  1. #16
    Fucking Moron's Avatar
    Quote Originally Posted by Zaczero View Post
    Hello MPGH!

    Recently I found a way to leak IP addresses of the MPGH users and here is my proof of work.
    I'm also providing a quick and easy fix for the staff members.

    Let's start with the way how MPGH handles user images and signatures.
    What it does is simply include the image in the HTML (no cdn, no proxy, just a direct connection).
    There is nothing bad in this by itself but I found a smart way of matching the request with the mpgh username.



    Every request sends the referrer header with the url where the file is loaded from.


    Knowing this you can create a bot which checks the Who's Online page (https://www.mpgh.net/forum/online.php)
    and looks for people who are viewing our XYZ thread where the image has been loaded from.

    For optimal performance you can sort the list by "Last Activity" entry by adding ?sort=time parameter.


    The last step is to include the dummy image in your signature or thread and gather data.

    Data which you can gather using this method:
    * Thread id
    * Time
    * User id
    * Username
    * IP address
    * Country
    * Browser used


    And here goes my proof of work:


    How efficient it is?
    By running the bot for 3 days I was able to dump ~2000 users multiple times (25.000 requests).

    How effective it is?
    Sometimes you get false results so in order to make them more trustworthy you should dump a user at least 3-4 times.
    Success rate is around 80%

    How to fix it (easy way)
    Add referrer-policy header on server response which will restrict data being sent from the client inside the referrer.
    I suggest using strict-origin-when-cross-origin.
    Read more here: https://developer.mozilla.org/en-US/...eferrer-Policy
    * note: it still will be possible to gather data using who's online but success rate will fall to around 10%
    * note2: for full fix I'd suggest disabling who's online feature for normal users

    How to fix it (hard way)
    Create cdn server which will redirect all media requests through it.

    Final words
    Please don't ban me lmao. This data is available for everyone anyways and I'm just showing the problem so it can be fixed quickly :3
    Also I want to show that you are not safe on the internet without VPN even if you visit trusted sites only.
    Also please consider switching to Tor https://www.torproject.org/ <3

    Donate for my small research and making MPGH a safer place for all of us ?
    BTC: 1NjW3K26ZPZeveW4st4sC249MfyW2w5ZP8
    ETH: 0x56b4ED755b7bDD75A954e168EB96f4501F75342d
    did u sql inject?????
    or where was original leak or thought from
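
Added example, not part of the original thread or of MPGH's code: a simplified version of the browser's Referrer Policy algorithm, showing what a third-party image host receives in the `Referer` header under each policy and why the suggested `strict-origin-when-cross-origin` removes the thread URL. The host names `forum.example` and `img.example`, the thread id, and the helper names are constructed for illustration.

```javascript
// Constructed sample URLs (placeholders, not real forum addresses).
const THREAD_URL = 'https://forum.example/forum/showthread.php?t=12345#post16';
const IMAGE_URL = 'https://img.example/sig.png';

// Referer value sent for a subresource request under a given policy.
// Simplified from the W3C Referrer Policy algorithm: "downgrade" is
// approximated as https page -> non-https target. Returns null when
// no Referer header is sent at all.
function computeReferer(pageUrl, requestUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(requestUrl);

  // Credentials and the fragment are always stripped from the referrer.
  page.username = '';
  page.password = '';
  page.hash = '';

  const full = page.href;               // path and query included
  const originOnly = page.origin + '/'; // scheme://host[:port]/ only
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === 'https:' && target.protocol !== 'https:';

  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin': return downgrade ? null : originOnly;
    // Long-time browser default: full URL to any https third party.
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error('unknown policy: ' + policy);
  }
}

// True when the third-party image host can see which thread was viewed.
function leaksThread(policy) {
  const ref = computeReferer(THREAD_URL, IMAGE_URL, policy);
  return ref !== null && ref.includes('showthread.php');
}

for (const p of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin']) {
  console.log(p, '->', computeReferer(THREAD_URL, IMAGE_URL, p), 'leaks:', leaksThread(p));
}
```

The client IP address still reaches the image host under every policy, which is why the quoted post also recommends routing media through a proxy or CDN.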

  2. #17
    Zaczero's Avatar
    Quote Originally Posted by Organized Chaos View Post


    did u sql inject?????
    or where was original leak or thought from
    everything is explained in the thread uwu
    . . . malsignature.com . . .



    [ global rules ] [ scam report ] [ image title ] [ name change ] [ anime force ]
    [ league of legends marketplace rules ] [ battlefield marketplace rules ]

    "because everytime you post a picture of anime in here
    your virginity's time increases by 1 month"
    ~Smoke 2/18/2018


    Former Staff 09-29-2018
    Battlefield Minion 07-21-2018
    Premium Seller 03-04-2018
    Publicist 12-10-2017
    League of Legends Minion 05-31-2017
    Premium 02-05-2017
    Member 10-13-2013

  3. #18
    Fucking Moron's Avatar
    Quote Originally Posted by Zaczero View Post
    everything is explained in the thread uwu
    Bro I read the first two sentences and then the images lol
    U need a tl;dr

  5. #19
    Jhem's Avatar
    And then the online page got deleted. good work dave.

  7. #20
    Zaczero's Avatar
    Quote Originally Posted by Jhem View Post
    And then the online page got deleted. good work dave.
    silent said its a temporary fix

  9. #21
    Jhem's Avatar
    Quote Originally Posted by Zaczero View Post
    silent said its a temporary fix
    This is actually excellent findings, dave should give you something, like ban himself for a whole year.

  10. #22
    Zaczero's Avatar
    Quote Originally Posted by Jhem View Post


    This is actually excellent findings, dave should give you something, like ban himself for a whole year.
    lmao

  11. #23
    Psiyix's Avatar
    Great work my friend. Appreciate the information which is
    beyond the scope of many. I am definitely going to look
    at protecting myself more while on the internet.

    I'm sure Tor has its limitations as well and would be good
    to know how to really protect yourself for max privacy.

    Will the who's online be disabled on here as per your
    suggestion?

    Thanks again bro, appreciate you.
    Last edited by Psiyix; 04-12-2019 at 09:42 AM.

  12. #24
    ikennafree's Avatar
    didn't know you couldn't use Vpns here

  13. #25
    Zaczero's Avatar
    Quote Originally Posted by Psiyix View Post
    Great work my friend. Appreciate the information which is
    beyond the scope of many. I am definitely going to look
    at protecting myself more while on the internet.

    I'm sure Tor has its limitations as well and would be good
    to know how to really protect yourself for max privacy.

    Will the who's online be disabled on here as per your
    suggestion?

    Thanks again bro, appreciate you.
    'Who's online' has been temporarily disabled by staff until the media CDN is completed

    - - - Updated - - -

    Quote Originally Posted by ikennafree View Post
    didn't know you couldn't use Vpns here
    You can unless you post something in the marketplace (you have to disable it temporarily while making the post there)


  14. #26
    trini599's Avatar
    Very fine explanation with a detailed report

  15. #27
    DizzyDrop's Avatar
    Well done. I think they've already fixed it

  16. #28
    ReplacementsNX's Avatar
    I use some VPN for good time and not have issues with bans but if you register with VPN and same day wants to sell Samsung s9 for $50, I guess u will get banned

  17. #29
    Enneagram's Avatar
    Quote Originally Posted by ReplacementsNX View Post
    I use some VPN for good time and not have issues with bans but if you register with VPN and same day wants to sell Samsung s9 for $50, I guess u will get banned
    Yoo man. What's gonna happen to your customers who still have their warranties from the N3X4 shop?

    I have my Grammarly, NordVPN and Netflix bro.
