lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 1 Sep 2003 10:01:43 -0700
From: "morning_wood" <se_cur_ity@...mail.com>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>,
   <alrogers@...iends.net>, <legal@...power.com>
Subject: Ifriends payment bypass


------------------------------------------------------------------
          - EXPL-A-2003-023 exploitlabs.com Advisory 023
------------------------------------------------------------------
                    -= Ifriends payment bypass =-



Donnie Werner
co-founder / CTO e2-labs
http://e2-labs.com


Vunerability:
----------------
PAYMENT BYPASS FOR REGISTERED USERS


Description OF product:
-----------------------
 ifriends.com is a multi million dollar company ( webpower inc )
with a low ball income / profit of $300,000 per day. ( yes, per DAY )
they feature live, pornographic and non pornographic webcam and chatting
on a fee based structure. the primary business format is a 50/50 split of
revenue generated via a per minute fee from over 1000 live hosts at
any one time charging on average between $2-$9 per MINUTE, the rate
set by the chathost themselves.

quick math, avg. low figures..
LH = 200 hosts live in a PAYING session at any given time
PR = $2 fee per minute ( lowest )
HR = 60 minuts
PCT =50 percent of fee

LH x PR x HR =
200 x $2 x 60 = $24,000  gross
x .5 = $12,000 net profit per hour

$12,000 x 24 x 365 = $105,120,000 net profit per year... this is a low est.

quick math, proable figures
300 x $4 x 60 = $72,000
x .5 = $36,000 net per hour

or a bit over $300 million a year.


VUNERABILITY / EXPLOIT
======================
1. bypassing payment timekeeping


scenario #1
===========
 Authorized ( V.I.P or registered ) "user" starts a "session" with
a "chathost" in normal fashion via browser.
user concurently starts a webcam viewing program such as "webcam-watcher 3"
viewing the source in browser reveals video host-ip:port
( see http://www.securityfocus.com/archive/1/320267 )
 user enters into webcam viewer "http://host-ip:port/java.jpg and
presses "go"
user closes browser, image continues, fees stop acruing.


exploit detail:
===============
 ifriends uses a combination of html, javascript and java in their
viewing, and more importantly, timekeeping functions.

the basis of this is 3 main applets.

1. video
2. audio
3. timekeeping

 we will focus on the 3rd and see below how the session timekeeping is
done via javascript, and recorded in the java applet parameters.

------------ SNIP ---------------
function reportTime()
{
  var expdate = new Date()
  expdate.setTime(expdate.getTime());
  window.status='Done'
  document.ReportTime.src =
'http://apps.iFriends.net/cgi/iJsChck.exe?screenname=CHATHOST-NAME&sessionID=123
4567&PARM5=EILRAHC&Time=' + expdate.getTime();
  setTimeout("reportTime()",60000)
}

<input type="hidden" name="SCREENNAME" value="CHATHOST-NAME">
<input type="hidden" name="SESSIONID" value="1234567">
<input type="submit" value=" Begin Video Chat (Free-Registration Members Only)
"></form>
<FORM METHOD="POST" NAME="iReqFeed"
ACTION="http://access.Ifriends.net/cgi/showcam.exe?" target="_parent">
<input type="hidden" name="SCREENNAME" value="CHATHOST-NAME">
<input type="hidden" name="PARM5" value="AHPLA">
<input type="hidden" name="SESSIONID" value="1234567">
<input type="hidden" name="CUSTSESA" value="0">
<input type="hidden" name="CUSTSCREENNAME" value="">
<input type="hidden" name="recordcode"
value="lhost__CHATHOST-NAME__1234567_YEARMODA_12345">
<input type="submit" value=" Begin Guest Chat with CHATHOST-NAME (Available to
all) " ></form>
---------- SNIP ------------------

<script language="JavaScript">
            <!--
               document.writeln('<APPLET CODE="ifchat20.class"
CODEBASE="http://chat.iFriends.net/" ARCHIVE="/ifchat20.jar" WIDTH=320 HEIGHT='
+ sHeight +'>');
               document.writeln('<PARAM name="viewer"
value="REGISTERED-USERNAME">');
               document.writeln('<PARAM name="session" value="1234567">');
               document.writeln('<PARAM name="exhib" value="CHATHOST-NAME">');
               document.writeln('<PARAM name="server"
value="chat.iFriends.net">');
               document.writeln('<PARAM name="port" value=8086>');
               document.writeln('<PARAM name="timeseq"
value="5627127506012727078775743189">');
               document.writeln('</APPLET>');
            //-->
            </script>
            </TD>
        </TR>
    </TABLE>

<IMG name="ReportTime"
src="http://apps.iFriends.net/cgi/iJsChck.exe?screenname=CHATHOST-NAME&sessionID
=1234567&PARM5=EILRAHC" width=1 height=1>
<script language="Javascript">
<!--
setTimeout("reportTime()",60000)
//-->
</script>

---------- SNIP --------------------

 the actual authorization takes place in the ifcam software residing on the
chathosts
system. once the ifcam software recieves a valid authorization code, your ip
address
is then authorized for the remainder of the chathost session. the timekeeping
for payment
is controlled via the browser and maintains state with ifriends.com servers.

 thus, by connecting to the video source independantly of the original browser
window,
then closing that browser, ( or by modifying the source, re-rendering... etc, )
closing the original browser applet effectivly signals ifriends to stop the
tracking / timekeeping of that user. this is done to prevent overcharges in case
of a connection break.

Result is continued video viewing with no acruing charges.

 this issue has been a problem for over 2 years, as is a continuation of the
privacy
disclosure originaly discussed in http://www.securityfocus.com/archive/1/320267

Local:
------
not realy

Remote:
-------
yes


vendor contact:
---------------
I spoke to legal@...power.com and prepared
a proposal as per their request.

toll free - (800)243-9726
alrogers@...iends.net
WPI/IFriends
7765 Lake Worth Road, Suite 341
Lake Worth, FL 33467

legal@...power.com


vendor response:
----------------
they never respond after first contact cuz they do not care,
they continualy break thier own promises
( http://www.ifriends.net/legal/privacy.htm )
hint: they make $300 mil a year, they dont care.
I have repeatadly called and spoke to the complaint
department ( he forwarded all requests ) and he was
very concerned. Nevertheless.... no formal response.


credits:
--------
Donnie Werner
morning_wood@...labs.com

http://e2-labs.com
http://exploitlabs.com
http://nothackers.org


thanks:
=======
 i would like to thank a very nice couple who helped in verifying the
effectiveness
of this exploit. ( both are registered chathost and VIP members of
ifriends.com )

fun link:
--------
http://www.myifriends.net/general/acw.htm?VIDEOCAMS&http://www.sec.gov/divisions
/enforce.shtml
( hint: click "enter" )

Original advisory available at
 http://exploitlabs.com/files/advisories/EXPL-A-2003-023-ifriends-bypass.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ