------------------------------------------------------------------
- EXPL-A-2003-023 exploitlabs.com Advisory 023
------------------------------------------------------------------

-= iFriends payment bypass =-

Donnie Werner
co-founder / CTO e2-labs
http://e2-labs.com

Vulnerability:
--------------
PAYMENT BYPASS FOR REGISTERED USERS

Description of product:
-----------------------
ifriends.com is a multi-million dollar company (WebPower Inc.) with a
conservatively estimated income of $300,000 per day (yes, per DAY).
They offer live pornographic and non-pornographic webcam and chat
sessions on a fee basis. The primary business model is a 50/50 split of
the revenue generated by a per-minute fee from over 1000 live hosts at
any one time, charging on average between $2 and $9 per MINUTE, with
the rate set by the chathost themselves.

Quick math, using low figures:

  LH  = 200 hosts live in a PAYING session at any given time
  PR  = $2 fee per minute (the lowest rate)
  HR  = 60 minutes
  PCT = 50 percent of the fee

  LH x PR x HR = 200 x $2 x 60 = $24,000 gross per hour
  $24,000 x 0.5 = $12,000 net profit per hour
  $12,000 x 24 x 365 = $105,120,000 net profit per year (a low estimate)

Quick math, probable figures:

  300 x $4 x 60 = $72,000 gross per hour
  $72,000 x 0.5 = $36,000 net per hour, or a bit over $300 million a year

VULNERABILITY / EXPLOIT
=======================
1. bypassing payment timekeeping

scenario #1
===========
1. An authorized (V.I.P. or registered) user starts a session with a
   chathost in the normal fashion via the browser.
2. The user concurrently starts a webcam viewing program such as
   "Webcam Watcher 3".
3. Viewing the page source in the browser reveals the video host-ip:port
   (see http://www.securityfocus.com/archive/1/320267).
4. The user enters "http://host-ip:port/java.jpg" into the webcam viewer
   and presses "go".
5. The user closes the browser. The image continues; fees stop accruing.

exploit detail:
===============
iFriends uses a combination of HTML, JavaScript and Java for viewing
and, more importantly, for the timekeeping functions. The basis of this
is three main applets:

  1. video
  2. audio
  3. timekeeping

We will focus on the third. The snippet below shows how session
timekeeping is done via JavaScript in the viewer page, with the session
identifiers recorded in the Java applet parameters. Note that it is the
viewer's browser, not the video host, that reports elapsed time:

------------ SNIP ---------------
function reportTime() {
  var expdate = new Date();
  expdate.setTime(expdate.getTime()); // no-op in the original; kept as found
  window.status = 'Done';
  // The browser reports the session as still running by pointing a hidden
  // image element named ReportTime at the check-in CGI on iFriends' server.
  document.ReportTime.src = 'http://apps.iFriends.net/cgi/iJsChck.exe?screenname=CHATHOST-NAME&sessionID=1234567&PARM5=EILRAHC&Time=' + expdate.getTime();
  // Re-arm: check in again in 60 seconds, for as long as this page stays open.
  setTimeout("reportTime()", 60000);
}
---------- SNIP ------------------

The actual authorization takes place in the ifcam software residing on
the chathost's system. Once ifcam receives a valid authorization code,
the viewer's IP address is authorized for the remainder of the chathost
session. The timekeeping for payment, however, is controlled via the
browser (the reportTime() loop above) and maintains state with the
ifriends.com servers. Closing the original browser window (or modifying
the source, re-rendering, etc.) stops those reports, which effectively
signals iFriends to stop the tracking/timekeeping of that user; this is
done on purpose, to prevent overcharges in case of a connection break.
ifcam, on the other hand, is never told that billing has stopped, so a
viewer that connected to the video source independently of the original
browser window keeps receiving video on the still-authorized IP.
Result: continued video viewing with no accruing charges.

The root cause is that the component enforcing access (ifcam, on the
chathost's PC, keyed on the viewer's IP address) never consults the
component that meters payment (the per-minute check-in to iJsChck.exe),
and the metering signal itself is entirely under the client's control,
so the client can simply stop sending it.

This issue has been a problem for over two years and is a continuation
of the privacy disclosure originally discussed in
http://www.securityfocus.com/archive/1/320267

Local:
------
not really

Remote:
-------
yes

vendor contact:
---------------
I spoke to legal@webpower.com and prepared a proposal as per their
request.

toll free - (800)243-9726
alrogers@ifriends.net
WPI/IFriends
7765 Lake Worth Road, Suite 341
Lake Worth, FL 33467
legal@webpower.com

vendor response:
----------------
They never respond after first contact because they do not care; they
continually break their own promises
(http://www.ifriends.net/legal/privacy.htm). Hint: they make $300
million a year, they don't care. I have repeatedly called and spoken to
the complaint department (he forwarded all requests) and he was very
concerned. Nevertheless... no formal response.

credits:
--------
Donnie Werner
morning_wood@e2-labs.com
http://e2-labs.com
http://exploitlabs.com
http://nothackers.org

thanks:
=======
I would like to thank a very nice couple who helped in verifying the
effectiveness of this exploit (both are registered chathost and VIP
members of ifriends.com).

fun link:
---------
http://www.myifriends.net/general/acw.htm?VIDEOCAMS&http://www.sec.gov/divisions/enforce.shtml
(hint: click "enter")
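The split between one-shot authorization and client-driven metering described in the exploit detail section, modelled as an added example. This is Node.js code written for this page; it is not iFriends or WebPower code, and the billing server, the two video-host models, the rates, the 90-second session TTL, the 10-second frame interval and the IP address are all constructed for the illustration. It replays scenario #1 (browser open and heartbeating for 3 minutes, then closed, while a standalone viewer on the same IP keeps pulling frames for another 10 minutes) against a host that authorizes an IP once, and against a host that serves a frame only while the billing server still considers the session live.

```javascript
// Added example, not iFriends/WebPower code: a model of the metering flaw in
// the advisory and of a server-side fix. All names, rates and times are
// constructed for the illustration.

const HEARTBEAT_MS = 60000;      // matches the setTimeout in reportTime()
const SESSION_TTL_MS = 90000;    // grace after the last heartbeat (assumed)
const FRAME_INTERVAL_MS = 10000; // how often the viewer pulls java.jpg (assumed)

// Billing server: bills one minute per heartbeat and keeps an expiry per session.
class BillingServer {
  constructor() { this.sessions = new Map(); this.nextId = 1; }
  startSession(now) {
    const id = this.nextId++;
    this.sessions.set(id, { minutes: 0, expiresAt: now + SESSION_TTL_MS });
    return id;
  }
  // Called by the browser's reportTime() loop. A heartbeat on an expired
  // session is rejected: the user has to start (and be authorized) again.
  heartbeat(id, now) {
    const s = this.sessions.get(id);
    if (!s || now >= s.expiresAt) return false;
    s.minutes += 1;
    s.expiresAt = now + SESSION_TTL_MS;
    return true;
  }
  isAuthorized(id, now) {
    const s = this.sessions.get(id);
    return Boolean(s) && now < s.expiresAt;
  }
  minutesBilled(id) { return this.sessions.get(id).minutes; }
}

// Flawed model (as the advisory describes ifcam): the client IP is authorized
// once and then served for the rest of the chathost's session, whether or not
// the billing heartbeat is still arriving.
class VideoHostAuthorizeOnce {
  constructor() { this.authorizedIps = new Set(); }
  authorize(ip) { this.authorizedIps.add(ip); }
  serveFrame(client) { return this.authorizedIps.has(client.ip); }
}

// Hardened model: the video host serves a frame only while the billing server
// still considers the session live, so stopping the heartbeat stops the video
// after at most SESSION_TTL_MS.
class VideoHostMetered {
  constructor(billing) { this.billing = billing; }
  serveFrame(client, now) { return this.billing.isAuthorized(client.sessionId, now); }
}

// Scenario #1: browser open (heartbeating) for 3 minutes, then closed; a
// standalone viewer on the same IP keeps pulling frames for 10 more minutes.
function simulate(hardened) {
  const billing = new BillingServer();
  const client = { ip: '203.0.113.7', sessionId: billing.startSession(0) }; // constructed
  let host;
  if (hardened) {
    host = new VideoHostMetered(billing);
  } else {
    host = new VideoHostAuthorizeOnce();
    host.authorize(client.ip); // the one-time authorization code exchange
  }
  const browserOpenMs = 3 * HEARTBEAT_MS;
  const totalMs = 13 * HEARTBEAT_MS;
  let framesBeforeClose = 0;
  let framesAfterClose = 0;
  for (let now = 0; now < totalMs; now += FRAME_INTERVAL_MS) {
    const browserOpen = now < browserOpenMs;
    // Only the open browser sends heartbeats; the standalone viewer never does.
    if (browserOpen && now % HEARTBEAT_MS === 0) billing.heartbeat(client.sessionId, now);
    if (host.serveFrame(client, now)) {
      if (browserOpen) framesBeforeClose += 1; else framesAfterClose += 1;
    }
  }
  return {
    minutesBilled: billing.minutesBilled(client.sessionId),
    framesBeforeClose,
    framesAfterClose,
  };
}

console.log('authorize-once host:', simulate(false));
console.log('metered host:       ', simulate(true));
```

Run it with `node`. Both models bill 3 minutes, because the heartbeat is the only billing input in either case; the difference is that the authorize-once host keeps serving every frame after the browser closes, while the metered host stops within the TTL grace window. The fix is therefore on the video host side: it must ask the billing server (or require a short-lived token that only the billing server renews) before serving, rather than trusting an authorization granted once per IP.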