
Kiwi Farms has been breached; assume passwords and emails have already been leaked


Harassment site is down for now after a hacker gains access to an admin account.


The head of Kiwi Farms, the web forum most widely known for organizing harassment campaigns against trans and non-binary people, said the website experienced a breach that allowed hackers to gain access to his administrator account and perhaps the accounts of most other users.

On the website, creator Joshua Moon wrote:

The forum was hacked. You need to assume the following.

  • Assume your password for the Kiwi Farms has been stolen.
  • Assume your email has been leaked.
  • Assume any IP you’ve used with your Kiwi Farms account within the last month has been leaked.

Moon said that the unknown individual or individuals behind the hack gained access to his admin account with a technique known as session hijacking, in which an attacker obtains the authentication cookies a site sets after an account holder enters valid credentials and completes any two-factor authentication requirements. The session hijacking was made possible by uploading malicious content to XenForo, the forum software Kiwi Farms uses to power its user forums.

A bad actor could upload a webpage disguised as an audio file to XenForo, Moon wrote. Elsewhere, he could load this webpage (probably as an inline frame), causing random users to make automated requests and send their authentication cookies off-site, so the attacker could use it to gain access to their account. My admin account was compromised through this mechanism.

The attacker then used the access to Moon's admin account to issue a command for XenForo to send the email address, username, last activity, and other information on each user. Moon said system logs indicated the command failed before any data was sent, but he couldn't rule out the chance that the attacker ran other commands or scripts that could have succeeded.

The file uploaded to XenForo ended in .opus, an extension that's used by certain audio formats. It had been uploaded to XenForo directly and injected through a custom Rust-based chat program Moon wrote to make Kiwi Farms chats connect to sessions from XenForo.

The script caused targets to load /test-chat, which was a chat app Moon used for the website. Targets also loaded /help/, XenForo’s help documentation; /avatar/avatar, to change avatars to the logo of another site; and admin.php?tools/phpinfo, in case the target was an admin.

Although the command to download all users' data didn't appear to succeed, the attacker could load the file, probably as an iframe, which caused certain users to send the attacker their Kiwi Farms authentication cookies. This is what caused Moon's admin account to be compromised.
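One defensive check for the upload path described above, as an added Python example that is not Kiwi Farms' or XenForo's code: it confirms that a file named .opus actually carries Ogg/Opus headers, flags uploads whose bytes would sniff as HTML, and returns the response headers that stop a stored upload from running as a same-origin page. The sample bytes are constructed and the function names are assumptions.

```python
import re
from typing import Dict, Tuple

# Constructed sample inputs (not files from the incident).
SAMPLE_OPUS = (b"OggS" + b"\x00\x02" + b"\x00" * 20 + b"\x01\x13"
               + b"OpusHead" + b"\x01\x02\x38\x01\x80\xbb\x00\x00\x00\x00\x00")
SAMPLE_FAKE_OPUS = b"<!DOCTYPE html><html><body><script>/* page */</script></body></html>"

# Markup that makes a browser treat a response as a document, whatever the extension says.
HTML_MARKERS = re.compile(rb"<(!doctype|html|head|body|script|iframe|svg|meta)\b", re.I)


def looks_like_html(data: bytes) -> bool:
    """Cheap approximation of browser content sniffing on the first KB of the upload."""
    return HTML_MARKERS.search(data[:1024].lstrip()) is not None


def is_ogg_opus(data: bytes) -> bool:
    """Ogg capture pattern at offset 0 plus the OpusHead identification header in page one."""
    return data[:4] == b"OggS" and b"OpusHead" in data[:64]


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when extension and bytes agree; reject anything that sniffs as HTML."""
    if looks_like_html(data):
        return False, "content is a web page, not media"
    if filename.lower().endswith(".opus"):
        if is_ogg_opus(data):
            return True, "audio/ogg"
        return False, "extension/content mismatch"
    return False, "extension not allowed"


def upload_response_headers(content_type: str) -> Dict[str, str]:
    """Headers that keep a stored upload from executing as a same-origin document."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",   # browser must not re-sniff to text/html
        "Content-Disposition": "attachment",   # never rendered inline or in a frame
        "Content-Security-Policy": "sandbox",  # if rendered anyway: no script, opaque origin
    }
```

Serving uploads from a separate origin (and marking session cookies HttpOnly and SameSite) closes the same class of issue from the cookie side.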

The compromise came after content delivery network Cloudflare recently stopped serving Kiwi Farms following weeks of stiff rebuke from critics who said Cloudflare was enabling mass harassment and doxxing activities targeting trans and non-binary individuals. Cloudflare had provided protection from the distributed denial-of-service attacks that have targeted Kiwi Farms for a long time. Cloudflare had been the last top-tier provider still serving the website. Once it severed ties, Kiwi Farms was forced to fall back on significantly less capable services.

In fairness to Joshua (the Admin), he seems to know technically what he's doing based on his comments in Telegram chat, independent researcher Kevin Beaumont (@GossiTheDog) wrote on Twitter on September 18, 2022, in a thread documenting the breach. Unfortunately for him all of the companies he's dealing with and the users... don't.

Crocodile tears

Kiwi Farms launched in its current form in 2013 and quickly became a hub for online harassment campaigns. At least three suicides have been tied to harassment stemming from the Kiwi Farms community. Forum participants often openly admit their goal is to drive their targets to take their own lives. Trans and non-binary people, members of the LGBTQ community, and women are frequent targets.

Moon didn't respond to an email seeking comment and additional information about the breach. On Sunday, he attempted to cast himself as the victim, with no hint of irony, as he described the work that would be required to get the site running again.

XenForo removed us from their license last year and their software is no longer sufficient for our needs, he wrote. We needed something custom, but my confidence in my own work has been shot. The sophistication in this attack is quite high, and shows an intimate knowledge of both Rust and XenForo. It is unfortunate they have applied themselves to this end, likely for pay. There are so many more people trying to destroy than create.
