For context, one of my favorite people on the fediverse who I don't understand at all is bot. She's active on http://seal.cafe currently (hosted by friend of the site & cat enjoyer @kroner), and is constantly getting into fights with lots of people about random issues; I enjoy these even without context because I'm a fan of incendiary rhetoric and bot is a world class shit talker who also seems to feel strongly about the things she chooses to argue about.
If you don't take my word for it, here's a snapshot of recent box posts
You might have seen that http://poa.st and http://bae.st, two popular instances in the free speech zone of the fediverse, got hacked recently. We had a small thread here that didn't get the attention it deserved, but there's a lot of rightoid seethe going on. Reminder that http://rdrama.cc is still the best instance that has all the marseys and has never been hacked; shout out @nekobit. If you remember the http://chudbuds.lol hack/leak, you'll know that private messages sent on the fediverse/ActivityPub are not end-to-end encrypted, so naturally lots of alt-tech wannabe e-celebs got their DMs leaked from this. For further context, graf is the admin/owner of http://poa.st who has recently feuded with Null and Crunklord420 over some dumb shit (watch MATI from 3 weeks ago if you want some context); he also defederated http://rdrama.cc over a meme nose emoji that he called doxing his admin (his admin runs a lolicon posting instance and also had a falling out with graf, so the image isn't doxing anymore, but http://rdrama.cc is still blocked because he's a bitch).
So here's the meat. Box has been posting about intercourse pests that use http://poa.st for well over a year at this point. As with many posts of someone claiming someone else on the internet is a sex pest, I was initially credulous, until this leak came out in which graf goes to bat for a guy who he says admitted to raping a minor to him directly. You could potentially get away with just staying silent on this issue, in my eyes, especially if you're wearing the mask of a free speech extremist alt-tech nerd, but graf is not that. He blocked http://rdrama.cc initially from sending any information to his instance, and later blocked both sent and received information from our instance to his. He blocked http://kiwifarms.cc under the pretense that http://kf.cc allowed cp on its servers, despite the fact that the 3rd party instance he claimed was the source of this cp had the policy set against it on the http://kf.cc server as it did on http://poa.st. Null sperging on the graf question about a month ago here.
Onion link for anyone who wants to explore more because kiwi farms is powered by a cat on one of those big wheels where they can run if they feel like it
I have done my journ*listic duty and asked bot about this revelation, the response was incredibly keyed
TLDR: Graf is homosexual (bad kind). Bot @ http://seal.cafe is vindicated. I am always right about fediverse tyrants being r-slur autists. Crunklord420 keeps being based and Terrypilled.
@Aevann, IDK if this is enough of a rightoid exposé to qualify for grant marseybux, but I love you
Someone remind me to pin award this in the morning so that people see this because I have to spend some marsey bux and also this is good drama. k thanks
Everyone involved in this is turbo online and should close their laptops and move to a monastery ASAP
@nekobit is fetch tho, keep up the terminal illness
i applied some apache mitigations but apparently there are other potential vulnerabilities.
I'm probably going to search for vulnerabilities with trial and error then report them to ensure nothing happens.
so how does the vuln work exactly? like user uploads poz.js to your server then real user runs poz.js client side and it posts their dms to http://fedirelay.xyz or is it serverside?
it's a little sophisticated, don't think anyone has figured out what exactly ran the script (seems like reports were vulnerable when opened on the admin panel but don't know if that was the one used to hack http://poa.st and http://bae.st)
what the hackers actually got was the user's token, once they got a token from an admin they could access the admin panel where all dms are easily visible (then made a simple script to scrape them)
the tokens were encoded and sent to http://fedirelay.xyz in a very very fancy way that i barely understand and couldn't hope to mansplain