Firefox Bug Used to Harass Entire IRC Network

One of the few cross-protocol scripting attacks seen in the wild

By on 30 Jan 2010, 13:56 GMT
A group of self-declared Internet trolls, called the GNAA, has used an old but obscure attack method to wreak havoc on the Freenode IRC network. Users were forced to execute IRC commands after visiting maliciously crafted Web pages.

The vulnerability leveraged in this attack dates back to 2001 and affects the HTML form implementation in browsers. Exploiting it allows attackers to send data to unusual services on behalf of users rendering their malformed HTML code within their browsers.

When it was first disclosed, this cross-protocol scripting bug impacted a wide variety of services, including IMAP, SMTP, NNTP or POP3. In order to address it, Mozilla implemented a port blocking policy covering many services that shouldn't normally be accessed through HTML forms.

However, GNNA members have figured out that port 6667 corresponding to the Internet Relay Chat (IRC) protocol is not on the list and therefore, potentially vulnerable. After crafting a piece of malicious JavaScript that would cause visitors to establish a connection on Freenode, join the #freenode channel and spam it with a message, the attackers distributed it via hidden IFrames in websites and blogs.

A pseudo security advisory was posted on well-known satirical wiki, Encyclopedia Dramatica, the undisputed troll archive of the Internet. According to it, all versions of Firefox and SeaMonkey are vulnerable to this exploit, while Internet Explorer and Safari are not. Several IRC networks, in addition to Freenode, were attacked, including Efnet and OFTC (Open and Free Technology Community).

The attack affected regular users and senior staffers alike. Users were forced to launch CTCP floods and ended up automatically banned from servers due to repeated reconnection. Opers (network operators) were tricked into visiting infected blogs, which forced them to k-line (ban) each other.

Freenode is a popular IRC network, housing the support channels for some of the biggest and most important open source projects, including Linux distributions. It is widely viewed as the free software community's IRC network, however the attackers describe it as a fraud created by its founder in order to embezzle funds from user donations.

On the 30th of January, 2010, Freenode servers began migrating to a new ircd (irc daemon) called ircd-seven. The new server software has been in development for quite a while and this recent attack might have helped speed-up the migration plans.

3 Comments

Rare cross-protocol scripting attacks cripple Freenode
   Rare cross-protocol scripting attacks cripple Freenode