Welcome to Spyro the Dragon Forums!

#1 Jul 15, 2008 5:07 AM

Doppelgangergang
Banned
Registered: Feb 15, 2008
Posts: 5,033
Gems: 0

Possible exploit found in Spyrochat

I noticed that the SpyroChat sends usernames and passwords in URLs. With the right stuff (I don't wanna go into details) I logged every URL I go to, including this:

http://www.spyrochat.com/index.php?rand=748745461&su=Doppelgangergang&pw=<REMOVED>&

That's the actual URL, minus my password of course. Seriously, if I were running a network and applied my magic on a router, I would have captured your logins when you went on my network and went on Spyrochat.

What do you think?

EDIT: I can also see it on my History.

Offline
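
The exposure described in the post above (a password carried in the query string, so it lands in browser history and in any URL log on the path), shown from the log owner's side as an added example that is not part of the original thread or SpyroChat's code. The `su` and `pw` parameter names come from the URL in the post; the other parameter names, the function names, the `chat.example` host and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# `pw` is the password parameter in the URL quoted in the post; the other
# names are assumed common variants, added for illustration.
SENSITIVE = {"pw", "pass", "passwd", "password", "token"}
URL_RE = re.compile(r"https?://[^\s\"']+")

def redact_url(url):
    """Return (redacted_url, sorted list of sensitive parameter names found)."""
    parts = urlsplit(url)
    found, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            found.append(name)
            value = "REDACTED"
        cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), sorted(found)

def scrub_log(lines):
    """Redact every URL in each log line; return (clean_lines, findings)."""
    clean, findings = [], []
    for lineno, line in enumerate(lines, 1):
        def _sub(match):
            redacted, names = redact_url(match.group(0))
            if names:
                findings.append((lineno, urlsplit(redacted).hostname, names))
            # Leave URLs without sensitive parameters byte-for-byte unchanged.
            return redacted if names else match.group(0)
        clean.append(URL_RE.sub(_sub, line))
    return clean, findings

# Constructed sample proxy-log lines (users, host and values are made up).
SAMPLE_LOG = [
    '10.0.0.5 GET http://chat.example/index.php?rand=1&su=alice&pw=hunter2& 200',
    '10.0.0.5 GET http://chat.example/index.php?room=lobby 200',
    '10.0.0.9 GET http://chat.example/login.php?user=bob&password=s3cret 200',
]

if __name__ == "__main__":
    clean, findings = scrub_log(SAMPLE_LOG)
    for line in clean:
        print(line)
    for lineno, host, names in findings:
        print(f"line {lineno}: {host} carries {names} in the query string")
```

Redaction only cleans the logs you control. The password stops appearing in history and URL logs only when the application sends it in a POST body over HTTPS instead of in the query string.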

#2 Jul 15, 2008 3:43 PM

DragonFireOKN
Member
From: Virginia, United States
Registered: Apr 16, 2007
Posts: 1,576
Gems: 25

Re: Possible exploit found in Spyrochat

I've noticed this ever since I got on the site. Since you could have seen our passwords, something needs to be done.

Offline

#3 Jul 15, 2008 4:49 PM

Doppelgangergang
Banned
Registered: Feb 15, 2008
Posts: 5,033
Gems: 0

Re: Possible exploit found in Spyrochat

Also, I have demonstrated that I can impersonate people.

I can use a program and punch in "DragonFireOKN" and I can chat under your name.

Change your passwords regularly.

Offline

#4 Jul 15, 2008 9:41 PM

Spyrorocks
Administrator
Award: Admin
From: Australia Mate!
Registered: May 21, 2006
Posts: 4,120
Gems: 4
Website

Re: Possible exploit found in Spyrochat

Offline

#5 Jul 17, 2008 8:29 AM

cynderfan
Member
From: WHY ARE YOU READING MY LOCATIO
Registered: Nov 21, 2007
Posts: 1,863
Gems: 0
Website

Re: Possible exploit found in Spyrochat

Oh dear that is bad...

Offline

#6 Jul 17, 2008 5:07 PM

Spyrorocks
Administrator
Award: Admin
From: Australia Mate!
Registered: May 21, 2006
Posts: 4,120
Gems: 4
Website

Re: Possible exploit found in Spyrochat

And doppel, you CANNOT sniff the communications from other people logging in UNLESS they are on the same LAN as you. It's all SERVER side, none of other people's login info passes through your router. It goes from their PC to the Spyroforum Server, where they are authenticated and get a session id unique to them.

I don't know where you came up with this crazy stuff about you being able to log other members over the internet.

Offline

#7 Jul 17, 2008 5:24 PM

Doppelgangergang
Banned
Registered: Feb 15, 2008
Posts: 5,033
Gems: 0

Re: Possible exploit found in Spyrochat

No, it's just a "what-if" scenario for example. :P

Also, can school/work administrators log URLs the students/employees go to? I think they can. :|

(But say hello to my SSL home proxy. :devil:)

Offline

#8 Jul 17, 2008 5:32 PM

Spyrorocks
Administrator
Award: Admin
From: Australia Mate!
Registered: May 21, 2006
Posts: 4,120
Gems: 4
Website

Re: Possible exploit found in Spyrochat

Say Hello to my VPN server.

Offline

#9 Jul 17, 2008 5:39 PM

Doppelgangergang
Banned
Registered: Feb 15, 2008
Posts: 5,033
Gems: 0

Re: Possible exploit found in Spyrochat

I'm going to take a try on doing VPNs.

Offline

#10 Jul 27, 2008 12:09 AM

Hail The Ice Dragon
Member
From: In your ear of course! (:
Registered: May 25, 2008
Posts: 750
Gems: 0

Re: Possible exploit found in Spyrochat

>_< Sounds like a fight... *puts on whistle and black pants with striped shirt* Round 1! Doppel V.S. SR

Offline

#11 Jul 27, 2008 12:16 AM

Aicebo
Member
From: Dark Hollow
Registered: Apr 25, 2008
Posts: 3,308
Gems: 0

Re: Possible exploit found in Spyrochat

Offline

#12 Jul 27, 2008 12:17 AM

Spyrorocks
Administrator
Award: Admin
From: Australia Mate!
Registered: May 21, 2006
Posts: 4,120
Gems: 4
Website

Re: Possible exploit found in Spyrochat

How the heck did you ever think this was a fight? Don't dig up old threads.

Offline

#13 Jul 27, 2008 12:17 AM

DanteAndVergil
Member
From: UK
Registered: Mar 25, 2007
Posts: 2,622
Gems: 0
Birthday: 4 April
Age: 35 years old
Gender: Male

Re: Possible exploit found in Spyrochat

This is best to be locked now as well yeah I have no reason for a change <_>

Offline
