Categories
Badness Online Privacy Technology Vulnerability

Masks Off for TheDonald.win

The server for thedonald.win is hosted at 167.114.145.140. Read on to learn how I discovered this.

In 2015, a subreddit called /r/The_Donald was created. This has made a lot of people very angry and widely been regarded as a bad move.

Roughly 5 years after its inception, the Reddit staff banned /r/The_Donald because it was a cesspool of hateful content and harmful conspiracy theories. You can learn more about it here.

Why are we talking about this in 2021?

Well, a lot has happened in the first week of the new year. A lot of words have been written about the fascist insurrection that attempted a coup on the U.S. legislature, so I won’t belabor the point more than I have to.

But as it turns out: The shitty people who ran /r/The_Donald didn’t leave well enough alone when they got shit-canned.

Facepaw
Remember: You can’t recycle fash.
(Art by Khia.)

Instead, they spun up a Reddit clone under the domain thedonald.win and hid it behind CloudFlare.

Even worse: Without Reddit rules to keep them in check, they’ve gone all in on political violence and terrorism.

(Content Warning: Fascism, political violence, and a myriad of other nastiness in the Twitter thread below.)

If you remember last year, I published a blog post about identifying the real server IP address from email headers. This is far from a sophisticated technique, but if simple solutions work, why not use them?

(Related, I wrote a post in 2020 about more effectively deplatforming hate and harassment. This knowledge will come in handy if you find yourself needing to stop the spread of political violence, but is strictly speaking not relevant to the techniques discussed on this page.)

Unmasking TheDonald.win

The technique I outlined in my previous post doesn’t work on their Reddit clone software: Although it asks you for an (optional) email address at the time of account registration, it never actually emails you, and there is no account recovery feature (a.k.a. “I forgot my password”).

Foiled immediately! What’s a furry to do?
(Art by Khia.)

However, their software is still a Reddit clone!

Reddit has this feature where you can submit links and it will helpfully fetch the page title for you. It looks like this:

When I paste a URL into this form, it automatically fetches the title.

How this feature works is simple: They initiate an HTTP request server-side to fetch the web page, parse out the title tag, and return it.

So what happens if you control the server that their request is being routed to, and provide a unique URL?

Leaking TheDonald.win’s true IP address from behind CloudFlare.

Well, that was easy! To eliminate false positives, I performed all of this sampling with Tor Browser and manually rebuilt the Tor Circuit multiple times, and always got the same IP address: 167.114.145.140.

An Even Lazier Technique

Just use Shodan, lol

Apparently chuds are really bad at OpSec, and their IP was exposed on Shodan this whole time.

Soatok Laughing
You can’t help but laugh at their incompetence.
(Art by Khia.)

The Road to Accountability

Okay, so we have their real IP address. What can we do with it?

The easiest thing to do is find out who’s hosting their servers, with a simple WHOIS lookup on their IP address.

Hosted by OVH Canada, eh? After all, nothing screams “Proud American” like hosting your website with a French company in a Canadian datacenter.

Dunking on these fools for the inconsistencies in their worldview is self-care and I recommend it, even though I know they don’t care one iota about hypocrisy.

I immediately wondered if their ISP was aware they were hosting right-wing terrorists, so I filed an innocent abuse report with details about how I obtained their IP address and the kind of behavior they’re engaging in. Canada’s laws about hate speech and inciting violence are comparably strict, after all.

I’ll update this post later if OVH decides to take action.

Lessons to Learn

First, don’t tolerate violent political extremists, or you’ll end up with political violence on your hands. Deplatforming works.

It’s catchy!

Second, and most important: Online privacy is hard. Hard enough that bigots, terrorists, and seditious insurrectionists can’t do it right.

This bears emphasizing: None of the techniques I’ve shared on the history of my blog are particularly clever or novel. But they work extremely well, and they’re useful for exposing shitty people.

Remember: Sunlight is the best disinfectant.

Conversely: Basic OSINT isn’t hard; merely tedious.

Other Techniques (from Twitter)

Subdomain leaks (via @z3dster):

Exploiting CloudFlare workers (via @4dwins):

DNS enumeration (via @JoshFarwell):

If the site in question is running WordPress, you can use Pingbacks to get WordPress to cough up the server IP address. If you aren’t sure if something runs WordPress, here’s the lazy way to detect that: view any page’s source code and see if the string /wp-content shows up in any URLs (especially for CSS). If it’s found, you’re probably dealing with WordPress.

Gab’s (another platform favored by right-wing extremists) IP address discovered through their Image Proxy feature to be 216.66.0.222 (via @kubeworm):

https://twitter.com/kubeworm/status/1348162193523675136

The Alt-Right Notices this Blog Post

Shortly after I posted this online, some users from thedonald.win noticed this blog post and hilarity ensued.

The entire Twitter thread is worth a read.

I want to make something clear in case anyone (especially members of toxic Trump-supporting communities) is confused:

What’s published on this page isn’t doxing, nor do I have any interest in doxing people. That’s the job of law enforcement, not furry bloggers who sometimes write about computer topics. And law enforcement definitely doesn’t need my help: When you create an account, you must solve a ReCAPTCHA challenge, which sends an HTTP request directly to Google servers–which means law enforcement could just subpoena Google for the IP address of the server, even if the above leaks were all patched.

This also isn’t the sort of thing I’d ever brag about, since the entire point I’ve been making is what I’ve done here isn’t technically challenging. If I wanted to /flex, I’d just talk more about my work on constant-time algorithm implementations.

If, in response to my abuse report, OVH Canada determines that their website isn’t violating OVH’s terms of service, then y’all have nothing to worry about.

But given the amount of rampant hate speech being hosted in Canadian jurisdiction, I wouldn’t make that bet.

Addendum (2021-01-19)

Additionally, this wasn’t as simple as running a WHOIS search on thedonald.win either, since that only coughs up the CloudFlare IP addresses. I went a step further and got the real IP address of the server behind CloudFlare, not just CloudFlare’s IP.

This isn’t rocket science, folks.

According to CBC Canada, they moved off OVH Canada the same day this blog post went live. I’m willing to bet a simple WHOIS query won’t yield their current, non-CloudFlare IP address. (To wit: If you think the steps taken in this blog post are so unimpressive to warrant mockery, why not discover the non-CloudFlare IP for yourselves? I’ll bet you can’t.)

There are a lot of ways to deflect criticism for your system administrators’ mistakes, but being overly reductionist and claiming I “just” ran a WHOIS query (which, as stated above, wouldn’t work because of CloudFlare) is only hurting your users by instilling in them a false sense of security.

Just admit it: You fucked up, and got outfoxed by a random furry blogger, and then moved hosting providers after patching the IP leak. How hard is that?

Also, if anyone from CloudFlare is reading this: You should really dump your violent extremist customers before they hurt more people. I’m a strong proponent of freedom of speech–especially for sex workers, the most censored group online–but they’re actively spreading hate and planning violent attacks like the Capitol Hill Riot of January 6, 2021. Pull the damn plug, man.

Finally, I highly recommend Innuendo Studios’ series, The Alt-Right Playbook, for anyone who’s trying to make sense of the surge in right-wing violence we’ve been seeing in America for the past few years.

How Do You Know This IP Wasn’t Bait?

After I published this article, the developers of their software hobbled the Get Suggested Title feature of their software, and the system administrators cancelled their OVH hosting account and moved to another ISP. (Source.)

You can independently verify that their software is hobbled: Try to fetch the page title for a random news website, or Wikipedia article, with the developer console open. It will stall for a while then return an empty string instead of the page title.

They also changed their domain name to patriots.win.

If the IP address I’d found was bait, why would they break a core piece of their software’s functionality and then hurriedly migrate their server elsewhere?

The very notion doesn’t stand up to common sense, let alone greater scrutiny. The whole point of bait is to catch people making a mistake–presumably so you can mock them while remaining totally unaffected–not so you can do these things in a hurry.

A much more likely story: Anyone who makes this claim is trying to downplay a mistake and save face.


Header art by Kyume

By Soatok

Security engineer with a fursona. Ask me about dholes or Diffie-Hellman!

7 replies on “Masks Off for TheDonald.win”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s