A Bored Hacker Easily Stole And Defaced More Than 70 Subreddits (vice.com) 74

An anonymous reader writes: A hacker, BVM, said he's "lost count" of the number of subreddits he's stolen and defaced, but estimates that the number is more than 70. Subreddits like r/pics, r/starwars, r/gameofthrones, and many others have been defaced just in the last few days. He claims Reddit's crummy security and lack of two-factor authentication are what has made his exploits possible. "Reddit's security is shit," he says. "If Reddit would simply add 2FA it would be a lot harder to get in." Why is BVM hacking these subreddits? "No reason really. Just boredom. It's not like it's really a challenge or anything so I just do it to pass time," the hacker told Motherboard in an online chat. BVM didn't comment on how exactly he is taking over subreddits. However, he did admit he's been hacking into moderators' accounts and then changing the CSS style of the pages, replacing it with a note taking responsibility. Reddit appears to be responding to these incidents quickly, restoring the subreddits.
  • If true, I'm guessing it's credential reuse, phishing, or possibly XSS/CSRF. The volume hints at XSS/CSRF, but the suggestion to implement 2FA says otherwise since it may not mitigate such vulnerabilities.
    • by shri ( 17709 )

      Assuming reddit updates their git repo, the changes over the next few days should make the vulnerability more obvious.

      • Assuming this is in fact their fault. If the hacker is taking an out-of-band approach such as reusing passwords from other leaks, there isn't really a discrete vulnerability in Reddit's codebase. The fact that such passwords could be used to access accounts could be described as a weakness in Reddit's security, but the actual vulnerability exploited lies in whatever system was originally compromised. Same thing with phishing--it's not really Reddit's fault if users can be tricked into disclosing credentials
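The comment above argues that reused passwords from other sites' leaks are a more likely vector than a bug in Reddit's own codebase. From a defender's side, that vector leaves a recognisable trace in the login logs: one source trying many distinct accounts in a short time, most attempts failing and a few succeeding. The script below is an added example, not code from Reddit or from anyone in this thread; the log line format, the thresholds, and the IP addresses and usernames are constructed assumptions.

```python
"""Flag the login-log signature of credential stuffing.

Added example; the log format (ISO timestamp, client IP, username,
outcome) and the detection thresholds are assumptions, and the sample
lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: one source hitting eight moderator accounts in
# seconds (two succeed), one user fumbling their own password, one normal login.
SAMPLE_LOG = """\
2016-05-10T20:01:02Z 203.0.113.7 mod_alice FAIL
2016-05-10T20:01:03Z 203.0.113.7 mod_bob FAIL
2016-05-10T20:01:04Z 203.0.113.7 mod_carol FAIL
2016-05-10T20:01:05Z 203.0.113.7 mod_dave OK
2016-05-10T20:01:06Z 203.0.113.7 mod_erin FAIL
2016-05-10T20:01:07Z 203.0.113.7 mod_frank FAIL
2016-05-10T20:01:08Z 203.0.113.7 mod_grace OK
2016-05-10T20:01:09Z 203.0.113.7 mod_heidi FAIL
2016-05-10T20:05:00Z 198.51.100.4 mod_alice FAIL
2016-05-10T20:05:10Z 198.51.100.4 mod_alice FAIL
2016-05-10T20:05:30Z 198.51.100.4 mod_alice OK
2016-05-10T21:00:00Z 192.0.2.9 mod_bob OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Return a list of (timestamp, ip, user, success) tuples; malformed
    lines are skipped rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, outcome = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, outcome == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_success_ratio=0.5):
    """Return {ip: summary} for each source IP that, within any `window`,
    attempted at least `min_accounts` distinct accounts with a success
    ratio at or below `max_success_ratio`.

    A single user retrying their own password (one account, several
    failures) does not trigger this, which keeps the rule focused on the
    many-accounts-from-one-source pattern rather than on ordinary typos.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        # Slide a time window over this IP's attempts and keep the span
        # that covers the most distinct accounts.
        best, start = [], 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            if len({u for _, u, _ in span}) > len({u for _, u, _ in best}):
                best = span
        users = {u for _, u, _ in best}
        if len(users) < min_accounts:
            continue
        successes = [u for _, u, ok in best if ok]
        if len(successes) / len(best) <= max_success_ratio:
            flagged[ip] = {
                "accounts_tried": len(users),
                "attempts": len(best),
                # Accounts that accepted a password during the burst are the
                # ones to reset and review first.
                "compromised": sorted(successes),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['accounts_tried']} accounts in {info['attempts']} "
              f"attempts; successful logins: {', '.join(info['compromised'])}")
```

The successful logins inside a flagged burst are the accounts worth forcing a password reset on and reviewing for changes such as subreddit CSS edits; a second factor on those accounts is what would have turned the two successes in the sample into failures.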
  • by Anonymous Coward

    so now everything is because of lack of two factor auth? fuck off

  • by Gojira Shipi-Taro ( 465802 ) on Tuesday May 10, 2016 @09:04PM (#52088289) Homepage

    And ban him from access to anything more advanced than a leaded pencil. Vandalism is vandalism. You're bored? go help the needy or something.

    • by goten ( 36521 )
      Or, ya know, stop having shitty security on a website? Oh and how about users don't reuse passwords? While I agree with you in spirit, there's the other side of the coin where harmless situations do more good than bad. BVM isn't stealing identities, nobody is going to jail, it's just a visual change to bring attention to a poor practice. How about we cater our response to damage done and not burn the whole world down.
      • Or, ya know, informing Reddit about their shitty security via one of the many messaging or social media platforms instead of being a dick and causing unnecessary work for someone.

      • by tom229 ( 1640685 )
        The torch and pitchfork parent is modded 4. The reasonable and level headed post you made is at 1. Seems about right for today's slashdot.

        You store your data on this website people. You store at least a small part of yourself - and for many it's a critical part of their identity (think pro gamers, or anyone that makes their living online). If your bank was potentially keeping your personal information in a box behind an unlocked door, accessible to the public, wouldn't you be upset? While he might not be
  • by Anonymous Coward

    Hire the bloke..

  • I hit the reddit/funny daily, I also use imagezoom, so that when my mouse hovers over a thumbnail I get the whole pic. Yesterday about a third of the images did not zoom, Today it was 100%. Sucks to read reddit when I have to click on each link

    / hoverzoom also doesn't work
  • Bored my ass (Score:3, Interesting)

    by Anonymous Coward on Tuesday May 10, 2016 @09:26PM (#52088397)

    Reddit's pathetic politically correct SJW policy of censorship and shadowbanning is driving more and more to fight back and deface what they can in the name of freedom of speech. Proving their security is also shit is just icing on the cake.

    • Re:Bored my ass (Score:4, Informative)

      by Mashiki ( 184564 ) <mashiki.gmail@com> on Wednesday May 11, 2016 @12:27AM (#52089059) Homepage

      Wouldn't surprise me. /r/subredditcancer [reddit.com] has been doing a pretty good job of tracking that over the last year and change.

    • Re: (Score:3, Interesting)

      by Maritz ( 1829006 )

      Reddit's pathetic politically correct SJW policy of censorship and shadowbanning is driving more and more to fight back and deface what they can in the name of freedom of speech. Proving their security is also shit is just icing on the cake.

      The guy said he did it because he was bored.

      Great point though.

    • Re:Bored my ass (Score:5, Insightful)

      by hey! ( 33014 ) on Wednesday May 11, 2016 @08:08AM (#52090217) Homepage Journal

      Reddit's pathetic politically correct SJW policy of censorship and shadowbanning is driving more and more to fight back and deface what they can in the name of freedom of speech.

      Which is plain juvenile. The correct (and more effective) strategy is to take your eyeballs elsewhere. Engaging a site that you disagree with actually helps the site.

      Social media is essentially porn. The people who use it the most aren't out to engage other people, they're looking for a quick and easy hit of stimulation; the only difference is that it's outrage, not horniness that gets titillated. Do I have to spell this out? You act out your outrage and get paid in attention; some of that attention reacts with outrage and in turn gets attention, including from you. So you react, and the cycle goes on, the outrage market makers milk homeopathic quantities of revenue from each act of outrage. And integrated over the sheer volume out there, those fractions of penny per flame post add up to real money.

      It literally doesn't matter what you believe, as long as you believe it as obnoxiously as possible. You are, to social media companies, nothing but an outrage milk-cow.

      Porn is actually better for you than social media, and better for society as a whole because horniness is a less harmful drive to titillate than outrage.

  • by Anonymous Coward

    It's really kind of pointless. I had no life at the time and nothing better to do than spend hours/days trying to infiltrate various websites. I was often successful. Once you get in you get a bit of an ego boost, poke through some data you weren't supposed to be seeing, then that's pretty much it. Most of the content was private/personal, and boring to me. I felt kind of bad sometimes. Then I got a real job and a life. All that said, I'm still shocked at how bad security is these days.

  • by Martin S. ( 98249 ) on Wednesday May 11, 2016 @02:51AM (#52089391) Journal

    Losers like this should not be given this sort of oxygen of publicity to feed their fragile egos.

  • by GrumpySteen ( 1250194 ) on Wednesday May 11, 2016 @07:40AM (#52090063)

    They're going to steal my imaginary internet points!

    Seriously... who gives a shit about Reddit's security? It's a public bulletin board filled with porn, PM_Me_Your_ accounts, cat memes and throwaway accounts trolling any subreddit that actually tries to have a serious discussion. Adding two factor authorization to that is like putting a combination lock on your garbage can.

  • I have no idea how this website became so popular. The original interface was horrible and completely unintuitive. Years later it's one of the most popular websites on the internet and it's only slightly better. Their servers go down constantly - unable to handle even slight spikes in traffic. And their simplistic mod system has ruined the community by rewarding a lowest common denominator hive-mind.

    In my mind, reddit is proof that there's no policy or formula to follow to have a successful website. Secu
    • I have no idea how this website became so popular. The original interface was horrible and completely unintuitive.

      My guess is that it's unintuitive to us, who have a modicum of technical capability and understanding. I remember trying to find a setting on Facebook years ago and I couldn't find it. I stopped and tried to think of where an idiot would expect it and there it was! My guess is reddit's interface is designed for idiots.

      Disclaimer: I haven't loaded reddit in probably 10 years. I don't plan to now.
