cybersecurity

4368 readers
33 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 2 years ago

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.


The notorious imageboard 4chan is down following what appears to be a major hack of its backend. The hackers claim to have exposed code for the site, the emails of moderators, and a list of mod communications. This happened, it seems, as part of a five year long, inter-image board beef between users of 4chan and Soyjak, another image board that splintered off of 4chan.

It’s still unclear what the fallout of the hack will be, but the notorious image board remains down and a huge amount of data appears to have been leaked.

Users struggled to load 4chan on the evening of April 14, 2025, according to posts on other imageboards and forums. A few hours before that, the banned board /qa/ reappeared on the site and someone using the hiroyuki account, named after 4chan’s owner Hiroyuki Nishimura, posted “FUCKING LMAO” and “U GOT HACKED XD.”

The hiroyuki account was flagged in bold red as an admin, suggesting the person posting the messages had control over a real admin account. /qa/ was a “questions and answer” imageboard on 4chan. Pitched as a place to discuss concerns that affected the whole of 4chan, /qa/ was in practice a board where various factions fought.

Soyjak is a popular meme you’ve probably seen before. It’s a balding man with glasses and shaggy beard, his mouth agape in docile joy. He is now the name of a rival imageboard.

At about the same time 4chan struggled to load, someone on the soyjak.st posted a thread that claimed to explain what happened. “Tonight has been a very special night for many of us at the soyjak party,” the thread said. “Today, April 14, 2025, a hacker who has been in 4cuck’s system for over a year, executed the true operation soyclipse, reopening /qa/, exposing personal information of various 4cuck staff, and leaking code from the site.”

The thread shared images of the resurrected and defaced /qa/ board as well as what appear to be screenshots from 4chan’s internal moderation tools. The screenshots included discussion about why users had been banned from 4chan, pieces of its backend database as seen in phpMyAdmin (the web-based database administration tool behind 4chan and many other forums and imageboards), and traffic stats for specific boards.

Elsewhere on the internet, someone leaked an alleged list of moderator email addresses and a portion of what they described as the “source code” for the site. 404 Media reached out to an email in the leaked list that appeared to be for Nishimura but did not hear back.

It appears that 4chan was susceptible to a hack because it was running very out of date code that contained various vulnerabilities, according to 404 Media’s look at the code and people sorting through the hack online.

So 4chan very likely got hacked because they were running on an extremely out of date version of PHP that has a lot of vulnerabilities and exploits and are using deprecated functions to interact with their MySQL database.

Web security 101: Keep your code and software up to date. pic.twitter.com/JFDOsbr5rt

— Yushe (@_yushe) April 15, 2025

That starts to answer the question of how this happened. But why did it happen? This all has roots in a five year old meme fight.

Soyjak.party, the site where a user began posting about the 4chan hack, was an offshoot of 4chan created as a joke about five years ago. Besides being a general cesspool,

4chan has long been a place that incubates memes. lolcats, the NavySeal copypasta, and Pepe the Frog grew and spread on 4chan’s imageboards. From time to time a meme is overplayed or spammed and mods on the site get tired of it.

Five years ago, users spammed the /qa/ board with soyjaks. Unable to quash the tide of soyfaced jpegs, 4chan shut down the entire /qa/ board. The soyjak-loving exiles of 4chan started a new site called soyjak.party where they could craft open-mouthed soyboy memes to their heart’s content. When 4chan was hacked on the night of April 14, the /qa/ board briefly returned. “/QA/ RETURNS SOYJAK.PARTY WON” read a banner image at the top of the board.

As of this writing, 4chan is still down. When you attempt to access a specific board, the connection times out. “The initial connection between Cloudflare's network and the origin web server timed out. As a result, the web page can not be displayed,” the error page says.


Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Off-Topic Friday (self.cybersecurity)
submitted 2 months ago by shellsharks to c/cybersecurity

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

Why does Stripe require OAuth tokens to pass through a third party server?

Can someone who understands OAuth better than me explain to me why Stripe REQUIRES that their OAuth Access Keys get shared with a third party?

I've tried RTFM, but my biggest hangup is that the OAuth docs appear to describe a very different situation than mine. They usually describe a user agent (web browser) as the client. And they talk about "your users" as if I have a bunch of users that I'm going to be fetching access keys for.

Nah, this is server <--> server. I have a server. Stripe has a server. I am one user. All I need is ONE API key for ONE account. But I'm forced to use OAuth. It doesn't seem appropriate, and it's especially concerning that the "flow" requires the (non-expiring!) Access Token to be shared with a third party server. Why?!?

I recently learned that Stripe has been pushing OAuth (branded as "Stripe Connect") to its integration apps as the "more secure" solution, compared to Restricted API Keys. In fact, we've found that most integrations we've encountered that use Stripe Connect are less secure than using Restricted API Keys because the (private!) tokens are shared with a third party!

I've been using Stripe to handle credit card payments on my e-commerce website for years. Recently, we updated our WordPress e-commerce website and all its plugins. And then we discovered that all credit card payments were broken because our Stripe Payment Gateway plugin stopped allowing use of Restricted API Keys. Instead they only support "Stripe Connect" (which, afaict, is a marketing term for OAuth). This change forced us to do a security audit to make sure that the new authentication method met our org's security requirements. What we found was shocking.

So far we've started auditing two WooCommerce plugins for Stripe, and both have admitted that the OAuth tokens are shared with their (the developer's) servers!

One of them is a "Stripe Verified Partner", and they told us that they're contractually obligated by Stripe to use only "Stripe Connect" (OAuth) -- they are not allowed to use good-'ol API Keys.

They also told us that Stripe REQUIRED them to include them in the OAuth flow, such that their servers are given our (very secret!) OAuth Access Keys!

The benefit of normal API Keys, of course, is that they're more secure than this OAuth setup for (at least) two reasons:

  1. I generate the API keys myself, and I can restrict the scope of the key's permissions

  2. I store the key myself on my own server. It's never transmitted to nor stored on any third party servers. Only my server and Stripe's servers ever see it.

Can someone shine a light onto this dark pattern? I understand that standardization is good. OAuth Refresh Keys add security (this service doesn't use them). But why-oh-why would you FORCE OAuth flows that share the (non-expiring) Access Tokens with a third party? And why would you claim that's more secure than good-ol API keys?

Does OAuth somehow not support server<-->server flows? Or is it a library issue?

What am I missing?


At the beginning of March 2025, the XSS forum user “plymouth” made a post in their stealer thread about the upcoming major update to the infostealer. Finally, on 30 March they posted the announcement and details of the StealC V2 release. According to the user, the development of the second version took half a year, and in its essence it is entirely new software.
