/operate/ - Endchan Operations

 >>/29851/
My role signature.

What the heck.

Ah I was logged out.

I'm the culprit. AMA.

 >>/29851/
Two notes:
1. "root" is not the server root. The site engine calls the top role - above the admin - as root. See the Moderation Manual of Endchan. The "root" role allows access to Endchan's moderation pages with Root privileges, which comes with what I wrote in OP.
2. passwords are stored hashed, and similarly to emails that would have needed access to the database itself.

 >>/29855/
Which LLM did you use?

 >>/29857/
ChatGPT.

I noticed new commits for lynxchan and saw that the fork for endchan was last updated in 2020. Gross negligence if I dare say so. If I didn't turn every global volunteer into a "root", they probably wouldn't have noticed it at all lul

Monk could have prevented it...

 >>/29858/
Monk?

 >>/29855/
Your a faggot I dont know you. I did the hack to get the IP's so I can sell the data on the dark web. I can see your IP too and its says you are 100% full of shit.

 >>/29861/
You got me, I admit defeat

 >>/29861/
> I did the hack to get the IP's so I can sell the data on the dark web. I
That's going to bring millions, if not billions! Did you get the public or the private IPs? I heard the private ones are hard to route.

Good, go back to 4chan you faker before I destroy your computer, I can do that now that i got root access on your IP.

 >>/29863/
I used a reverse proxy AI hack, it was easy.

snaptik_76... mp4
(2.7 MB, 720x1280 h264)

 >>/29864/
I cannot be stopped.

 >>/29865/
I'll engine x you!

Why are you still running this site you useless retards? 2 years ago you let people upload custom css that could be used to get lurkers ip addresses with ip grabbers and now your entire site got hacked. You're low iq and can't run a site properly and you don't give a shit about your users either. Take down this website if you have any dignity left. I recommend whoever reads this to stop using this website right now

snaptik_76... mp4
(807.41 KB, 576x1246 h264)

 >>/29868/

 >>/29868/
Wouldn't this be easily avoidable with a proper content security policy?

 >>/29870/
I meant the css ip thingy

 >>/29868/
yeah but you cant find the delisted boards which is the only place my IP was, LOOOOOOL

 >>/29851/
too bad :/

 >>/29872/
Did you shit in the pan?

 >>/29851/
Hope you'll use this incident as an opportunity to get better and more secure, find other potential bugs and exploits in your engine before anyone else will do it.
Stay strong.

 >>/29868/
Not real problem if people use Tor Browser
https://www.torproject.org/download/

 >>/29851/
Also possible: board transfer, checking board ownership (but not BVs) with last login time, tho logs show board staff usernames.

 >>/29876/
boards can ban tor users and whole ip ranges from vpns

 >>/29851/
What exactly was in the logs e.g. only IPs for posts or views and downloads too and what was the period affected?

role-escalation-... png
(41.82 KB, 403x487)

 >>/29879/
Several things to address and clarify in your question.
> period
The logs says first escalation was on 2026 February 11th at 12:44, which means we discovered it about 20 hours later. These logs are accessible from the home page, scroll down a lot.
> logs
There are more logs generated by the engine that aren't published to that page. These logs aren't accessible with global Root privileges, no option in the moderation view or elsewhere.
> views and downloads
The engine doesn't log views and downloads - it's stated in the FAQ too.
> IPs
As for the IPs. When a user is a board or global staff member he can see IP hashes (and ranges) at posts in thread moderation view. For Root, there's an IP instead. So if they wanted to get IPs they had to open each thread. In theory they could harvest with a scraper. I don't know if this was done or not.

 >>/29880/
The timestamps there are UTC. In case it's not clear.

 >>/29881/
Из-за тебя некоторых людей убьют, других в тюрьмах сгноят. Как ты будешь нести ответственность?

1 webp
(26.02 KB, 640x678)

 >>/29880/
> superguy
This is hilarious. I imagine pic for some reason.

 >>/29882/
А он и не должен нести ответственность. Ты же не подписывал никакой договор, когда решил пользоваться этой бордой, по которому он бы нёс ответственность за сохранность твоих данных? Нет. Вот и всё. А что до морального аспекта, ему в Австралии / Новой Зеландии или где он там по большей части на это прохладно, я думаю. Лучшее что он может сделать в такой ситуации, это  >>/29875/ не допустить повторения чего-то подобного.

Также удвою  >>/29876/. Для polru-шизиков и люbbителей ПАВ это актуально как никогда, на любом ресурсе. Ответственность за человека в первую очередь несёт этот же самый человек, сам за себя, а не кто-то другой.

 >>/29880/
Thx for the clarifications.
Basically, root can see IPs of every post on Endchan, even the for the ones created many years ago.

> So if they wanted to get IPs they had to open each thread. In theory they could harvest with a scraper. I don't know if this was done or not.
Obviously this was the point.