The past two days were very interesting. In this post, I’m going to go into a full disclosure of two vulnerabilities that exist (or hopefully by now, existed) at Tinychat.
Tinychat is a really awesome way to create instant, disposable cam/chat rooms. Unlike the way competitors like Stickam handle their service, Tinychat preaches simplicity. Rooms are created by URI with a simple GET request; you can create a room in seconds right from your address bar. Here’s an example: http://tinychat.com/wfti
At the moment, Tinychat is sitting on a healthy 3,280 Alexa ranking. Tinychat recently launched their mobile app for iOS. They recently reeled in $1.5mil in funding from celebrity startup fans P. Diddy and Ashton Kutcher. The startup’s growth has been huge thus far with 300,000 new users and users putting in over 500,000,000 minutes online every month. Here’s a graph from that article:
With all of that information on your mind, you’d be shocked if I told you that vulnerabilities exist on the service that would allow anyone to (quite easily) compromise user accounts.
Bryan—probably my closest internet-strict friend and someone who I’ve mentioned here before—and I started out an IM conversation yesterday discussing Tinychat and the way that “chat rooms” have essentially evolved and still exist online, just only in the form of cam rooms. From there, our imaginations drifted to troublesome concepts.
It took Bryan all of 30 seconds to discover that the Tinychat login is not limited or rated in any way. No CAPTCHA, no IP bans, nothing. For a multimillion-dollar company in the year 2011, this is practically a sin.
In as much time as it takes you to join a Tinychat room, we have discovered that the Tinychat login server is essentially vulnerable to brute force/dictionary attacks on user accounts.
My question was, “How do we find user accounts on Tinychat?” Tinychat’s account system is a little quirky. Even while logged in, you’re still given the chance to set your nickname or join by Twitter or Facebook when you join a room. The likelihood of a user using their account name as their in-room name isn’t very high. Conveniently enough, you’re able to right click on the users in the room list and view their profile with just another click. Their account name is displayed there. Even better, their followers count and views are displayed.
Interesting. I mention to Bryan that it’s probably a 50/50 chance that Tinychat accounts are simply incremental IDs. Let’s go ahead and do some sniffing with Wireshark to analyze the HTTP request upon checking out someone’s profile.
The result is exactly what we were looking for: http://tinychat.com/api/tcinfo?id=3324&format=xml
<result name="strapstarbayb33" background="http://upload.tinychat.com/bg/632611/pixel_freak.png" backgroundcolor="#000000" backgroundpos="top center" backgroundtile="none" biography="" boxbgcolor="#0f0f0f" boxbgheadcolor="#0a0a0a" boxlinkcolor="#6b6b6b" boxtextcolor="#ecd7fa" description="" embedbg="#262626" id="3324" imageurl="" is_vip="0" largelogo="http://upload.tinychat.com/logo/2be606/large/C__Users_kasia_Desktop_Desktop_1109091649_1_.jpg" last_active="1258579175" location="" mediumlogo="http://upload.tinychat.com/logo/2be606/medium/C__Users_kasia_Desktop_Desktop_1109091649_1_.jpg" smalllogo="http://upload.tinychat.com/logo/2be606/small/C__Users_kasia_Desktop_Desktop_1109091649_1_.jpg" username="strapstarbayb33" views="52" website="">
<following followers="1" following="0" is_following="false" />
</result>
That API call gives us everything we want in a format that is incredibly easy to parse. Doing some poking around, we notice that user IDs range from 25 to nearly 5,500,000. ID #25 is a Tinychat developer named Cole who I’ve noticed has 0 followers. He must be lonely, so I decide to follow his account. This is a good time to mention that my account on Tinychat is “hacker”. I have a thing for vanity usernames and I registered for the service very early when it happened to be available.
We now have two things at our disposal:
- A login server for one of the most popular cam-to-cam services on the internet that just so happens to be completely unrated
- A method of harvesting the account name of every single Tinychat user, as well as their follower and view counts
The next step came to both of us without much of a thought process. Bryan happens to be pretty nice with Java, so it’s time to code up something to harvest five million Tinychat accounts and statistics.
This took about 20 hours to complete. Upon completion, we had a CSV file that was 115MB.
Using CSVed, we filtered and deleted rows that contained 0-3 (because we don’t care about inactive, useless accounts) or blanks. This left us with 62,856 rows. Yes, only 1% of Tinychat users are technically “active.” This is almost meaningless data when you consider that the only benefit of registering an account is having the ability to follow another user.
Thankfully, that’s just within the realm that Excel can handle! Having to work with Access or SQL would have been a little annoying, but this worked nicely. We decided that we’d sort our spreadsheet by followers instead of views. Here is a peek at the results:
At this point, we have the account names and analytics of the top 60,000 users on Tinychat. When it comes to cracking accounts, Acunetix’s Authentication Tester is a huge luxury. It works nicely on just about 80% of the sites I’ve played with. Bryan is an overachiever though and wanted to code up our own customized cracker tailored exactly to Tinychat.
That is exactly what he did, and he did a great job of it also (don’t worry about the overlapping window, it’s unrelated to this):
The cracker worked simply and was very effective. You just needed accnts.txt and passwds.txt in the same directory. We decided to run the entire list using the three most common passwords. We’re going for quantity over quality.
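The pattern described above, three common passwords tried once each against tens of thousands of enumerated accounts, never trips a per-account lockout; it only shows up when failures are grouped by source. Added example (not the post’s or Tinychat’s code): Python that flags that spray in constructed login events and models the per-account plus per-IP throttle the login server lacked. The event layout, IPs and limits are assumptions.

```python
from collections import defaultdict
# Constructed events (unix_time, client_ip, account, success): a 40-account spray from one IP, plus a real user who mistypes twice.
EVENTS = [(1000 + i, "203.0.113.7", f"user{i}", False) for i in range(40)] + [
    (1100, "198.51.100.9", "alice", False),
    (1101, "198.51.100.9", "alice", False),
    (1102, "198.51.100.9", "alice", True),
]

def spray_sources(events, window=300, min_accounts=25, max_per_account=3):
    """IPs that within `window` seconds fail against >= min_accounts distinct accounts
    with <= max_per_account tries each: per-account lockout never sees this pattern."""
    by_ip = defaultdict(list)
    for t, ip, acct, ok in sorted(events):
        if not ok:
            by_ip[ip].append((t, acct))
    flagged = set()
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            counts = defaultdict(int)
            for _, acct in fails[start:end + 1]:
                counts[acct] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged.add(ip)
                break
    return flagged

class LoginThrottle:
    """Per-account and per-IP failure counters with a cooldown (assumed limits)."""
    def __init__(self, per_account=5, per_ip=20, cooldown=900):
        self.per_account, self.per_ip, self.cooldown = per_account, per_ip, cooldown
        self.fails = defaultdict(list)  # ("acct", name) or ("ip", addr) -> timestamps
    def _recent(self, key, now):
        self.fails[key] = [t for t in self.fails[key] if now - t < self.cooldown]
        return len(self.fails[key])
    def attempt(self, now, ip, account, ok):
        """Reject (False) before the password check once a counter is exhausted; else admit and record."""
        if (self._recent(("acct", account), now) >= self.per_account
                or self._recent(("ip", ip), now) >= self.per_ip):
            return False
        if not ok:
            self.fails[("acct", account)].append(now)
            self.fails[("ip", ip)].append(now)
        return True

def replay(events, throttle):  # -> (attempts admitted, attempts rejected)
    results = [throttle.attempt(t, ip, a, ok) for t, ip, a, ok in sorted(events)]
    return results.count(True), results.count(False)
```

With the default limits the spray source is cut off after 20 attempts while the legitimate user’s two mistakes cost nothing.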
Right now is a good time to pause and let you know that doing this is practically pointless. Bryan is hilarious and tends to pull off little hacks just to troll and bother people. I am more concerned with monetization. When we come together and collaborate like this, it can go either way. What do we gain from these accounts? Nothing really. At this point, we had practically concluded that it would be next to impossible to hijack any of these accounts to attempt to monetize them. At the very most, we could kick a few people from a room for laughs. We never did any of that though. As a matter of fact, we only logged in to a total of two of the accounts that were cracked as a way of ensuring that we weren’t hitting false positives. We changed nothing and did nothing. This was a hobby hack, one of interest and one that really intrigued us because it was easy and unexpected.
It took hours to finish the list, and here’s what we had when we were done:
You guys have got to stop using passwords like these. That’s just unacceptable. Again, that’s a 60,000 account run of using only three passwords. None of the accounts were compromised or tampered with.
We were amused by this and Bryan went as far as to code up a version of the cracker that was a little more flexible and would let you crack single user accounts by inputting the account name and specifying the name of the password list you wish to use.
It was a little overkill, but we were enjoying ourselves. Again, no harm was done!
A day later (on the 23rd of this month) and at 8:30 AM in the morning when I was laying down for bed (yep), I happened to have my iPod on hand and I was checking a few RSS feeds and browsing through emails. A new email had come in from Tinychat Abuse:
I immediately send an IM to Bryan. It’s 5:30 AM for him on the west coast, but he happened to have just woken up. I let him know about the email and express a little bit of regret. No, not because I am afraid that I am going to be locked up for 20 years and pursued legally TrainReq style, but because a few rookie mistakes on my end seem as if they’re going to cause an abrupt ending to our playtime. We exchange emails back and forth and I’m asked for a brief chat on AIM (after putting up a complete fib of an explanation). I go ahead and get on my laptop. Here’s that email from there:
Let me go ahead and explain now. No, I was not sending out tweets bragging about this little breach. I’m not that type and I’ve been annoyed in the past when others have tried to spin situations in that way. You may be aware of my obsession with ifttt, though. If you’ll look at item #6 in that post, it is completely related.
My Facebook is private to everyone but my friends. I associate with a lot of people who you could consider to be “hackers.” I like those people. Add me on Facebook and you’ll see me having casual conversations with people like Captain Crunch:
(Obvious namedrop, I’m so fucking cool.) So, I decided to send out a series of status updates relevant to this Tinychat situation. I needed help with a few things. Forgetting that all of my status updates are being publicly broadcasted to Twitter, things ended up looking like this:
Well, no one at Tinychat is a moron. If that first tweet wasn’t sinister enough, the second—namely the mention of 5.5mil rows—was awful. Not sure how things could go, I offered this explanation:
Hi. About to head to bed here, but sparing time for a few short answers. I am involved in the affiliate marketing community and have had experiences with large users on YouTube and Twitter (Kandee Johnson, Kim Kardashian) who are open to paid broadcasts on social networks. Have a particular offer that I believe would do well by that same channel on Tinychat.
The Excel tweets, I’m not seeing a correlation. I’ve been attempting to sort a very large email list for use of marketing again.
I noticed my “hacker” account was either deleted or suspended and I’m a little curious why, was it because I followed Cole? I’d like to get that back if I could, I have a thing for vanity screen names.
Sent from my iPod
As mentioned before, I was requested on AIM. Then, Tinychat instead (http://tinychat.com/heartattack to be exact). That made me a little uneasy and I decided that AIM would be the better option.
From there, I am communicating over AIM with Dan Blake, co-founder and CEO of Tinychat.
Right from the start, Dan was very easy to talk to and I was very comfortable. He didn’t come at me as if he was in a suit and tie and ready to throw accusations and legal threats my way. He was very polite and curious.
Again, the guy isn’t stupid and could tell by the nature of those tweets that something was going on. I mentioned that Tinychat had a few vulnerabilities. He asked for me to turn them over. I mention that I am only half of the brain behind this and I’m not totally convinced that Bryan will be alright with me disclosing that information. Dan motivates me. I send Bryan an IM discussing things and he gives me the nod.
From there, I offer a brief and simple explanation of what went down. If Dan looks a little bothered in those emails, I believe it’s because he was under the impression that we had found an SQL injection and we had database tables complete with emails and encrypted passwords. He was thrilled to hear that we did not. Nonetheless, it’s still a vulnerability that could be leveraged to compromise many accounts.
From there, the conversation becomes a little more casual. I’m not going to publicly post it in its entirety because it was a private conversation between the two of us, but there were a few things about Dan that I found really cool and interesting:
- He IMed me from a three-character AIM username. This means that he’s either been around AOL for a long time or he knows the same circle of people I do. AOL is notorious for, well, having accounts compromised and cracked. Later in the conversation he reveals that he has frequented several forums that I have, also.
- He is a CEO, but behaves like a normal dude. He was just like me. He told me several times that I reminded him of himself and that’s pretty cool.
- He never threatened me or tried to make himself seem like he’s a huge CEO and I’m just a peon, and I appreciated that.
- He shared several ideas with me and gave me good advice.
I told Dan how I was involved in affiliate marketing and he shared a startup idea with me that basically summed up to be a broader version of CPABull. I linked him up and he was a little bummed that something similar already existed. He let me in on another of his ideas, one I won’t share here.
I will share two pieces of advice Dan shared with me on the subject of startups:
- Spend the most money on design. You can have a stupid website, but if the design and domain is great, you rise to the top.
- Focus on ideas that are not big at all. If it can be the next Google, eBay or Facebook then skip it. Focus on way smaller things like “a better system for posting to Craigslist” or “an iPhone app that counts bananas”.
The former, I agree with to an extent. He knows more about that than me though. The latter, I completely agree with.
The conversation ended with Dan telling me to “stay the fuck off Tinychat”, to which I replied, “Get reCAPTCHA on your login.” He wasn’t being serious (well, I think) or rude, just a funny guy that was easy to talk to. He also asked for the spreadsheet of Tinychat users. I sent him that later and he then unsuspended my account.
It’s not been long after this exchange, but the vulnerability still exists on Tinychat. Perhaps it isn’t as much of a priority or maybe we’ll see it get patched up within the next couple of days. Either way, please don’t consider me irresponsible for making such an early post. I’m not recommending any of you go and try to crack any Tinychat accounts. It’s basically pointless, anyway.
So, thanks to Dan Blake for the chat and advice. It was cool to talk to a big name in the startup space like him, especially at 8:30 AM in the morning on no sleep.
If you have a userbase that you value, please limit your login attempts!