Here are the contents of the e-mail I sent to iFriends on Sunday, February 4th:
It has come to my attention that guests have the ability to view private and pay sessions free of charge. This is due to the weak security of the "privacy screen". Using a flash decompiler, one can download the flash used on your website, decompile it, remove the privacy filter, and recompile it... then, using a proxy configured to pass through all traffic, except for the flash files on your end, the person wishing to exploit your system can serve their modified flash files in place of yours. This allows complete and 100% uncensored access to the stream, that does not end when a session is taken private... This uncensored guest access applies to the entire Cat Call platform, plus iFriends.net for any chathost utilizing the flash "EasyCam" software. Since users are guests, all region blocking in place by the chathost is also completely ignored. This is a huge privacy issue, and demands your immediate attention.
This exploit affects the websites iFriends.net, TotallyFreeCams.com, SizzlingCams.com, and IncredibleCams.com. Chathosts are encouraged to stop using the EasyCam method until iFriends has announced a solution.
Let me again make it clear... the reason I am releasing information about this exploit is that I feel that if such an exploit affects the privacy of the chathosts of iFriends.net, those chathosts have the right to know about such an exploit.
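The weakness described in the e-mail is that the privacy screen and the guest restrictions are enforced inside the Flash file, which runs on the viewer's machine. As an added example (not code from iFriends or from this post; the server model and every name in it are assumptions), here are the same decisions made on the server, so that a modified client is simply never sent media it is not entitled to:

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical server-side model; the page does not describe the real back end.

@dataclass
class Viewer:
    account_id: Optional[str]          # None = unauthenticated guest
    region: str                        # resolved by the server, never taken from the client
    paid_sessions: set = field(default_factory=set)

@dataclass
class Session:
    session_id: str
    mode: str                          # "public", "private" or "pay"
    blocked_regions: set = field(default_factory=set)

def may_receive_stream(viewer: Viewer, session: Session) -> bool:
    """Decide whether the media server sends any video to this viewer."""
    if viewer.region in session.blocked_regions:
        return False                   # region block applies to guests as well
    if session.mode == "public":
        return True
    if viewer.account_id is None:
        return False                   # guests never get private or pay video
    return session.session_id in viewer.paid_sessions

def on_mode_change(session: Session, new_mode: str, connected: list) -> list:
    """Re-check every open connection when the host changes mode.

    Returns the viewers whose streams must be closed, so access ends
    when a session is taken private instead of being hidden client-side.
    """
    session.mode = new_mode
    return [v for v in connected if not may_receive_stream(v, session)]

if __name__ == "__main__":
    # Constructed sample data.
    show = Session("s1", "public", blocked_regions={"AA"})
    guest = Viewer(None, "BB")
    payer = Viewer("u1", "BB", {"s1"})
    print(may_receive_stream(guest, show))                  # public session
    print(len(on_mode_change(show, "private", [guest, payer])))
```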
12 comments:
yea... they don't wanna admit they got issues...
really interesting exploit you got there... i'll be sure to use this to pentest some of my applications... what other type of flash related exploits/security holes do you know of?
i'm very interested in flash related security...
i liked how you used a proxy to bullshit the server into using your own content... is this how you got past the crossdomain issue with the flash player?
how about ifriends v2?
i think that they have fixed the problem with the new chat platform. does anyone else have any information?
They totally misinformed me about this to the point I am extremely ticked off. I am a female ejaculator and like anyone else, what I do is not for people to see FREE on a paysite !!
Hi, this is me again... I found out about you from hony's forum... Ifriends is never going to have me put links to websites for them as they need to have the brain know what the hand is doing and stop losing chathosts !!!!!!! They are a nightmare if someone is a chathost/webmaster joysquirt dot com aka squirtlady
Mister Nobody - do you have the archive scanner script(s) SneayJoe from Strix came up with? If so, would you mind posting them or sending them my way? Thanks.
shanevictoATgmail.com
I just posted my old camera hack up on http://www.somedodgywebsite.com/phpbb/viewtopic.php?f=5&t=37&p=38#p38
With my applet you could get all the video for free, without the host even knowing you're watching. Worked for 2 years, maybe some of the code would be good for someone.
Does anyone by any chance know the link for the Archive scanner, i am trying to experiment with my page to see if i can find hidden files....Thank You all for any help
strange but i don't have REGISTER NOW letters in front of video, whole video is clear and good.
jaanpht AT starline.ee
I just posted my old camera hack up on http://www.somedodgywebsite.com/phpbb/viewtopic.php?f=5&t=37&p=38#p38
>>>the site is blocked. Can you please host the file on another server?
regards, jaanpht AT starline.ee