Dangerous Chat Exploit

[Hoernchen]

This is no bug, but an exploit, which allows users to take on the identity of other users in the Hive Chat. The exploit uses a minimal amount of social engineering, and is easy enough to trick any hive user who is foolish enough just to press a tinyurl link or a link to another certain site.

The exploit works like this:

1. The exploiter will create a tinyurl which links to a phpsite on the hive.

2. The phpsite will include the javacommand:
javascript:new Ajax.Request('chat_ajax.php?do=write'+'&channel='+channel+'&message='+escape2(document.cookie),{onSuccess:sendMessageDone,onFailure:sendMessageFail});

3. Anyone who knows Javascript will know that this will make the user display a message in chat which contains his cookies.

4. With a bit more code one could even make the victim whisper him, so others don't see it happening, leaving all mods clueless of this action.

5. Once the cookies are acquired, the exploiter can use Firefox Cookie Editor to insert the cookie named PHPSESSID as his own. When reconnected to chat, this will make the exploiter be logged in as his victim even if his victim is already in chat.

6. Furthermore his name won't be displayed in the lobby or anywhere else, leaving no trace of who he is. Everything the exploiter types will be seen by the chat as typed from his victims, meaning he can make his victim say things that will result in the victim being banned, kicked or becoming hated on hive. If a mod falls for such a trap, he will furthermore gain all the powers of the mod, which include him being able to ban other users and kick them.

7. The victim, once it displayed its cookies is powerless in every way. It cannot get rid of the exploiter for the entire day at least, has no way of proving what he said and what the exploiter did, and if the exploiter is banned he will still be able to use his victims account in chat, making the victim entirely powerless, as well as moderators powerless, as their only option is to ban the victim.

8. This exploit is working 100% as it is described, and is NOT a theory. This can easily be used and is a danger to users on the hive who click a link which they don't know where it goes.

Here are ways to fix the exploit:
1. Make the system check when a message includes cookies and make it block the message. (This pretty much fixes it.)
2. Alert users to the danger of this exploit.
3. Block sites like tinyurl.com and all sites that lead to chat.hiveworkshop

 

[Firelord213]

Yea this should be removed from the chat

 

[Dr Super Good]

5. Once the cookies are acquired, the exploiter can use Firefox Cookie Editor to insert the cookie named PHPSESSID as his own. When reconnected to chat, this will make the exploiter be logged in as his victim even if his victim is already in chat.

Surly the contence is more important for the cookie than the file name.

Anyway, we have methods of tracking people who do this, as we can see an IP missmatch from the users sending the data.
Also, how can anyone do this on this site, all the people that use the chat know little about programming of have no need to do this.
Finally it has never happened before, and although ralle may try and fix it, it is not that urgant.

 

[Hoernchen]

Well, the thing is I have often see people use this exploit in a different way, to make people say something like "I'm stupid" or "Person X is my GOD!", so yes many people know how to create links that make you send messages you dont want to send, and it doesnt take a genius to replace "I'm stupid" with document.cookie which took me about 10 seconds to realize even though I only know a little bit of JavaScript. So, all it takes is for the 100s of users who know how to make people send different messages to realize that they can make them send not just strings but data. And if just 1 person starts doing it, more persons will find out about it and it will eventually spread leading to many users using it for fun, because it is sooo very very easy to do and requires nearly no knowledge. Also, many people have IPs which change monthly which makes tracking them impossible if they do it on the last day of a month. Furthermore all it takes is to block all messages containing the word PHPSESSID or document.cookie and its done.

 

[Ralle]

I think I have fixed it

 

[Hakeem]

1. The exploiter will create a tinyurl which links to a phpsite on the hive.

2. The phpsite will include the javacommand:
javascript:new Ajax.Request('chat_ajax.php?do=write'+'&channel='+channel+'&message='+escape2(document.cookie),{onSuccess:sendMessageDone,onFailure:sendMessageFail});

Browsers should run the script:

new Ajax.Request('chat_ajax.php?do=write'+'&channel='+channel+'&message='+escape2(document.cookie),{onSuccess:sendMessageDone,onFailure:sendMessageFail});

From tinyurl.com, not from chat.hiveworkshop.com.

 

[Elfsilver Lord]

Im gonna try this. Ralle, if it works, then you havent fixed it. If I cant, your in luck, and I am probably stayed unbanned, lol.

 

[Hoernchen]

hmm i just tested and cookies can still be displayedin chat. for test i used:
javascript:var url = 'chat_ajax.php?do=write'+'&channel='+channel+'&message='+escape2(document.cookie);new Ajax.Request(url,{onSuccess:sendMessageDone,onFailure:sendMessageFail});

It displayed this:
[19-19-10]

Hoernchen: bblastvisit=1200019187; bblastactivity=0; __utmz=122518034.1202023260.42.8.utmccn=(referral)|utmcsr=chat.hiveworkshop.com|utmcct=/|utmcmd=referral; __utma=122518034.26340087.1200019193.1202019955.1202023260.42; __utmc=122518034; PHPSESSID=3pkdj13fbfjih5fkulev7ef6q2; __utmb=122518034

I changed my PHPSESSID in this text so don't even think about it.
The exploit can still be used easily with social engineering. You just tell someone to paste it into their url and tell them it will do something else, in fact you can even add more code, so that it does something which will make it less suspicious and you can even clear the person chat log and make it whisper to you leaving not a single trace to anyone except someone who reads the hivelog.
I am pretty certain that you can still embed this into a link to have it run, even though I don't 100% know how to.

 

[Hakeem]

Tinyurl doesn't work for javascript: URLs.

 

[Dr Super Good]

A simple fix I see is that instead of the ID being stored as a cookie like that, the cookie stores a file address which links to a file containing the ID on your hard disc. Thus they would not be able to get the ID as the cookie is constant between everyone (linking to the same file but each person has a different version of that file (contains different ID)).

 

[Mini-Me]

Simple eh DSG? A simple fix is not to click on the links people paste in chat.

 

[Hakeem]

Dr Super Good, cookies are the file stored on client computers.

 

[Ralle]

The only way to get cheated is to copy the link some one sends, put it into your browser and click OK. While your at it, why not go download some viruses and trojans aswell?
I mean, why be so stupid to take the javascript from a message and just put it into the address bar without thinking?
Anyway, I can think of a fix. To filter sendMessage and javascript: and other stuff from messages.

 

[Dr Super Good]

Could fool some of the younder people, like the alt + F4 command has done in the past.

Anyway, I did not think that that fully uploaded the contence of a cookie, I thought it just its name. Thus you will have an empty cookie with the same name as some one elses.

 

[Hoernchen]

Actually I was able to trick 2 people into copying this script into their browsers url-bar on the same day and they didn't even realize what it did, after their cookies were displayed. Both of them were were respected hive users with 100+ posts and both didn't notice anything and copy and pasted it blindly into their url bar. This didn't take a too damn great effort to be done, and you can argue, that anyone who actually does something like that deserves to be exploited, but then again if its this easy to trick people, then they should be warned or as Ralle said, all messages containing document.cookie or PHPSESSID should be not sent.

 

[redmarine]

How can you see when it is a phplwkerjh? I don't want to fall for this.

 

[Hakeem]

Don't copy anything into your URL bar.

Maybe it should say that somewhere.

 

[Wolverabid]

Don't copy anything into your URL bar.

Exactly.

Ralle may reopen this to provide further detail, for now:

~ Thread closed.