Researcher earned $2,000 for his discovery. Imgur's staff have closed a critical security issue that allowed attackers to use its service to send spam and even shut down some features of its service.
Ukrainian security researcher Eugene Farfel (aesteral) brought the issue to Imgur’s attention via the company’s bug bounty program hosted on the HackerOne bug bounty platform.
At its core, the problem is an SSRF (Server-Side Request Forgery) vulnerability which affected Imgur's Video to GIF service at imgur.com/vidgif.
This service takes a simple URL as user input. Imgur then parses this link to discover videos on the page and, using its proprietary technology, converts them into a GIF image.
Imgur did not blacklist certain link types from its Video to GIF service
Under the hood, Imgur sends out a cURL request using the libcurl library to retrieve the page's content. Farfel discovered that Imgur does not filter out various "dangerous" protocols when parsing this URL, so instead of issuing requests only over HTTP or HTTPS, Imgur would also send out requests for content over other protocols.
In his tests, the researcher discovered that he could initiate requests for protocols such as SSH, POP3, IMAP, SMTP, FTP, SFTP, TFTP, DICT, and GOPHER.
Farfel created a proof-of-concept Web server where he hosted a netcat server. Netcat is a networking utility for reading or writing network connections.
By telling Imgur to start a connection to his malicious server via SFTP, he was able to detect what kind of software Imgur’s servers were using.
This allowed him to find out what libcurl and libssh2 versions the server was running, information which could allow him to search for security vulnerabilities to which those versions are susceptible. He could later have mounted an attack on Imgur's infrastructure, possibly taking over servers if Imgur staff ever forgot to update their software.
Sneaky URL redirect opens SMTP sessions on Imgur’s server
Secondly, he discovered that while Imgur did some filtering on the user input URLs, he could bypass those filters by creating a redirect on his server.
He told Imgur to retrieve a URL from his site that would pass the input filters, but when Imgur's libcurl client retrieved the page's content, it would be redirected to another malicious URL that would have been blocked if fed directly to Imgur.
In his proof of concept, Farfel used a redirect to a malicious GOPHER link, which then started TELNET sessions. This allowed the researcher to access any TELNET-based protocol, such as SMTP, and to use Imgur's servers to send out emails on his behalf, something that spam campaign operators would have greatly appreciated.
Simple method of shutting down Imgur’s Video to GIF service
Additionally, the researcher discovered that by pointing Imgur's Video to GIF service at a special port on his firewall that blocked FTP requests, he could induce a DoS (Denial of Service) state.
This was possible due to an abnormally long timeout setting on Imgur's servers, which kept retrying FTP-based links for tens of seconds. If the attacker started a massive number of connections, he could have used up all available connection slots, effectively shutting down Imgur's Video to GIF service.
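The defensive pattern that closes all three findings above (the open protocol list, the redirect bypass of the URL filter, and the long timeout) is to allow only http/https, re-check that rule at every redirect hop rather than only on the submitted URL, and cap hops and per-request time. The following is an added, stand-alone Python illustration of that policy, not Imgur's fix or libcurl code; the `fetch` transport, the `example.test` URLs and the timeout value are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Only the schemes a video-to-GIF fetcher actually needs; every other protocol
# a full-featured HTTP library might speak (gopher, dict, sftp, ftp, tftp, ...) is refused.
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5
TIMEOUT_SECONDS = 5  # hypothetical short per-request timeout, not Imgur's setting

def url_is_allowed(url):
    """Return True only for absolute http(s) URLs that carry a host."""
    parts = urlsplit(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.hostname)

def fetch_with_checked_redirects(url, fetch):
    """Follow redirects by hand so the scheme rule is applied at every hop.

    `fetch(url, timeout)` is an injected transport returning (status, headers, body);
    a real one would be an HTTP client with automatic redirects switched off.
    Returns (final_url, body) or raises ValueError when a hop is refused.
    """
    for _ in range(MAX_REDIRECTS + 1):
        if not url_is_allowed(url):
            raise ValueError("refused URL: " + url)
        status, headers, body = fetch(url, TIMEOUT_SECONDS)
        if status not in (301, 302, 303, 307, 308):
            return url, body
        location = headers.get("Location")
        if location is None:
            raise ValueError("redirect without Location header")
        url = urljoin(url, location)  # relative Location is resolved against the current URL
    raise ValueError("too many redirects")

# Constructed, offline stand-in for the network: maps URL -> (status, headers, body).
FAKE_SERVER = {
    "http://example.test/video": (200, {}, b"<html>video page</html>"),
    "http://example.test/hop": (302, {"Location": "/video"}, b""),
    "http://example.test/bounce": (302, {"Location": "gopher://example.test/"}, b""),
}

def fake_fetch(url, timeout):
    return FAKE_SERVER.get(url, (404, {}, b""))

def try_fetch(url):
    """Wrapper that turns the outcome into a string so the policy is easy to inspect."""
    try:
        final_url, _ = fetch_with_checked_redirects(url, fake_fetch)
        return "ok:" + final_url
    except ValueError as exc:
        return "refused:" + str(exc)

if __name__ == "__main__":
    for u in ("http://example.test/hop", "http://example.test/bounce", "sftp://example.test/"):
        print(u, "->", try_fetch(u))
```

The `bounce` case is the redirect trick from the article: the submitted URL passes the filter, but the second hop is rejected because the rule is re-applied before the client ever speaks the redirected-to protocol.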
The researcher discovered the SSRF issue at the start of February, and Imgur's staff fixed it in less than a day; he only recently received permission from the company to publish his research.
Farfel's effort in researching and disclosing the issue earned him $2,000 (€1,800). The researcher previously worked with Mail.ru, to which he disclosed an XSS vulnerability last November.