
Strange Imgur Embedding Behavior with Mediator

This discussion is related to the Mediator addon.

I had a really weird case happen to me about a month ago.
A post I wrote, about some action movie and with Imgur URLs included, somehow got changed.

What happened was that when I wrote the post, the embedder worked perfectly, and it showed the photos as it should do.

About a week later, I noticed that my post had got a lot of attention, and I visited it again, only to see that the embedded images had been replaced with semi-graphic nude gay porn. However, once clicked, the link was still valid, and it took the browser to the relevant photo gallery of the action movies.

We had absolutely no idea what had happened, so we either assumed that:
We had been hacked (we were not)
A fellow admin had played a trick on us (which had not happened)
Imgur was having weird problems
Imgur had an aggressive no embedding/hotlinking policy (it does not)
The album uploader had somehow figured out a way to mess around with viewers (not apparently so)
Mediator v0.2 had a problem

Now every time I post an Imgur link, it seems that this "gay album" has been deleted, and now it shows this on every Imgur URL:

I was using Mediator v0.2
The behavior disappeared once I updated to v0.2.8

I have just no idea what to make of it, and it's no biggie any more. But I wanted to write about it!

Comments

  • vrijvlinder Papillon-Sauvage MVP

    I have just no idea what to make of it, and it's no biggie any more. But I wanted to write about it!

    A person with access to your image hosting account or that of the source of your images can change the images to whatever they want by simply using the same name of the original image.

    A plugin such as this one cannot insert other links apart from the ones you put in. I would go around and change passwords and access for third parties to the hosting service.

    This kind of thing is common, with pranksters or someone who has a grudge and gained access to your hosting service account or the one belonging to the original source.

    unixhero
  • You're probably right

    Okay, the Imgur album in question wasn't mine, so I guess that explains it.

  • swook
    edited April 2013

    @unixhero
    Wait, I wouldn't worry about this. There's no 'hacking' or anything involved.

    I'm very sorry you had these problems, and I believe it is due to the way I was parsing links.

    https://github.com/swook/Mediator/commit/f3de8e74d409aef944df65e1d82280f83824da78 is the fix to the mentioned problem.

    What was happening was that the hash on the URL wasn't equivalent to the hash of the image. I noticed this happening by chance on my own forum, but since it affected links such as gallery links (or multiple image links), I considered the issue small and didn't advertise the fix.

    Sorry again for the disturbances!
    I will figure out a good way to embed galleries some time.

  • vrijvlinder Papillon-Sauvage MVP

    @swook

    Does this mean that the hash called porno images instead? How could it know specifically to get porno?

    It would make sense if it was image not found or removed, but to get other images and they be gay porn seems like someone did it intentionally, no?

  • @vrijvlinder,

    The reason, I'm guessing, is that the hash used for a gallery is not unique, and if an image is uploaded and the same hash assigned, this will update the hash to point at the image and not the gallery.

    So in this unfortunate case, the gallery hash was re-directed to a newly uploaded pornographic image.

    To explain better:

    A gallery can have the hash ABCDEF
    an image can also have the hash ABCDEF

    When the gallery was linked to, an image with hash ABCDEF was not uploaded.

    Some time later, someone uploaded an image, and a hash of ABCDEF was assigned. This image happened to be gay-porn.

    Mediator asked for an image of hash ABCDEF, and instead of returning the gallery's image, imgur gave the gay-porn image.

    It's just a case of bad luck, I wouldn't worry about it.

    vrijvlinderperegrine
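
One way to avoid requesting an image by a gallery's hash, as the comment above describes, is to classify the link by its host and path before embedding. This is an added example, not Mediator's code and not the linked commit; the Imgur URL shapes, the `.jpg` default and the function names are assumptions, and ABCDEF is the placeholder hash from the thread.

```javascript
// Added example, not Mediator's code. URL shapes are assumptions about
// Imgur's public link formats; all sample URLs are constructed.
const IMAGE_EXT = /^(?:jpe?g|png|gif)$/i;
const IMGUR_HOSTS = ['imgur.com', 'www.imgur.com', 'i.imgur.com'];
const COLLECTION_PREFIXES = ['a', 'gallery'];

// Classify a link by host and path, never by the bare ID alone: a gallery
// and an image can carry the same ID string (ABCDEF in the thread).
function classifyImgurUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { kind: 'invalid' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return { kind: 'invalid' };
  const host = url.hostname.toLowerCase();
  if (!IMGUR_HOSTS.includes(host)) return { kind: 'not-imgur' };
  const parts = url.pathname.split('/').filter(Boolean);

  // /a/<id> and /gallery/<id> name a collection, not a single image.
  if (host !== 'i.imgur.com' && parts.length === 2 && COLLECTION_PREFIXES.includes(parts[0])) {
    return /^[A-Za-z0-9]+$/.test(parts[1])
      ? { kind: 'gallery', id: parts[1] }
      : { kind: 'invalid' };
  }
  // <id> or <id>.<ext> as the only path segment names a single image.
  if (parts.length === 1) {
    const m = /^([A-Za-z0-9]+)(?:\.([A-Za-z0-9]+))?$/.exec(parts[0]);
    const extOk = m && (m[2] === undefined || IMAGE_EXT.test(m[2]));
    if (extOk && !COLLECTION_PREFIXES.includes(m[1])) {
      // Assumption: default to .jpg when the link has no extension.
      return { kind: 'image', id: m[1], ext: (m[2] || 'jpg').toLowerCase() };
    }
  }
  return { kind: 'unsupported' };
}

// Return an <img> src only for single-image links; galleries stay plain links.
function embedSrc(raw) {
  const c = classifyImgurUrl(raw);
  return c.kind === 'image' ? `https://i.imgur.com/${c.id}.${c.ext}` : null;
}
```

With this check, a gallery link and an image link that share the ID ABCDEF are handled differently: only the image link is turned into an embed.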
  • vrijvlinder Papillon-Sauvage MVP

    Interesting, and yes that would be unfortunate if one is not into gay porn lol

    I have heard of cases where people switch out images with ill intent, so to me that seemed like a real possibility.

  • unixhero
    edited April 2013

    Lol, well it was kind of hilarious :)
    It seems like the reason for it is really interesting...
