The head of Kiwi Farms, the Internet forum best known for organizing harassment campaigns against trans and non-binary people, said the site experienced a breach that allowed hackers to access his administrator account and possibly the accounts of all other users.
On the site, creator Joshua Moon wrote:
The forum was hacked. You should assume the following.
- Assume your password for the Kiwi Farms has been stolen.
- Assume your email has been leaked.
- Assume any IP you’ve used on your Kiwi Farms account in the last month has been leaked.
Moon said that the unknown individual or individuals behind the hack gained access to his admin account by using a technique known as session hijacking, in which an attacker obtains the authentication cookies a site sets after an account holder enters valid credentials and successfully completes any two-factor authentication requirements. The session hijacking was made possible after uploading malicious content to XenForo, a site Kiwi Farms uses to power its user forums.
“A bad actor was able to upload a webpage disguised as an audio file to XenForo,” Moon wrote. “Elsewhere, he was able to load this webpage (probably as an inline frame), causing random users to make automated requests and send their authentication cookies off-site, so that the attacker could use it to gain access to their account. My admin account was compromised through this mechanism.”
The attacker then used the access to Moon’s admin account to issue a command for XenForo to send the email address, username, last activity, and other details of each user. Moon said systems logs indicated the command failed before any data was sent but that he couldn’t rule out the possibility that the attacker ran other commands or scripts that may have succeeded.
The file uploaded to XenForo ends in .opus, an extension that’s used by certain audio formats. It was uploaded to XenForo directly and injected by a custom Rust-based chat program Moon wrote to make Kiwi Farms chats interact with sessions from XenForo.
The script caused targets to load /test-chat, which was a chat app Moon used for the site. Targets also loaded /help/, XenForo’s help documentation, /avatar/avatar, to change avatars to the logo of another site, and admin.php?tools/phpinfo, in the event the target was an admin.
While the command to download all users’ data didn’t appear to succeed, the attacker was able to load the file, most likely as an iframe, that caused certain users to send the attacker their Kiwi Farms authentication cookies. This is what caused Moon’s admin account to become compromised.
The compromise came after content delivery network Cloudflare last week stopped serving Kiwi Farms after weeks of stiff rebuke from critics who said Cloudflare was enabling mass harassment and doxxing activities that were targeting trans and nonbinary individuals. Cloudflare provided protection from distributed denial-of-service attacks that have targeted Kiwi Farms for years. Cloudflare had been the last top-tier provider to continue serving the site. Once it severed ties, Kiwi Farms was forced to fall back on much less capable services.
“In fairness to Joshua (the Admin), he appears to know technically what he’s doing based on his comments in Telegram chat,” independent researcher Kevin Beaumont wrote on Twitter in a thread documenting the breach. “Unfortunately for him all the companies he’s working with and the users… Don’t.”
In fairness to Joshua (the Admin), he appears to know technically what he’s doing based on his comments in Telegram chat.
Unfortunately for him all the companies he’s working with and the users.. don’t.
— Kevin Beaumont (@GossiTheDog) September 18, 2022
Kiwi Farms launched in its current form in 2013 and quickly became a hub for online harassment campaigns. At least three suicides have been tied to harassment stemming from the Kiwi Farms community. Forum participants often openly admit their goal is to drive their targets to take their own lives. Trans and non-binary people, members of the LGBTQ community, and women are frequent targets.
Moon didn’t respond to an email seeking comment and additional details about the breach. On Sunday, he attempted to cast himself as the victim with no indication of irony as he explained the work that would be required to get the site running again.
“XenForo removed us from their license a year ago and their software is no longer sufficient for our needs,” he wrote. “We needed something custom, but my confidence in my work has been shot. The sophistication in this attack is very high, and shows an intimate familiarity with both Rust and XenForo. It is unfortunate that they have applied themselves to this end, likely for pay. There are so many more people trying to destroy than create.”