You may be scratching your head and wondering how you can turn forum users into drones. Firstly, this is not an exploit specific to a certain forum platform and it doesn’t require any unusual options to be enabled such as allowing the posting of flash files!
The only requirement is that the forum allows you to post externally hosted images – usually enabled by default.
How does it work?
A lot of people don’t realise that an image on a page is treated by the browser just like any other GET request. You can enter the url of an image and it will be displayed on the page, or you can enter the url of a regular page and the browser will fetch that url. The browser will only go as far as fetching the headers of the page, enough to trigger an action on the remote server or drop cookies (via the header) onto the drone. Some browsers will display a broken image link and some will display nothing.
Now imagine if you were to place an image with a specially crafted URL that actually places a vote in an online poll. You could post this ‘image’ to a busy forum and anyone who reads your post would be hitting that URL and placing a vote for you – without ever knowing!.
What can I do with my drones?
You can have them hit any page that works via GET. A lot of online voting systems use a simple GET request. You can also drop cookies on the drone, provided the page you’re linking to places the cookies in the header and not on the page via javascript.
Why use a forum?
If you need a lot of people hitting a URL from different IP addresses, forums are the perfect choice. You can immediately get access to hundreds of clean IP addresses (not linked to spam or proxies) and have them do your bidding (any GET request) without ever knowing.
Another benefit is that forums are generally very topic specific. Dropping cookies on a 1000 random users to your own personal website would be reasonably useless, but if you were to place an image on a poker forum which pulls a page that drops cookies for the major Poker websites, you could get a worthwhile conversion.
What type of forum can be used?
The forum must allow posting of externally hosted images. This option is usually enabled!
Case study – Tripadvisor ‘helpful review’ vote
Tripadvisor allow you to mark a review as helpful. The more votes you get, the more genuine your reviews look and the more likely your reviews will influence other visitors. When sniffing the action associated with this button, you’ll notice that it performs a POST to a specific URL, a quick test reveals that it also works as a GET request. You do not need to be a logged in user to cast a vote.
We take the URL that is triggered when clicking the ‘Yes’ button and create our image code:
<img src="http://www.tripadvisor.com/RateUserReview?returnTo=__2F__Hotel__5F__Review__2D__g186605__2D__d213279__2D__Reviews__2D__Trinity__5F__Lodge__2D__Dublin__5F__County__5F__Dublin__2E__html%2523helpful129310629&src=129310629&geo=186605&uid=6677AB2A22ECC10355BE7BEBB264AA35&rateValue=1" />
This image code can be posted onto any forum (or any site in general!) that allows posting externally hosted images. The perfect scenario would be to join a busy forum and find an active thread. Take the time to write a proper reply to the thread and add your image code at the end of it. Any other forum user who reads the thread will trigger your “image” and place a vote on your review, without ever knowing.
Test
A random review was selected for this test – “Dublin: Trinity Lodge: Excellent room in great location”
Before:
The "Dublin: Trinity Lodge: Excellent room in great location" review has 4 votes.
Forum Post:
A post created on an active thread with the specifically crafted image dumped at the end. In the chrome browser it displays a broken image icon. Every forum user who views this thread will trigger a vote for the review on Tripadvisor.
After (10 minutes later):
Thanks for the forum drones, the amount of helpful votes for "Dublin: Trinity Lodge: Excellent room in great location" has increased from 4 to 53 in a matter of 10 minutes.