• 🏆 Texturing Contest #33 is OPEN! Contestants must re-texture a SD unit model found in-game (Warcraft 3 Classic), recreating the unit into a peaceful NPC version. 🔗Click here to enter!
  • 🏆 Hive's 6th HD Modeling Contest: Mechanical is now open! Design and model a mechanical creature, mechanized animal, a futuristic robotic being, or anything else your imagination can tinker with! 📅 Submissions close on June 30, 2024. Don't miss this opportunity to let your creativity shine! Enter now and show us your mechanical masterpiece! 🔗 Click here to enter!

Dangerous Chat Exploit

Status
Not open for further replies.
Level 10
Joined
Jun 16, 2007
Messages
415
This is no bug, but an exploit, which allows users to take on the identity of other users in the Hive Chat. The exploit uses a minimal amount of social engineering, and is easy enough to trick any hive user who is foolish enough just to press a tinyurl link or a link to another certain site.

The exploit works like this:

1. The exploiter will create a tinyurl which links to a phpsite on the hive.

2. The phpsite will include the javacommand:
javascript:new Ajax.Request('chat_ajax.php?do=write'+'&channel='+channel+'&message='+escape2(document.cookie),{onSuccess:sendMessageDone,onFailure:sendMessageFail});

3. Anyone who knows Javascript will know that this will make the user display a message in chat which contains his cookies.

4. With a bit more code one could even make the victim whisper him, so others don't see it happening, leaving all mods clueless of this action.

5. Once the cookies are acquired, the exploiter can use Firefox Cookie Editor to insert the cookie named PHPSESSID as his own. When reconnected to chat, this will make the exploiter be logged in as his victim even if his victim is already in chat.

6. Furthermore his name won't be displayed in the lobby or anywhere else, leaving no trace of who he is. Everything the exploiter types will be seen by the chat as typed from his victims, meaning he can make his victim say things that will result in the victim being banned, kicked or becoming hated on hive. If a mod falls for such a trap, he will furthermore gain all the powers of the mod, which include him being able to ban other users and kick them.

7. The victim, once it displayed its cookies is powerless in every way. It cannot get rid of the exploiter for the entire day at least, has no way of proving what he said and what the exploiter did, and if the exploiter is banned he will still be able to use his victims account in chat, making the victim entirely powerless, as well as moderators powerless, as their only option is to ban the victim.

8. This exploit is working 100% as it is described, and is NOT a theory. This can easily be used and is a danger to users on the hive who click a link which they don't know where it goes.

Here are ways to fix the exploit:
1. Make the system check when a message includes cookies and make it block the message. (This pretty much fixes it.)
2. Alert users to the danger of this exploit.
3. Block sites like tinyurl.com and all sites that lead to chat.hiveworkshop
 

Dr Super Good

Spell Reviewer
Level 64
Joined
Jan 18, 2005
Messages
27,223
5. Once the cookies are acquired, the exploiter can use Firefox Cookie Editor to insert the cookie named PHPSESSID as his own. When reconnected to chat, this will make the exploiter be logged in as his victim even if his victim is already in chat.

Surly the contence is more important for the cookie than the file name.

Anyway, we have methods of tracking people who do this, as we can see an IP missmatch from the users sending the data.
Also, how can anyone do this on this site, all the people that use the chat know little about programming of have no need to do this.
Finally it has never happened before, and although ralle may try and fix it, it is not that urgant.
 
Level 10
Joined
Jun 16, 2007
Messages
415
Well, the thing is I have often see people use this exploit in a different way, to make people say something like "I'm stupid" or "Person X is my GOD!", so yes many people know how to create links that make you send messages you dont want to send, and it doesnt take a genius to replace "I'm stupid" with document.cookie which took me about 10 seconds to realize even though I only know a little bit of JavaScript. So, all it takes is for the 100s of users who know how to make people send different messages to realize that they can make them send not just strings but data. And if just 1 person starts doing it, more persons will find out about it and it will eventually spread leading to many users using it for fun, because it is sooo very very easy to do and requires nearly no knowledge. Also, many people have IPs which change monthly which makes tracking them impossible if they do it on the last day of a month. Furthermore all it takes is to block all messages containing the word PHPSESSID or document.cookie and its done.
 
Level 27
Joined
May 30, 2007
Messages
2,872
1. The exploiter will create a tinyurl which links to a phpsite on the hive.

2. The phpsite will include the javacommand:
javascript:new Ajax.Request('chat_ajax.php?do=write'+'&channel='+channel+'&message='+escape2(document.cookie),{onSuccess:sendMessageDone,onFailure:sendMessageFail});
Browsers should run the script:
Code:
new Ajax.Request('chat_ajax.php?do=write'+'&channel='+channel+'&message='+escape2(document.cookie),{onSuccess:sendMessageDone,onFailure:sendMessageFail});
From tinyurl.com, not from chat.hiveworkshop.com.
 
Level 10
Joined
Jun 16, 2007
Messages
415
hmm i just tested and cookies can still be displayedin chat. for test i used:
javascript:var url = 'chat_ajax.php?do=write'+'&channel='+channel+'&message='+escape2(document.cookie);new Ajax.Request(url,{onSuccess:sendMessageDone,onFailure:sendMessageFail});

It displayed this:
[19-19-10]
rank4.gif
Hoernchen: bblastvisit=1200019187; bblastactivity=0; __utmz=122518034.1202023260.42.8.utmccn=(referral)|utmcsr=chat.hiveworkshop.com|utmcct=/|utmcmd=referral; __utma=122518034.26340087.1200019193.1202019955.1202023260.42; __utmc=122518034; PHPSESSID=3pkdj13fbfjih5fkulev7ef6q2; __utmb=122518034

I changed my PHPSESSID in this text so don't even think about it.
The exploit can still be used easily with social engineering. You just tell someone to paste it into their url and tell them it will do something else, in fact you can even add more code, so that it does something which will make it less suspicious and you can even clear the person chat log and make it whisper to you leaving not a single trace to anyone except someone who reads the hivelog.
I am pretty certain that you can still embed this into a link to have it run, even though I don't 100% know how to.
 

Dr Super Good

Spell Reviewer
Level 64
Joined
Jan 18, 2005
Messages
27,223
A simple fix I see is that instead of the ID being stored as a cookie like that, the cookie stores a file address which links to a file containing the ID on your hard disc. Thus they would not be able to get the ID as the cookie is constant between everyone (linking to the same file but each person has a different version of that file (contains different ID)).
 

Ralle

Owner
Level 77
Joined
Oct 6, 2004
Messages
10,118
The only way to get cheated is to copy the link some one sends, put it into your browser and click OK. While your at it, why not go download some viruses and trojans aswell?
I mean, why be so stupid to take the javascript from a message and just put it into the address bar without thinking?
Anyway, I can think of a fix. To filter sendMessage and javascript: and other stuff from messages.
 

Dr Super Good

Spell Reviewer
Level 64
Joined
Jan 18, 2005
Messages
27,223
Could fool some of the younder people, like the alt + F4 command has done in the past.

Anyway, I did not think that that fully uploaded the contence of a cookie, I thought it just its name. Thus you will have an empty cookie with the same name as some one elses.
 
Level 10
Joined
Jun 16, 2007
Messages
415
Actually I was able to trick 2 people into copying this script into their browsers url-bar on the same day and they didn't even realize what it did, after their cookies were displayed. Both of them were were respected hive users with 100+ posts and both didn't notice anything and copy and pasted it blindly into their url bar. This didn't take a too damn great effort to be done, and you can argue, that anyone who actually does something like that deserves to be exploited, but then again if its this easy to trick people, then they should be warned or as Ralle said, all messages containing document.cookie or PHPSESSID should be not sent.
 
Status
Not open for further replies.
Top