Kiwi Farms has been breached; assume passwords and emails have been leaked

The administrator account of the head of Kiwi Farms, the internet forum best known for organizing harassment campaigns against trans and non-binary people, was hacked.

Kiwi Farms creator Joshua Moon wrote on the site:

The forum was hacked. You should assume the following.

  • Assume your password for the Kiwi Farms has been stolen.
  • Assume your email has been leaked.
  • Assume any IP you've used on your Kiwi Farms account in the last month has been leaked.

Moon said that the unknown individual or individuals behind the hack gained access to his admin account using a technique known as session hijacking, in which an attacker obtains the authentication cookies a site sets after an account holder enters valid credentials. The hijacking was made possible by malicious content uploaded to XenForo, the forum software that runs the site.

A bad actor uploaded a website that looked like an audio file to the site. He was able to load this website and cause random users to make automated requests and send their cookies off-site so that he could gain access to their accounts. This mechanism was used to compromise my account.

The attacker used Moon's admin account to issue a command instructing XenForo to send the email address, username, and other details of every user. According to the system logs, the command failed before any data was sent, but Moon could not rule out the possibility that the attacker ran other commands.

The malicious file carried a .opus extension, which is used by some audio formats. It was uploaded to XenForo and then injected into a custom Rust chat program written by Moon.


The chat app, served at /test-chat, was used to load the payload in targets' browsers. The payload then made targets load /help/, XenForo's help documentation, and, if the target was an admin, the admin section.

Although the command to download all users' data did not work, the attacker was able to load the file and cause certain users to send their cookies to the attacker. That is how Moon's account was compromised.
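The incident turned on an HTML page that the forum accepted and served as if it were an .opus audio file. As an added defensive illustration (not code from Kiwi Farms, XenForo or Moon's chat program), the Python below checks that an upload's extension is backed by the matching container magic bytes and is not HTML, and builds response headers that stop a browser from rendering a stored upload as a page. The file names, byte samples and magic-byte table are constructed here.

```python
"""Reject uploads whose declared audio extension does not match their bytes."""
import re

# Magic bytes for the allow-listed containers (constructed table). Opus audio is
# carried in an Ogg container, whose pages begin with the capture pattern "OggS".
MAGIC = {
    ".opus": (b"OggS",),
    ".ogg": (b"OggS",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}
CONTENT_TYPES = {".opus": "audio/ogg", ".ogg": "audio/ogg", ".mp3": "audio/mpeg"}

# Leading tokens a browser would treat as HTML if it sniffed the body.
HTML_MARKERS = re.compile(rb"^\s*<(?:!doctype|html|script|body|head|svg|iframe)", re.I)


def extension_of(filename: str) -> str:
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Accept only allow-listed audio extensions whose
    leading bytes match the container's magic and do not look like HTML."""
    ext = extension_of(filename)
    if ext not in MAGIC:
        return False, f"extension {ext or '(none)'} not allowed"
    if HTML_MARKERS.match(data[:512]):
        return False, "body looks like HTML"
    if not data.startswith(MAGIC[ext]):
        return False, f"magic bytes do not match {ext}"
    return True, "ok"


def download_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored upload so it is downloaded, never rendered."""
    return {
        "Content-Type": CONTENT_TYPES.get(extension_of(filename), "application/octet-stream"),
        "X-Content-Type-Options": "nosniff",  # browser must trust Content-Type, not sniff
        "Content-Disposition": f'attachment; filename="{filename}"',
        "Content-Security-Policy": "sandbox",  # no script or same-origin access if rendered anyway
    }


# Constructed samples (not from the incident): a minimal Ogg page header with an
# OpusHead packet, and an HTML document renamed to .opus.
GENUINE_OPUS = b"OggS\x00\x02" + b"\x00" * 20 + b"\x01\x13OpusHead"
DISGUISED_HTML = b"<!DOCTYPE html><html><script>/* would run in the forum origin */</script></html>"

if __name__ == "__main__":
    print(validate_upload("song.opus", GENUINE_OPUS))     # (True, 'ok')
    print(validate_upload("song.opus", DISGUISED_HTML))   # (False, 'body looks like HTML')
```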

The compromise came after Cloudflare, the content delivery network that had protected the site, was rebuked for allowing mass harassment and doxxing activities targeting trans and non-binary individuals. Kiwi Farms has long been the target of distributed denial-of-service attacks. Cloudflare was the last top-tier provider to serve the site; after it severed ties, Kiwi Farms was forced to fall back on less capable services.

Kevin Beaumont wrote that the admin appears to know technically what he is doing, judging by his comments in Telegram chat, but that the companies he works with and the site's users do not:

In fairness to Joshua (the Admin), he appears to know technically what he’s doing based on his comments in Telegram chat.

Unfortunately for him, all the companies he’s working with and the users... don’t.