Topic closed
#1 Jul 15, 2008 5:07 AM
- Doppelgangergang
- Banned
- Registered: Feb 15, 2008
- Posts: 5,033
- Gems: 0
Possible exploit found in Spyrochat
I noticed that SpyroChat sends usernames and passwords in URLs. With the right stuff (I don't wanna go into details) I logged every URL I go to, including this:
http://www.spyrochat.com/index.php?rand=748745461&su=Doppelgangergang&pw=<REMOVED>&
That's the actual URL, minus my password of course. Seriously, if I were running a network and applied my magic on a router, I would have captured your logins when you went on my network and went on Spyrochat.
What do you think?
EDIT: I can also see it on my History.
Offline
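The URL quoted in post #1 carries the password in its `pw` query parameter, so the value ends up in browser history and in any URL log along the path. The following is an added example, not part of the thread or of SpyroChat's code: it scans log lines for such URLs and redacts the secret before the log is stored or shared. The parameter names other than `pw`, the log line format and the sample values are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as secrets. "pw" is the name used in the
# thread's URL; the other names are assumptions added for this example.
SENSITIVE = {"pw", "pass", "passwd", "password", "token"}
URL_RE = re.compile(r"https?://[^\s\"']+")

def redact_url(url):
    """Return (redacted_url, names_of_redacted_params)."""
    parts = urlsplit(url)
    hits, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            hits.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), hits

def scan_log(lines):
    """Yield (line_number, redacted_line, param_names) for lines leaking a secret."""
    for n, line in enumerate(lines, 1):
        found = []

        def repl(match):
            redacted, hits = redact_url(match.group(0))
            found.extend(hits)
            # Leave URLs without secrets byte-for-byte unchanged.
            return redacted if hits else match.group(0)

        clean = URL_RE.sub(repl, line)
        if found:
            yield n, clean, found

# Constructed sample proxy log lines (not real traffic; user and password are made up).
SAMPLE = [
    "2008-07-15 05:01:10 10.0.0.7 GET http://www.spyrochat.com/index.php?rand=748745461&su=ExampleUser&pw=hunter2 200",
    "2008-07-15 05:01:12 10.0.0.7 GET http://www.example.org/index.php?page=2 200",
]

if __name__ == "__main__":
    for n, clean, names in scan_log(SAMPLE):
        print(f"line {n}: leaked {names} -> {clean}")
```

Redaction only cleans up logs after the fact; the secret stops appearing in URLs only when the login is sent in a POST body over an encrypted connection.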
#2 Jul 15, 2008 3:43 PM
- DragonFireOKN
- Member

- From: Virginia, United States
- Registered: Apr 16, 2007
- Posts: 1,576
- Gems: 25
Re: Possible exploit found in Spyrochat
I've noticed this ever since I got on the site. Since you could have seen our passwords, something needs to be done.
Offline
#3 Jul 15, 2008 4:49 PM
- Doppelgangergang
- Banned
- Registered: Feb 15, 2008
- Posts: 5,033
- Gems: 0
Re: Possible exploit found in Spyrochat
Also, I have demonstrated that I can impersonate people.
I can use a program and punch in "DragonFireOKN" and I can chat under your name.
Change your passwords regularly.
Offline
#4 Jul 15, 2008 9:41 PM
- Spyrorocks
- Administrator


- From: Australia Mate!
- Registered: May 21, 2006
- Posts: 4,122
- Gems: 14
- Website
Re: Possible exploit found in Spyrochat
Communications from the SF server to everyone else are unencrypted.
If someone is sniffing your wireless, they can possibly capture your spyroforum password as you login, or any other password for any site that you visit that has unencrypted communications.
It's really not a big deal. If you are paranoid, get an anonymous VPN. Your spyroforum/spyrochat account is not useful to anyone who is looking for passwords, as they want banking info for credit cards, not a forum account to chat about a purple dragon.
As for impersonation, that's just how IRC works. You can change your nick to anything, unless you use this command in the chat to register your nickname:
/ns register <password> <your email>
To register your nickname so others cannot use it. BUT, if you do that, you will need to type this in every time you log in:
/ns identify <password>

Offline
#5 Jul 17, 2008 8:29 AM
- cynderfan
- Member

- From: WHY ARE YOU READING MY LOCATIO
- Registered: Nov 21, 2007
- Posts: 1,863
- Gems: 0
- Website
Offline
#6 Jul 17, 2008 5:07 PM
- Spyrorocks
- Administrator


- From: Australia Mate!
- Registered: May 21, 2006
- Posts: 4,122
- Gems: 14
- Website
Re: Possible exploit found in Spyrochat
And doppel, you CANNOT sniff the communications from other people logging in UNLESS they are on the same LAN as you. It's all SERVER side, none of other people's login info passes through your router. It goes from their PC to the Spyroforum Server, where they are authenticated and get a session id unique to them.
I don't know where you came up with this crazy stuff about you being able to log other members over the internet.

Offline
#7 Jul 17, 2008 5:24 PM
- Doppelgangergang
- Banned
- Registered: Feb 15, 2008
- Posts: 5,033
- Gems: 0
Re: Possible exploit found in Spyrochat
No, it's just a "what-if" scenario for example.
Also, can school/work administrators log URLs the students/employees go to? I think they can.
(But say hello to my SSL home proxy. :devil:)
Offline
#8 Jul 17, 2008 5:32 PM
- Spyrorocks
- Administrator


- From: Australia Mate!
- Registered: May 21, 2006
- Posts: 4,122
- Gems: 14
- Website
Re: Possible exploit found in Spyrochat
Say Hello to my VPN server.

Offline
#9 Jul 17, 2008 5:39 PM
- Doppelgangergang
- Banned
- Registered: Feb 15, 2008
- Posts: 5,033
- Gems: 0
Re: Possible exploit found in Spyrochat
I'm going to take a try on doing VPNs.
Offline
#11 Jul 27, 2008 12:16 AM
- Aicebo
- Member

- From: Dark Hollow
- Registered: Apr 25, 2008
- Posts: 3,308
- Gems: 0
Re: Possible exploit found in Spyrochat
>_< Sounds like a fight... *puts on whistle and black pants with striped shirt* Round 1! Doppel V.S. SR
Um, this thread is from nine days ago...=S
Everyone knows I only eat Cynder fangirls.
Offline
#12 Jul 27, 2008 12:17 AM
- Spyrorocks
- Administrator


- From: Australia Mate!
- Registered: May 21, 2006
- Posts: 4,122
- Gems: 14
- Website
Re: Possible exploit found in Spyrochat
How the heck did you ever think this was a fight? Don't dig up old threads.

Offline
#13 Jul 27, 2008 12:17 AM
- DanteAndVergil
- Member

- From: UK
- Registered: Mar 25, 2007
- Posts: 2,622
- Gems: 0
- Birthday: 4 April
- Age: 36 years old
- Gender: Male
Re: Possible exploit found in Spyrochat
This is best to be locked now as well yeah I have no reason for a change <_>
Offline

