Kiwi Farms has been breached; assume passwords and emails have been leaked

The top of Kiwi Farms, the Web discussion board greatest identified for organizing harassment campaigns towards trans and non-binary folks, stated the location skilled a breach that allowed hackers to entry his administrator account and probably the accounts of all different customers.

On the location, creator Joshua Moon wrote:

The discussion board was hacked. You need to assume the next.

• Assume your password for the Kiwi Farms has been stolen.
• Assume your e mail has been leaked.
• Assume any IP you have used in your Kiwi Farms account within the final month has been leaked.

Moon stated that the unknown particular person or people behind the hack gained entry to his admin account by utilizing a way generally known as session hijacking, during which an attacker obtains the authentication cookies a web site units after an account holder enters legitimate credentials and efficiently completes any two-factor authentication necessities. The session hijacking was made attainable after importing malicious content material to XenForo, a web site Kiwi Farms makes use of to energy its person boards.

“A foul actor was in a position to add a webpage disguised as an audio file to XenForo,” Moon wrote. “Elsewhere, he was in a position to load this webpage (in all probability as an inline body), inflicting random customers to make automated requests and ship their authentication cookies off-site, in order that the attacker may use it to achieve entry to their account. My admin account was compromised by this mechanism.”

The attacker then used the entry to Moon’s admin account to problem a command for XenForo to ship the e-mail handle, username, final exercise, and different particulars of every person. Moon stated techniques logs indicated the command failed earlier than any information was despatched however that he couldn’t rule out the likelihood that the attacker ran different instructions or scripts which will have succeeded.

The file uploaded to XenForo ends in .opus, an extension that’s utilized by sure audio codecs. It was uploaded to XenForo instantly and injected by a customized Rust-based chat program Moon wrote to make Kiwi Farms chats work together with classes from XenForo.

The script brought on targets to load /test-chat, which was a chat app Moon used for the location. Targets additionally loaded /assist/, XenForo’s assist documentation, /avatar/avatar, to alter avatars to the brand of one other web site, and admin.php?instruments/phpinfo, within the occasion the goal was an admin.

Whereas the command to obtain all customers’ information didn’t seem to succeed, the attacker was in a position to load the file, almost certainly as an iframe, that brought on sure customers to ship the attacker their Kiwi Farms authentication cookies. That is what brought on Moon’s admin account to change into compromised.

The compromise got here after content material supply community Cloudflare final week stopped serving Kiwi Farms after weeks of stiff rebuke from critics who stated Cloudflare was enabling mass harassment and doxxing actions that have been concentrating on trans and nonbinary people. Cloudflare offered safety from distributed denial-of-service assaults which have focused Kiwi Farms for years. Cloudflare had been the final top-tier supplier to proceed serving the location. As soon as it severed ties, Kiwi Farms was pressured to fall again on a lot much less succesful companies.

“In equity to Joshua (the Admin), he seems to know technically what he’s doing based mostly on his feedback in Telegram chat,” unbiased researcher Kevin Beaumont wrote on Twitter in a thread documenting the breach. “Sadly for him all the businesses he’s working with and the customers… Don’t.”

Crocodile tears

Kiwi Farms launched in its present kind in 2013 and shortly grew to become a hub for on-line harassment campaigns. At the very least three suicides have been tied to harassment stemming from the Kiwi Farms neighborhood. Discussion board contributors usually overtly admit their purpose is to drive their targets to take their very own lives. Trans and non-binary folks, members of the LGBTQ neighborhood, and girls are frequent targets.

Moon didn’t reply to an e mail looking for remark and extra particulars in regards to the breach. On Sunday, he tried to solid himself because the sufferer with no indication of irony as he defined the work that may be required to get the location working once more.

“XenForo eliminated us from their license a 12 months in the past and their software program is not enough for our wants,” he wrote. “We would have liked one thing customized, however my confidence in my work has been shot. The sophistication on this assault could be very excessive, and exhibits an intimate familiarity with each Rust and XenForo. It’s unlucky that they’ve utilized themselves to this finish, doubtless for pay. There are such a lot of extra folks making an attempt to destroy than create.”