4chan Intrusion Postmortem (4chan.org)
74 points by killwhitey on April 30, 2014 | hide | past | favorite | 40 comments

I find myself wondering who in their right mind pokes 4chan with a stick. It is not an angry mob I would care to have ambling in my general direction.

I think that the userbase is rather fickle and it depends on who you piss off. Each board has its own culture so, for example, if you piss off /b/ then you might get an angry mob that gives you grief but I doubt that would happen if you pissed off /g/ or /tg/.

In this case the user who gained access to the database was seen as doing it for a reasonably "noble" reason, relatively speaking (to find information about another user whom some disliked), so from what I can see there hasn't been much backlash against him even though his full name was posted in a few places. It was kind of a self-hack.

The way I heard it originally the dude broke in while trying to stalk his ex-gf, which is consistent with the report.

Please don't misconstrue the person's intentions as noble, or even put that word in the same paragraph as 4chan. It was misogynistic, sexist harassment.

I did say "relatively speaking." I wasn't making a judgment as to whether it was moral or immoral, just that 4chan as a whole mostly saw it as reasonable, which is why most of them found the intrusion humorous instead of an affront.

This is in stark contrast to when UG Nazi hacked 4chan a while ago by hijacking Cloudflare's CEO's Gmail and pointing 4chan.org's A record at their own server.

Moot mentions refunds for targeted users. I was unaware 4chan offered something purchasable. Anybody know what he's referring to?

4chan Passes; they allow you to post without entering a CAPTCHA, and to avoid IP block bans. Otherwise the experience is identical.

4chan Pass, which enables you to bypass the annoying CAPTCHA (and is a kind of CAPTCHA in itself, since a computer can't own a credit card); much like Reddit Gold

Is a credit card like a CAPTCHA? A computer may not be able to own a credit card, but it can use a card owned by someone else.

Most of the spam on 4chan isn't that serious to be worth using fraudulent cards.

Yeah, 4chan Pass is the main reason I don't use this website. Really clunky.

Wow, now that is a response. Full disclosure of what happened and a nice payout to victims who weren't even harmed that much.

This makes an excellent testimonial for Stripe. Consider the ROI just realised.

4chan gets a lot of traffic and is well-known, so I think anything they use gets a boost in popularity :)

Eh, Stripe has way larger/more high profile customers than us, but yes we've been very happy with them.

While that is true I think you might have more impact than you realise :)

Way to not give any details about the vulnerability...

chippy1337's comment is marked as dead, but here it is for posterity:

Rumor is it was an SQL Injection in the "days" parameter of the stats system. Details here -> http://pastebin.com/Fq96ndB6
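As an added illustration of the bug class named in that rumour, and not code from 4chan or from anyone in this thread: a constructed Python/sqlite3 "stats" query whose integer `days` parameter is formatted straight into the SQL, a UNION payload that turns it into a dump of a made-up `moderators` table, and the range-checked, parameterised form that refuses the same input. The table names, rows, timestamp, payload and the stored-credential placeholders are all assumptions for the demo.

```python
import sqlite3

# Constructed fixed "now" (2014-04-30 00:00:00 UTC as epoch seconds) so the
# demo is deterministic; not taken from the incident.
NOW = 1398816000

# Hypothetical attacker input for the "days" parameter. The leading 0 keeps
# the original WHERE clause syntactically valid, the UNION appends a second
# result set, and the trailing comment swallows the rest of the statement.
PAYLOAD = "0 UNION SELECT name, password FROM moderators --"


def make_db():
    """Build an in-memory database with invented sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, ts INTEGER, ip TEXT)")
    conn.execute("CREATE TABLE moderators (name TEXT, password TEXT)")
    # Seven posts, one per day, counting back from NOW.
    posts = [(i + 1, NOW - i * 86400, "10.0.0.%d" % (i + 1)) for i in range(7)]
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", posts)
    # Placeholder strings stand in for whatever credential form the real
    # system stores; they are not real hashes.
    conn.executemany(
        "INSERT INTO moderators VALUES (?, ?)",
        [("janitor_a", "placeholder-hash-1"), ("mod_b", "placeholder-hash-2")],
    )
    conn.commit()
    return conn


def recent_posts_vulnerable(conn, days, now=NOW):
    """Deliberately vulnerable: untrusted `days` is spliced into the SQL text."""
    sql = "SELECT id, ip FROM posts WHERE ts >= %d - %s * 86400" % (now, days)
    return conn.execute(sql).fetchall()


def recent_posts_safe(conn, days, now=NOW):
    """Hardened: coerce to int, range-check, then bind as a parameter."""
    try:
        days = int(days)
    except (TypeError, ValueError):
        raise ValueError("days must be an integer")
    if not 0 <= days <= 365:
        raise ValueError("days out of range")
    # Bound parameters are passed to the engine as values, never parsed as SQL.
    sql = "SELECT id, ip FROM posts WHERE ts >= ? - ? * 86400"
    return conn.execute(sql, (now, days)).fetchall()


def demo():
    """Run both versions against honest and hostile input; return a summary."""
    conn = make_db()
    result = {
        "honest_vuln": len(recent_posts_vulnerable(conn, "3")),
        "honest_safe": len(recent_posts_safe(conn, "3")),
        "leaked_rows": recent_posts_vulnerable(conn, PAYLOAD),
    }
    try:
        recent_posts_safe(conn, PAYLOAD)
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With `days="3"` both versions return the same four rows; with the payload the vulnerable version returns the post rows plus one row per moderator, which is exactly the "extract information from the database" outcome the statement describes, while the safe version raises before any SQL runs. The int() coercion alone would already defeat this payload; the parameter binding is what protects the query when the value is legitimately a string.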

Ah, chippy1337. Haven't seen that name in a while.

Is "he" the original?

This article's pretty much useless.

Can't read it here, could someone post the text?

Concerning a recent intrusion

Last week we were made aware of a software vulnerability that allowed an intruder access to administrative functions and information from one of our databases. The intruder later stated their motive was to expose the posting habits of a specific user they disliked.

After careful review, we believe the intrusion was limited to imageboard moderation panels, our reports queue, and some tables in our backend database. Due to the way the intruder extracted information from the database, we have detailed logs of what was accessed. The logs indicate that primarily moderator account names and credentials were targeted.

Three 4chan Pass users had their Pass credentials accessed, and were notified and offered refunds and lifetime Passes shortly after the discovery. As a reminder, all payment information is processed securely by Stripe—we never see nor store any of it, and thus no payment information was compromised.

We patched the vulnerability quickly after it came to our attention, and have spent—and will continue to spend—dozens of hours poring over our software and systems to help mitigate and prevent future intrusions.

We’re sorry it happened, and will do our best to ensure it doesn’t happen again.


I suspect a lot of people will be unable to read it if they use HTTPS everywhere: the 4chan blog does not support https and the EFF is currently in a ruleset freeze so they cannot reflect that until the next stable version is out.

Tumblr only recently added SSL support, which is likely the reason Moot hasn't implemented it yet.

That said, I (unfortunately) doubt that HTTPS Everywhere is being utilized by that many people.

That's only for the dashboard. Blogs are still cleartext. It's possible to do SSL for *.tumblr.com domains but not (easily) for custom ones.

A lot of corporate firewalls block access to 4chan etc.

This is the first .newlongwordtld domain I've seen that isn't a spam site squatting on a popular domain equivalent. A new era has begun

Yeah, only because .is domains were being compromised and a new TLD was chosen as an easy alternative.

> .is domains were being compromised

Can you elaborate?

> Content Blocked (content_filter_denied)

> Content Category: "Proxy Avoidance"

Another day, another block at $employer. Curiously, web.archive.org is allowed.

Thanks for the link.

They should spend time to refactor their code, it's a mess: http://pastebin.com/a45dp3Q1

With that source it is much harder to do a security analysis, and it is easier to create side effects leading to security holes.

Per meowface's comment, this code is ~4 years old. It's in a much better place now, but there's still a lot of room for improvement.

The vulnerability wasn't in the main application. I'll write more about it on my personal blog in the coming days (http://chrishateswriting.com).

Have you ever thought about re-writing 4chan and making it open source? I think a large portion of the community would be willing to contribute.

IIRC they had open source code called Futallaby, but as time went on they closed the sources to protect their interests. Projects like it exist, such as Kusaba X.

That code was leaked in 2010 and is quite out of date. Since then they've updated their codebase quite a bit.

