[Full-Disclosure] Ifriends payment bypass

From: morning_wood (se_cur_ityat_private)
Date: Mon Sep 01 2003 - 10:01:43 PDT


    ------------------------------------------------------------------
              - EXPL-A-2003-023 exploitlabs.com Advisory 023
    ------------------------------------------------------------------
                        -= Ifriends payment bypass =-
    
    
    
    Donnie Werner
    co-founder / CTO e2-labs
    http://e2-labs.com
    
    
    Vulnerability:
    ----------------
    PAYMENT BYPASS FOR REGISTERED USERS
    
    
    Description of product:
    -----------------------
     ifriends.com is a multi-million-dollar company ( webpower inc )
    with a low-ball income / profit of $300,000 per day. ( yes, per DAY )
    they feature live, pornographic and non-pornographic webcam and chat
    on a fee-based structure. the primary business format is a 50/50 split of
    revenue generated via a per-minute fee from over 1000 live hosts at
    any one time, charging on average between $2-$9 per MINUTE, the rate
    being set by the chathost themselves.
    
    quick math, average low figures:
    LH = 200 hosts live in a PAYING session at any given time
    PR = $2 fee per minute ( lowest )
    HR = 60 minutes
    PCT = 50 percent of fee

    LH x PR x HR =
    200 x $2 x 60 = $24,000  gross per hour
    x .5 ( PCT ) = $12,000 net profit per hour

    $12,000 x 24 x 365 = $105,120,000 net profit per year... this is a low est.

    quick math, probable figures ( 300 hosts, $4 per minute ):
    300 x $4 x 60 = $72,000 gross per hour
    x .5 = $36,000 net per hour

    or a bit over $300 million a year.
    
    
    VULNERABILITY / EXPLOIT
    ======================
    1. bypassing payment timekeeping
    
    
    scenario #1
    ===========
     an authorized ( V.I.P. or registered ) "user" starts a "session" with
    a "chathost" in normal fashion via browser.
    the user concurrently starts a webcam viewing program such as "webcam-watcher 3".
    viewing the page source in the browser reveals the video host-ip:port
    ( see http://www.securityfocus.com/archive/1/320267 )
     the user enters "http://host-ip:port/java.jpg" into the webcam viewer and
    presses "go".
    the user closes the browser; the image continues, fees stop accruing.
    
    
    exploit detail:
    ===============
     ifriends uses a combination of html, javascript and java in their
    viewing and, more importantly, timekeeping functions.

    the basis of this is 3 main applets.

    1. video
    2. audio
    3. timekeeping

     we will focus on the 3rd; see below how the session timekeeping is
    done via javascript ( a reportTime() ping to iJsChck.exe every 60 seconds )
    and recorded in the java applet parameters.
    
    ------------ SNIP ---------------
    function reportTime()
    {
      var expdate = new Date()
      expdate.setTime(expdate.getTime());
      window.status='Done'
      document.ReportTime.src = 'http://apps.iFriends.net/cgi/iJsChck.exe?screenname=CHATHOST-NAME&sessionID=1234567&PARM5=EILRAHC&Time=' + expdate.getTime();
      setTimeout("reportTime()",60000)
    }

    <input type="hidden" name="SCREENNAME" value="CHATHOST-NAME">
    <input type="hidden" name="SESSIONID" value="1234567">
    <input type="submit" value=" Begin Video Chat (Free-Registration Members Only) "></form>
    <FORM METHOD="POST" NAME="iReqFeed" ACTION="http://access.Ifriends.net/cgi/showcam.exe?" target="_parent">
    <input type="hidden" name="SCREENNAME" value="CHATHOST-NAME">
    <input type="hidden" name="PARM5" value="AHPLA">
    <input type="hidden" name="SESSIONID" value="1234567">
    <input type="hidden" name="CUSTSESA" value="0">
    <input type="hidden" name="CUSTSCREENNAME" value="">
    <input type="hidden" name="recordcode" value="lhost__CHATHOST-NAME__1234567_YEARMODA_12345">
    <input type="submit" value=" Begin Guest Chat with CHATHOST-NAME (Available to all) " ></form>
    ---------- SNIP ------------------

    <script language="JavaScript">
    <!--
       document.writeln('<APPLET CODE="ifchat20.class" CODEBASE="http://chat.iFriends.net/" ARCHIVE="/ifchat20.jar" WIDTH=320 HEIGHT=' + sHeight +'>');
       document.writeln('<PARAM name="viewer" value="REGISTERED-USERNAME">');
       document.writeln('<PARAM name="session" value="1234567">');
       document.writeln('<PARAM name="exhib" value="CHATHOST-NAME">');
       document.writeln('<PARAM name="server" value="chat.iFriends.net">');
       document.writeln('<PARAM name="port" value=8086>');
       document.writeln('<PARAM name="timeseq" value="5627127506012727078775743189">');
       document.writeln('</APPLET>');
    //-->
    </script>
    </TD>
    </TR>
    </TABLE>

    <IMG name="ReportTime" src="http://apps.iFriends.net/cgi/iJsChck.exe?screenname=CHATHOST-NAME&sessionID=1234567&PARM5=EILRAHC" width=1 height=1>
    <script language="Javascript">
    <!--
    setTimeout("reportTime()",60000)
    //-->
    </script>

    ---------- SNIP --------------------
    
     the actual authorization takes place in the ifcam software residing on the
    chathost's system. once the ifcam software receives a valid authorization code,
    your ip address is then authorized for the remainder of the chathost session.
    the timekeeping for payment is controlled via the browser and maintains state
    with ifriends.com servers.

     thus, by connecting to the video source independently of the original browser
    window and then closing that browser ( or by modifying the source,
    re-rendering... etc. ), closing the original browser applet effectively signals
    ifriends to stop the tracking / timekeeping of that user. this is done to
    prevent overcharges in case of a connection break.

    the result is continued video viewing with no accruing charges: the stream
    server trusts a one-time per-ip authorization, while billing depends only on
    the browser's periodic ping, and the two are never reconciled.
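The design flaw above (a stream server that grants an IP once and then serves unconditionally, while billing only advances with the browser's 60-second ping) can be made concrete with an added simulation. This is example code written for this write-up, not iFriends' or the author's code; the two meter classes, the lease length and the minute-by-minute schedule are constructed assumptions.

```python
"""Constructed simulation of two ways to meter a per-minute video session
(example for this write-up, not iFriends code; names and lease length are
assumptions). HeartbeatMeter mirrors the advisory's flaw; LeaseMeter is the
hardened shape where the media server meters what it actually delivers."""
from dataclasses import dataclass


@dataclass
class HeartbeatMeter:
    """Vulnerable: one-time per-IP grant; billing advances only per browser ping."""
    ip_authorized: bool = True    # granted once when the session began
    billed: int = 0
    streamed: int = 0

    def heartbeat(self, minute):
        self.billed += 1          # one billable minute per reportTime()-style ping

    def serve_frame(self, minute):
        if not self.ip_authorized:
            return False
        self.streamed += 1        # served whether or not billing continues
        return True


@dataclass
class LeaseMeter:
    """Hardened: billed where delivered; delivery stops when the lease lapses."""
    lease_minutes: int = 2        # assumption: minutes one ping pays for
    lease_expiry: int = -1        # no standing grant before the first ping
    billed: int = 0
    streamed: int = 0

    def heartbeat(self, minute):
        self.lease_expiry = minute + self.lease_minutes   # renew, don't bill

    def serve_frame(self, minute):
        if minute >= self.lease_expiry:
            return False          # lease lapsed: the stream stops with billing
        self.streamed += 1
        self.billed += 1          # metered at the point of delivery
        return True


def simulate(meter, heartbeat_until, total_minutes):
    """Browser pings once a minute, then is closed at `heartbeat_until`;
    an out-of-band viewer keeps requesting frames for every minute."""
    for minute in range(total_minutes):
        if minute < heartbeat_until:
            meter.heartbeat(minute)
        meter.serve_frame(minute)
    return meter.billed, meter.streamed
```

With the browser closed after three pings of a ten-minute stream, the heartbeat model bills 3 minutes for 10 streamed, while the lease model bills and streams the same 4 minutes and then cuts the feed.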
    
     this issue has been a problem for over 2 years, and is a continuation of the
    privacy disclosure originally discussed in
    http://www.securityfocus.com/archive/1/320267
    
    Local:
    ------
    not really
    
    Remote:
    -------
    yes
    
    
    vendor contact:
    ---------------
    I spoke to legalat_private and prepared
    a proposal as per their request.
    
    toll free - (800)243-9726
    alrogersat_private
    WPI/IFriends
    7765 Lake Worth Road, Suite 341
    Lake Worth, FL 33467
    
    legalat_private
    
    
    vendor response:
    ----------------
    they never respond after first contact cuz they do not care,
    they continually break their own promises
    ( http://www.ifriends.net/legal/privacy.htm )
    hint: they make $300 mil a year, they don't care.
    I have repeatedly called and spoken to the complaint
    department ( he forwarded all requests ) and he was
    very concerned. Nevertheless.... no formal response.
    
    
    credits:
    --------
    Donnie Werner
    morning_wood@e2-labs.com
    
    http://e2-labs.com
    http://exploitlabs.com
    http://nothackers.org
    
    
    thanks:
    =======
     I would like to thank a very nice couple who helped in verifying the
    effectiveness of this exploit. ( both are registered chathost and VIP members of
    ifriends.com )
    
    fun link:
    --------
    http://www.myifriends.net/general/acw.htm?VIDEOCAMS&http://www.sec.gov/divisions
    /enforce.shtml
    ( hint: click "enter" )
    
    Original advisory available at
     http://exploitlabs.com/files/advisories/EXPL-A-2003-023-ifriends-bypass.txt
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    



    This archive was generated by hypermail 2b30 : Mon Sep 01 2003 - 10:41:44 PDT