------------------------------------------------------------------
- EXPL-A-2003-023 exploitlabs.com Advisory 023
------------------------------------------------------------------

-= iFriends payment bypass =-

Donnie Werner
co-founder / CTO
e2-labs
http://e2-labs.com

Vulnerability:
----------------
PAYMENT BYPASS FOR REGISTERED USERS

Description of product:
-----------------------
ifriends.com is a multi-million dollar company (Webpower Inc.) with a
low-ball income / profit of $300,000 per day (yes, per DAY). They feature
live, pornographic and non-pornographic webcam and chat on a fee-based
structure. The primary business format is a 50/50 split of the revenue
generated via a per-minute fee from over 1000 live hosts at any one time,
charging on average between $2 and $9 per MINUTE, the rate being set by
the chathost themselves.

Quick math, avg. low figures:

  LH  = 200 hosts live in a PAYING session at any given time
  PR  = $2 fee per minute (lowest)
  HR  = 60 minutes
  PCT = 50 percent of fee

  LH x PR x HR = 200 x $2 x 60 = $24,000 gross per hour
  $24,000 x .5 = $12,000 net profit per hour
  $12,000 x 24 x 365 = $105,120,000 net profit per year (a low estimate)

Quick math, probable figures:

  300 x $4 x 60 = $72,000 gross per hour
  $72,000 x .5 = $36,000 net per hour
  $36,000 x 24 x 365 = $315,360,000, or a bit over $300 million a year

VULNERABILITY / EXPLOIT
======================
1. Bypassing payment timekeeping

Scenario #1
===========
An authorized (V.I.P. or registered) "user" starts a "session" with a
"chathost" in the normal fashion via the browser.

The user concurrently starts a webcam viewing program such as
"webcam-watcher 3".

Viewing the page source in the browser reveals the video host-ip:port
(see http://www.securityfocus.com/archive/1/320267).

The user enters "http://host-ip:port/java.jpg" into the webcam viewer and
presses "go".

The user closes the browser; the image continues, and fees stop accruing.

Exploit detail:
===============
iFriends uses a combination of HTML, JavaScript and Java in their viewing
and, more importantly, timekeeping functions. The basis of this is 3 main
applets:

  1. video
  2. audio
  3. timekeeping

We will focus on the 3rd. See below how the session timekeeping is done
via JavaScript and recorded in the Java applet parameters: the function
fires once a minute from the chat page and reports the client's own clock
reading to the billing CGI, so the meter depends entirely on that browser
page staying open, while the video itself is fetched from a separate
host-ip:port that performs no such check.

------------ SNIP ---------------
// Client-side session timer as served in the chat page (CHATHOST-NAME,
// 1234567 and EILRAHC are the advisory's placeholder values). It re-arms
// itself every 60 seconds; when the page is closed it stops, and so does
// the billing, even if the video stream is still being delivered.
function reportTime() {
    var expdate = new Date();
    expdate.setTime(expdate.getTime());
    window.status = 'Done';
    // Image-beacon GET to the billing CGI. The only time input the server
    // sees is the client's own clock value appended as Time=.
    document.ReportTime.src = 'http://apps.iFriends.net/cgi/iJsChck.exe?screenname=CHATHOST-NAME&sessionID=1234567&PARM5=EILRAHC&Time=' + expdate.getTime();
    // Schedule the next report one minute (60000 ms) from now.
    setTimeout("reportTime()", 60000);
}
---------- SNIP ------------------