status on Friday, 26-May-2023 11:31:49 JST Mona @graf@poa.st how would this affect misskey since it handles uploads and storing of media differently?
-
DK (dk_dharmaraj@poa.st)'s status on Friday, 26-May-2023 11:34:40 JST DK @graf State actor suspected? -
Wrath (eiswald@poa.st)'s status on Friday, 26-May-2023 11:34:40 JST Wrath @DK_Dharmaraj @graf >could never have foreseen this level of sophistication
Beat me to it. Literally reads like a private corporation, probably state affiliated (pick of the litter with these seething kikes), has a bone to pick with Poast and other instances. There's also a fairly good chance that this was just a scare tactic.
They want to drive users away from platforms like this for obvious reasons, to where I don't know because I cannot imagine anyone here going to twitter or some other curated, algorithmically policed platform.
Whoever it was they were probably very skilled and either paid to do it or have money behind them to begin with. I have no reason to leave and really see no good reason to leave.
Taking a page from what Count Dankula had to say on matters like this and something I've long believed. I don't care how secure or safe that you think you or the platform or the methods you use are, you are being watched. If (((they))) want to keep tabs on you they can and will and there's nothing that can be done to prevent it short of pulling the plug on the internet. Always assume that EVERYTHING you do on the internet is being monitored.
Anyway. This whole matter stinks to high hell and to TL;DR: you're right. It stinks like, and I hate to fucking say it, a glownigger. -
:btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Friday, 26-May-2023 12:28:51 JST :btrfly: anime graf mays 🛰️🪐 @BiggusDiccus @Boomerman its a temporary fix. the solution is to prevent uploading javascript and other shit in the first place. there's no reason people need to be sharing javascript on a social media site -
:btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Friday, 26-May-2023 12:28:52 JST :btrfly: anime graf mays 🛰️🪐 @Boomerman correct -
BiggusDiccus (biggusdiccus@poa.st)'s status on Friday, 26-May-2023 12:28:52 JST BiggusDiccus @graf
We should probably be thankful that this vulnerability was exposed with such little damage.
Great work Graf! Is your current solution a full fix for this or is it a bandaid while the issue gets investigated further?
@Boomerman -
Boomerman (boomerman@poa.st)'s status on Friday, 26-May-2023 12:28:54 JST Boomerman @graf So this theoretically isn't just poast but the entire fediverse that's vulnerable? -
монолит (wishgranter14@poa.st)'s status on Friday, 26-May-2023 12:42:39 JST монолит @AnimeTradCath @graf Yea, I need a geek to English translation. I sort of get that it "stole" the oauth token to trick something into doing something, but not really sure what? I normally use pl.poa.st, but just today it's giving me all these 403 errors. Not sure if related or not. -
EdBoatConnoisseur (edboatconnoisseur@poa.st)'s status on Friday, 26-May-2023 12:42:39 JST EdBoatConnoisseur -
🇮🇷🇻🇦AnimeTradCath:flag_swr: 🇮🇷 (animetradcath@poa.st)'s status on Friday, 26-May-2023 12:42:40 JST 🇮🇷🇻🇦AnimeTradCath:flag_swr: 🇮🇷 @graf >i have taken steps to completely limit access to the admin api and corrected any CSP or other issues that could possibly have contributed to this, however most of you are still vulnerable to it. the default pleroma install serves media files on your root domain as a local folder (i.e. yourdomain.xyz/media) and the default CSP for any site is to allow executing scripts via the root domain. in order to prevent this you should take steps to either move your media from yourdomain.xyz/media to media.yourdomain.xyz (or any subdomain outside of your root domain) or perhaps by limiting the CSP for that subdirectory via nginx configuration.
I'm not the best with computers so this is all Greek to me. -
Shari Vegas :windmill_of_friendship: :1488: (sharivegas@pleroma.nobodyhasthe.biz)'s status on Friday, 26-May-2023 12:53:38 JST Shari Vegas :windmill_of_friendship: :1488: @parker @SpaceElf @parker @graf I think we should do both. I'm trying to figure out how to do that now. -
Parker Banks (parker@pl.psion.co)'s status on Friday, 26-May-2023 12:53:39 JST Parker Banks @ShariVegas @SpaceElf @parker @graf Thanks I'll try that in a bit then. Otherwise I was thinking of something like deny all for js files in the uploads directory. -
Shari Vegas :windmill_of_friendship: :1488: (sharivegas@pleroma.nobodyhasthe.biz)'s status on Friday, 26-May-2023 12:53:40 JST Shari Vegas :windmill_of_friendship: :1488: @parker @SpaceElf @parker @graf I think for our installations, we can simply drop the access-control-allow-origins and access-control-allow-credentials headers?
I’ve added
    proxy_hide_header 'access-control-allow-credentials';
    proxy_hide_header 'access-control-allow-origin';
to the location block for /media. I think that’ll work just fine?
-
Parker Banks (parker@pl.psion.co)'s status on Friday, 26-May-2023 12:53:41 JST Parker Banks @SpaceElf @parker @graf I checked, we don't have the offending JavaScript on file, so we're good. I will also update the CSP so as to block execution of scripts from the media directory. -
💮Space Elf🐝 (spaceelf@leafposter.club)'s status on Friday, 26-May-2023 12:53:42 JST 💮Space Elf🐝 @parker @parker I don't know if this is relevant to the instance, but I saw this and figured I might ping you to save some potential effort, just in case. -
Parker Banks (parker@pl.psion.co)'s status on Friday, 26-May-2023 12:54:18 JST Parker Banks @ShariVegas @SpaceElf @parker @graf
I'm pretty sure this is wrong
location ~* /media/.*\.js$ {
    deny all;
} -
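An added audit for the nginx changes discussed above (Shari's header hiding, Parker's deny rule, graf's CSP and media-subdomain advice). This is example code, not anything from the thread or from Pleroma; the pass/fail rules are this script's own, and the `/opt/pleroma` style paths and URLs in it are placeholders. Two points it encodes are worth knowing before editing nginx. First, a Content-Security-Policy header on the /media response only governs the upload when it is opened directly as a document; a `<script src="/media/x.js">` tag on the app page is governed by the app page's policy, and `script-src 'self'` there permits every same-origin path, including /media, which is why graf's advice is to move uploads to another domain. What stops a script-tag include of an upload on the same origin is a non-script Content-Type together with `X-Content-Type-Options: nosniff`, or simply refusing to serve it, as Parker's rule does. Second, Parker's regex location is valid nginx syntax; what silently defeats it is a `location ^~ /media/` prefix block elsewhere in the server, since `^~` stops regex locations from being consulted, and `add_header` inside a location discards every `add_header` inherited from the server block, so any you still need must be repeated.

```shell
#!/bin/sh
# Added example, not code from the thread or from Pleroma. Audits the response
# headers an instance sends for a file under /media and reports what would
# still let an uploaded .js or .html run in the instance's origin. The header
# names are standard; the pass/fail rules are this script's own choice.

# Lower-case, CR-stripped copy of a raw header block passed as $1.
_norm_headers() {
    printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z'
}

# Value of header $2 (lower-case name) in normalised block $1, first match only.
_hdr() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# check_media_headers RAW_HEADERS
# Prints one FAIL line per problem; returns 0 only when none were found.
check_media_headers() {
    h=$(_norm_headers "$1")
    bad=0

    # 1. A script/markup MIME type lets <script src=/media/x.js> on the app
    #    page execute the upload, and lets an .html upload render as a page.
    ctype=$(_hdr "$h" 'content-type')
    case "$ctype" in
        *javascript*|*ecmascript*|*html*)
            echo "FAIL: upload served with executable type: $ctype"; bad=1 ;;
    esac

    # 2. Without nosniff a browser may still sniff a text/plain body into a script.
    [ "$(_hdr "$h" 'x-content-type-options')" = "nosniff" ] ||
        { echo "FAIL: missing X-Content-Type-Options: nosniff"; bad=1; }

    # 3. When the file is opened directly as a document, its own CSP applies:
    #    require 'sandbox' or an effective script-src of 'none'.
    csp=$(_hdr "$h" 'content-security-policy')
    directives=$(printf '%s\n' "$csp" | tr ';' '\n' | sed 's/^ *//')
    script_src=$(printf '%s\n' "$directives" | sed -n 's/^script-src *//p' | head -n 1)
    default_src=$(printf '%s\n' "$directives" | sed -n 's/^default-src *//p' | head -n 1)
    effective=${script_src:-$default_src}
    if ! printf '%s\n' "$directives" | grep -q '^sandbox' && [ "$effective" != "'none'" ]; then
        echo "FAIL: CSP on media does not block scripts (got: ${csp:-none})"; bad=1
    fi

    # 4. Credentialed CORS on uploads serves no purpose and widens exposure.
    [ "$(_hdr "$h" 'access-control-allow-credentials')" != "true" ] ||
        { echo "FAIL: Access-Control-Allow-Credentials: true on media"; bad=1; }

    return $bad
}

# check_media_url URL: fetch headers only and run the checks (needs network).
# Example (placeholder URL): check_media_url https://instance.example/media/test.js
check_media_url() {
    check_media_headers "$(curl -sS -o /dev/null -D - "$1")"
}

# nginx_media_hardening: an nginx fragment that yields passing headers. The
# existing proxy_pass/alias lines of your /media block stay as they are, and
# add_header here replaces every add_header inherited from the server block.
nginx_media_hardening() {
    cat <<'EOF'
location /media/ {
    proxy_hide_header Access-Control-Allow-Credentials;
    add_header X-Content-Type-Options nosniff always;
    add_header Content-Security-Policy "default-src 'none'; sandbox" always;
    # refuse script/markup uploads outright, as Parker's rule in the thread does
    location ~* \.(m?js|html?)$ { return 403; }
}
EOF
}
```

Run `check_media_url` against a known upload URL after reloading nginx; a clean run prints nothing and exits 0. None of this replaces graf's recommendation to serve uploads from a separate domain, which removes them from the app origin's `script-src 'self'` entirely.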
Boomerman (boomerman@poa.st)'s status on Friday, 26-May-2023 14:22:51 JST Boomerman @Shadowman311 @reloadedAK @ggf @DK_Dharmaraj @graf They're all federal assets. Only people even talking about it are twitter retards. No one cares it isnt some big splash. Maybe they doxx a couple of shit poasters. Big whoop. -
reloadedAK :ak: (reloadedak@poa.st)'s status on Friday, 26-May-2023 14:22:51 JST reloadedAK :ak: @Boomerman @Shadowman311 @ggf @DK_Dharmaraj @graf I would hope that those of us that use Poast wouldn't give THAT level of doxx info -
reloadedAK :ak: (reloadedak@poa.st)'s status on Friday, 26-May-2023 14:22:52 JST reloadedAK :ak: @Shadowman311 @ggf @DK_Dharmaraj @graf Remember he is willing to associate with that fag Zoom to dig dirt on people so I wouldn't be completely sure he didn't have a hand in it -
Boomerman (boomerman@poa.st)'s status on Friday, 26-May-2023 14:22:52 JST Boomerman @reloadedAK @Shadowman311 @ggf @DK_Dharmaraj @graf I sorta personally suspect this may have been zoom. Its his MO for stuff like this. -
Shadowman311 (shadowman311@poa.st)'s status on Friday, 26-May-2023 14:22:52 JST Shadowman311 @Boomerman @reloadedAK @ggf @DK_Dharmaraj @graf Zoom likes to brag, he can't help it, its a fatal flaw of his. If he did this it won't be long until he says something. -
Shadowman311 (shadowman311@poa.st)'s status on Friday, 26-May-2023 14:22:53 JST Shadowman311 @ggf @DK_Dharmaraj @graf The fact that Ralph knew about it immediately is extremely suspicious, but I doubt anyone from his fanbase could pull this off. That being said he is within a few degrees of separation from federal assets like Baked Alaska and almost certainly Fuentes so he could have easily just gotten it through that particular circle. -
ggf (ggf@poa.st)'s status on Friday, 26-May-2023 14:22:55 JST ggf @DK_Dharmaraj @graf Two reasons why this was not a state actor.
1. One of the first things anybody does to test a site out is throw some javascript at it and see what happens. Everybody has their own methods and what they look for which is probably why it wasn't leveraged before.
2. The results made its way to Ethan Ralph.
The hacker was probably one of the first people who noticed a CSP flaw, but there could have been others. Graf has probably already checked as part of his post mortem if anybody else tried uploading a .js in the past. While I'd imagine mostly it was benevolent reasons, those people make a good list to ask why they were, the original account of the hacker might even be among one of them. -
Boomerman (boomerman@poa.st)'s status on Friday, 26-May-2023 14:23:36 JST Boomerman @reloadedAK @Shadowman311 @ggf @DK_Dharmaraj @graf It seems unfortunately some did. Which sucks but like come on man. -
Machismo (zerglingman@freespeechextremist.com)'s status on Friday, 26-May-2023 14:27:16 JST Machismo @graf The modern web and its consequences.
I need to install bloat already, then just ban all scripts on my site. -
Ako Suminoe :njp: (realakosuminoe@poa.st)'s status on Friday, 26-May-2023 14:53:31 JST Ako Suminoe :njp: @Zerglingman @graf This has nothing to do with the "modern" web and attacks like this were EXTREMELY common on the older web. I mean, the old web used to involve sending passwords in plain text over unencrypted connections. Script injections and token leaks happened all the time, and the unfortunate situation of the modern web is that it needs to mitigate all of these issues. The reality is that security in a federated social network is a HARD problem to solve, and I'm honestly surprised that issues like this haven't happened more frequently. -
Machismo (zerglingman@freespeechextremist.com)'s status on Friday, 26-May-2023 14:54:16 JST Machismo @RealAkoSuminoe @graf lmao ok retard -
(mint@ryona.agency)'s status on Friday, 26-May-2023 15:33:12 JST @lain @graf >how that mostr relay plays into this
It's just a dud. Oauth tokens get presented as those long-ass usernames, the script does the account lookup query on local instance, and then local instance tries to fetch the account with that username from a remote one, which then logs the tokens. -
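An added detection pass for the mechanism mint describes: the script asks the local instance to look up an "account" whose name is the encoded token, and the instance then goes to the attacker's relay to resolve it. This is example code, not anything from the thread. It covers only the inbound side that nginx records: a browser fetching a script out of /media, and the account lookup carrying the oversized username. Two things are assumptions of the script rather than facts from the thread: that the lookup arrives at `/api/v1/accounts/lookup?acct=` or `/api/v1/accounts/search?q=` (the thread does not name the endpoint), and that a local part longer than 80 characters is worth flagging even when the domain is not fedirelay.xyz. The log lines are constructed, with example addresses and hostnames, not real poa.st traffic; the relay domain and the file hash are the ones graf posted.

```shell
#!/bin/sh
# Added example, not from the thread. Scans an nginx access log (combined
# format) for the two inbound traces the attack would leave: a fetch of a
# script out of /media, and an account lookup whose "username" is really an
# encoded token. Endpoint names and the 80-character threshold are assumptions.

# scan_access_log LOGFILE RELAY_DOMAIN
# Prints "<reason>\t<log line>" for each hit; prints nothing when clean.
scan_access_log() {
    awk -v dom="$2" -v maxlen=80 '
    {
        req = $7                      # request target field in the combined format
        if (req ~ /^\/media\/.*\.(m?js|html?)([?]|$)/) {
            print "script-upload-fetch\t" $0; next
        }
        if (req ~ /^\/api\/v1\/accounts\/(lookup|search)\?/) {
            n = split(req, part, /[?&]/)
            for (i = 2; i <= n; i++) {
                eq = index(part[i], "=")
                if (eq == 0) continue
                key = substr(part[i], 1, eq - 1)
                val = substr(part[i], eq + 1)
                if (key != "acct" && key != "q") continue
                gsub(/%40/, "@", val)         # undo URL encoding of "@"
                sub(/^@/, "", val)
                at = index(val, "@")
                domain = at ? substr(val, at + 1) : ""
                lpart  = at ? substr(val, 1, at - 1) : val
                if (domain == dom || length(lpart) > maxlen) {
                    print "token-lookup\t" $0; next
                }
            }
        }
    }' "$1"
}

# write_sample_log FILE: constructed sample traffic (example addresses and
# hostnames), used so the script can be exercised without a real log.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [20/May/2023:20:53:10 +0000] "GET /media/b2977f2d97f598d2ebd6dcf37afd9047b5da2b6dc95a7b2824fb111c906fb117.js HTTP/1.1" 200 4213 "https://instance.example/" "Mozilla/5.0"
203.0.113.7 - - [20/May/2023:20:53:11 +0000] "GET /api/v1/accounts/lookup?acct=deadbeef0123456789abcdef%40fedirelay.xyz HTTP/1.1" 404 51 "https://instance.example/" "Mozilla/5.0"
198.51.100.2 - - [20/May/2023:20:54:00 +0000] "GET /api/v1/accounts/lookup?acct=alice%40example.org HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.2 - - [20/May/2023:20:54:01 +0000] "GET /media/cat.png HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
198.51.100.9 - - [20/May/2023:20:55:00 +0000] "GET /api/v1/accounts/search?q=bob&limit=5 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.9 - - [20/May/2023:20:55:02 +0000] "GET /api/v1/accounts/search?q=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef HTTP/1.1" 404 51 "-" "Mozilla/5.0"
EOF
}

# Demo against the constructed log: scan_access_log /var/log/nginx/access.log fedirelay.xyz
# is the real-world call; the paths are placeholders.
```

Read the hits together: the client address that fetched the .js and then issued the long lookup a second later is the victim whose token left the instance, so those users are the ones whose tokens need revoking.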
LS (lain@lain.com)'s status on Friday, 26-May-2023 15:33:14 JST LS @graf that's a crazy attack, can you tell me more about how that mostr relay plays into this? I know that you can upload pretty much any file, but how did the attacker get it to execute in the context of the website? -
(mint@ryona.agency)'s status on Friday, 26-May-2023 15:38:08 JST @lain @graf Looks like there was a bit of social engineering involved. My first guess was, since poast runs Soapbox as default frontend and serves Pleroma-FE separately, the subdomain FE is on (pl.poa.st) might have not applied CSP rules, essentially giving all control over the local storage to the opened HTML with embedded JS. But that falls flat in his setup, since media is hosted on a separate domain (poastcdn.org) which should have those rules applied regardless.
(attachment: Screenshot_20230526_093439.png) -
LS (lain@lain.com)'s status on Friday, 26-May-2023 15:38:09 JST LS @mint @graf i still don't understand how the script gets executed. where is it being embedded in script tag? -
Ako Suminoe :njp: (realakosuminoe@poa.st)'s status on Friday, 26-May-2023 16:07:18 JST Ako Suminoe :njp: @graf @BiggusDiccus @Boomerman