Is Imgur Safe to Use?
We continue our series of investigations of popular resources for various vulnerabilities and technical holes. Last time, we analyzed the famous game Pokémon Go.
You can read the results of the study in the article Is Pokémon Go Safe to Play?
Today, we’ll consider a well-known service, Imgur.
Imgur is a free online service for uploading, storing, and sharing images. It allows you to keep an infinite number of photos forever, or until you decide to delete them. It has an extensive user base and supports popular image formats and comments. Among other things, Imgur allows you to crop images and change their size.
The small photo hosting site quickly grew to a million page views in just five months and received a prestigious award as the best startup of the year. Imgur now has more than 5.5 billion page views and is turning from a plain image host into a social network.
What are the reasons for Imgur’s success, and is it safe to use?
Previously, we’ve written about Dropbox privacy. Read the article Is Dropbox Private and Safe to Use? and keep your documents safe!
History of creation
Back in 2009, Reddit was probably the most viewed resource in the Western world. Ohio University student Alan Schaaf also used it. But it didn’t seem enough for him to exchange messages without photos and images. So he started programming a supplemental site.
Some time passed, and Alan’s project called “Imgur” was ready. The young man created a post on the forum, calling it “a gift to site users.” In the text of the post, he wrote the following: “I am tired of photo editors from the internet, which do not cause anything but disgust. You can upload a photo of any quality to my project (it won’t be compressed), crop it, rotate it, and edit it as you like. I give this tool to you. Use it for your will.” The next day, Alan went to the site to check his publication status and was amazed: he’d never received so many positive comments before.
In his project, Schaaf divided pictures into “photos” and “images.” He called pictures that were taken with a phone or camera “photos,” and “images” were any graphic drawings: pictures, GIFs, photo jabs, and screenshots. Thanks to this division, Imgur’s users could upload an image in any format and send a link to it to their friends.
Schaaf’s goal was to create a resource that was simple and easy to use. To do this, Alan tried to reduce the number of actions that the user needed to perform to send an image to a friend. And he did it: to upload an image, you just need to click on two or three buttons.
Type of content
Imgur specializes in jokes, photo collages, and any other types of images. There is also adult content — photos with sexual content.
Adult content is attractive. We’ve decided to analyze the most popular adult site — Pornhub and consider: is Pornhub safe to use or not?
Imgur has become a photo hosting service that has revolutionized the image industry on the internet. It allowed users to post images in high quality and soon overtook the famous Reddit in terms of the number of visitors.
The main “feature” of the resource is the originality of the images. If a user wants to get to the top, they must place an image that will attract other users’ attention or make them laugh. Only in this case, it is possible for a posted image to appear in the “Popular” section.
The acceptable image formats are APNG, GIF, JPG, JPEG, MOV, MP4, PDF, PNG, TIF, and TIFF. TIFF files are converted to PNG after uploading.
Here are its other advantages and disadvantages.
- Uploading photos does not require an account.
- Each user can upload an unlimited number of images at once.
- Photo albums can be created.
- Images can be uploaded from a URL and shared with other users by link.
- There is a gallery of popular photos.
- Large GIF images are supported.
- Uploading files like PSD is not supported.
- 20 MB is the largest size for non-animated files like JPG. PNG images larger than 5 MB are converted automatically to JPG, and non-animated images larger than 1 MB are reduced in size (but their quality does not change).
- A GIF must not exceed 200 MB, and a very large GIF is converted to GIFV to reduce its size. If you are making a GIF from an online video, the animation may be at most 15 seconds long, and the video may be at most 1 GB.
- You can upload no more than 50 images per hour from one account. This limit is tied to your IP address, so if you log in to your account from a different IP address after uploading 50 images, you can upload another 50 from the new location.
Is Imgur safe to use?
Everything would seem to be fine, and Imgur claims to be the most popular image hosting service thanks to its rich set of features. However, in 2016 independent researcher Eugene Farfel discovered a critical vulnerability in Imgur’s image hosting service. The problem was in the Video-to-GIF feature, which lets you quickly make a GIF from any video clip hosted on an external server.
The SSRF (Server-Side Request Forgery) vulnerability was found at imgur.com/vidgif.
The video feature works very simply: the user just needs to enter the URL of any video clip, and Imgur automatically parses the page, figuring out if there is a video on it, and then allows you to cut a GIF from the found content.
The researcher found that the hosting service fetched content from the given page with URL requests made through the libcurl library. However, when parsing URLs, Imgur did not restrict itself to the HTTP and HTTPS protocols: it accepted links using the other protocols libcurl supports as well.
In theory, the researcher could then have mounted a full-fledged attack on the hosting infrastructure, especially if Imgur administrators had neglected to update their software.
Farfel also noticed that Imgur did apply URL filters and did not accept every link a user submitted. However, these filters were not hard to circumvent: the researcher only had to set up a redirect on his own server and feed that address to the Video-to-GIF service. The target URL, which should never have been accepted, was then fetched successfully.
In his proof of concept, the researcher used a crafted GOPHER link to open a TELNET-style session. This tactic made it possible to speak other protocols, including SMTP. In other words, Imgur’s servers could have been used for sending spam.
In addition, Farfel discovered that Imgur’s servers had an unnecessarily long timeout while trying to establish a connection for an FTP link. This could be used for a DDoS attack: by feeding the Video-to-GIF service enough FTP links pointing at closed ports, it was possible to occupy all available connection slots with useless waiting, which would bring the service down.
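The three weaknesses described above (non-HTTP schemes accepted, redirects bypassing the URL filter, and a long connect timeout) map onto three defensive checks. The following is an added example, not Imgur’s code: a URL validator that allows only http/https, refuses hosts resolving to non-public addresses, follows redirects by hand so every hop is re-validated, and bounds the connect timeout. The DNS and HTTP stand-ins (`fake_resolver`, `fake_fetch`) are constructed so the logic runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}  # every other libcurl scheme (gopher, ftp, ...) is refused
MAX_REDIRECTS = 3
CONNECT_TIMEOUT_S = 5                # short, so a closed port cannot tie up a worker for long

def default_resolver(host):
    """Resolve a hostname to all of its addresses using real DNS."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def check_url(url, resolver=default_resolver):
    """Return (ok, reason): allow only http(s) URLs whose host resolves to public addresses."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    try:
        ips = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    except (OSError, ValueError) as exc:
        return False, f"could not resolve host: {exc}"
    for ip in ips:
        if not ip.is_global or ip.is_multicast:   # loopback, RFC 1918, link-local, etc.
            return False, f"host resolves to non-public address {ip}"
    return True, "ok"

def fetch_checked(url, fetch, resolver=default_resolver):
    """Follow redirects manually, re-running check_url on every hop, instead of letting the
    HTTP client follow them. fetch(url, timeout) -> (status, location_header, body)."""
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = check_url(url, resolver)
        if not ok:
            return None, reason
        status, location, body = fetch(url, CONNECT_TIMEOUT_S)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)          # validated again on the next iteration
            continue
        return body, "ok"
    return None, "too many redirects"

# Constructed, offline stand-ins for DNS and HTTP (hypothetical hosts and addresses).
FAKE_DNS = {"video.example.com": ["93.184.216.34"], "redirect.example.com": ["93.184.216.34"]}
FAKE_HTTP = {
    "http://video.example.com/clip.mp4": (200, None, b"<video bytes>"),
    "http://redirect.example.com/v": (302, "http://127.0.0.1:8080/internal", b""),
}

def fake_resolver(host):
    return FAKE_DNS.get(host, [host])            # literal IP addresses resolve to themselves

def fake_fetch(url, timeout):
    return FAKE_HTTP.get(url, (404, None, b""))
```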
What is a DDoS attack and how can you prevent it? Read the article and trace the attack in time!
It is reported that the SSRF vulnerability was found in February 2016, and the Imgur developers fixed the problem in less than a day. Since the image hosting service has its own bug bounty program, the researcher earned $2000 on this bug!
But who can guarantee that this vulnerability will not reappear, or that attackers will not find other holes?
In addition, back in 2014 the service’s database was breached, exposing the data of about 2 million users. However, the public only found out about this much later.
Of course, this service’s security in 2020 is much more robust than in 2014 or 2016. However, do not forget that as technology develops, attack techniques evolve as well. Therefore, take the security of internet resources seriously, especially when entrusting them with your personal data.
Read our checklist of necessary security measures on the internet and stay reliably protected on the web.