TeaChat IM Compromised


Forum problem solving, rules, contact information

TeaChat IM Compromised

Postby Chip » Oct 13th, '10, 23:41

Tonight the TeaChat IM was apparently [EDIT] compromised.

I would suggest disabling chat ... and do not respond, do not click on links!!!
User avatar
Chip
Mod/Admin
 
Posts: 22113
Joined: Apr 22nd, '
Location: Back in the TeaCave atop Mt. Fuji

Re: TeaChat IM hacked

Postby Chip » Oct 14th, '10, 00:28

And definitely ignore suspicious IM posts.

They had borrowed several members' names and avatars. So ... all is not as it appears on the IM at this time!
User avatar
Chip
Mod/Admin
 
Posts: 22113
Joined: Apr 22nd, '
Location: Back in the TeaCave atop Mt. Fuji

Re: TeaChat IM hacked

Postby Chip » Oct 14th, '10, 10:01

I just spoke to Ilya, the IM will be likely be down through the weekend while safeguards are integrated into the IM.

The forum was never compromised, nor were members' identities on the forum. The issue was with the IM which is a seperate application.

I believe 2 members' IDs were "borrowed" on the IM, Brandon's and EdKrueger's, so if you were reading the IM and saw their comments during this time, it was not actually them making the comments. Apologies to both members!

OK, see you on the forum ...

Chip
Immoderate TeaDrinker who happens to Moderate
User avatar
Chip
Mod/Admin
 
Posts: 22113
Joined: Apr 22nd, '
Location: Back in the TeaCave atop Mt. Fuji

Re: TeaChat IM Compromised

Postby rabbitsib » Oct 15th, '10, 13:52

That explains it all.
User avatar
rabbitsib
 
Posts: 57
Joined: May 5th, '0

Re: TeaChat IM Compromised

Postby Proinsias » Oct 15th, '10, 15:20

oh dear. I wouldn't be stealing Brandon's info, that guy owns a sword
Proinsias
 
Posts: 1535
Joined: Mar 19th, '
Location: On the couch

Re: TeaChat IM Compromised

Postby brandon » Oct 15th, '10, 17:34

Proinsias wrote:oh dear. I wouldn't be stealing Brandon's info, that guy owns a sword


Haha! Actually, a friend of mine has a pretty serious sword collection, but I am blade-less.

I believe the attack went something like this. The chat box is an iframe with a basic HTML form in it. It is written in such a way that the username and icon are passed, in clear text, as part of the URL of the iframe (the GET string).This has been abused in the past to impersonate users, and has been improved slightly to include a secret token - in theory, known only to yourself.

The 'attacker' was mostly interested in spamming the chat with a link to his store. Anyone, including myself, who clicked the link for amusement (the guy WAS quite amusing), showed up in the web log of the attacker with a Referrer indicating the URL of the Chat iframe, including the 'secret' token. He could now post as this person quite effortlessly.

Lesson 1: Don't click the links of a spammer, they might be more clever than you give them credit for.

Lesson 2: Don't secure a web session using text that is part of the URL.

Chip, no apology necessary, thanks for looking out.
User avatar
brandon
 
Posts: 1542
Joined: Sep 25th, '

Re: TeaChat IM Compromised

Postby rabbit » Oct 15th, '10, 19:25

I was wondering if something like this would happen, those IM's a notoriously easy to mess with. Still can't wait to have it back though.
User avatar
rabbit
 
Posts: 713
Joined: Feb 14th, '
Location: A briar patch.

Re: TeaChat IM Compromised

Postby Chip » Oct 15th, '10, 20:20

Thanks for posting.

I too clicked on the link, moderator guinea pig. I immediately got a spyware alert/block. Perhaps this also prevented my name from being used. I sure antagonized "Brandon" and "Ed Krueger" and if they could, I suspect they would have used my ID as well.

To echo what Brandon mentioned, do not click on spammer or suspicious links on the IM ... or on the forum for that matter.

Yeah, TeaChat feels ... different w/o the IM.
User avatar
Chip
Mod/Admin
 
Posts: 22113
Joined: Apr 22nd, '
Location: Back in the TeaCave atop Mt. Fuji

Re: TeaChat IM Compromised

Postby TwoPynts » Oct 15th, '10, 21:57

If anyone is interested, I have a servicable 2 handed bastard sword available to deal with spammer/hackers. I have a katana as well, but more just for show.
User avatar
TwoPynts
 
Posts: 875
Joined: Jul 9th, '1
Location: Florida

Re: TeaChat IM Compromised

Postby Alex » Oct 17th, '10, 09:40

Chip wrote:TeaChat feels ... different w/o the IM.

:( :| :? :cry: These are some of the faces I've pulled over the weekend when logging on.
User avatar
Alex
 
Posts: 1012
Joined: Oct 5th, '0
Location: UK

Re: TeaChat IM Compromised

Postby Chip » Oct 17th, '10, 11:50

BTW, I obviously "fully" banned the IM spammer member in question.

BTW II, he rejoined today, crafty little fellah. And this time spammed the forum. His links were not clickable due to spam prevention we have in place. However the links were there. His site is infected with spyware and who knows what else.


Which brings me again to this. Only click on links of members you recognize and trust. In the case of this spammer, I don't think anyone in their right mind would have clicked on such obvious spam ... so just use some common sense.
User avatar
Chip
Mod/Admin
 
Posts: 22113
Joined: Apr 22nd, '
Location: Back in the TeaCave atop Mt. Fuji

Re: TeaChat IM Compromised

Postby brandon » Oct 17th, '10, 12:47

Zensuji wrote:
Chip wrote:TeaChat feels ... different w/o the IM.

:( :| :? :cry: These are some of the faces I've pulled over the weekend when logging on.


toki wrote:Image*sniff* IM *sniff*
User avatar
brandon
 
Posts: 1542
Joined: Sep 25th, '

Re: TeaChat IM Compromised

Postby rabbit » Oct 17th, '10, 12:53

Image
User avatar
rabbit
 
Posts: 713
Joined: Feb 14th, '
Location: A briar patch.

Re: TeaChat IM Compromised

Postby Chip » Nov 2nd, '10, 12:13

They're baaaaaaaaack. :evil: As of today around noon Eastern time.

Just to reinforce earlier comments. DO NOT CLICK ON LINKS ON THE IM UNLESS YOU ARE 100% CERTAIN OF THE AUTHOR.

Again, the hacker is using Brandon's and EdKrueger's ID on the IM only.

The IM was taken down within minutes of the compromise today. This hacker used the onfo obtained from the original compromise.

The links are for "go buy vogue" and "new fashion 4 biz" I believe these sites are dangerous and should not be accessed by members!!!
User avatar
Chip
Mod/Admin
 
Posts: 22113
Joined: Apr 22nd, '
Location: Back in the TeaCave atop Mt. Fuji

Re: TeaChat IM Compromised

Postby TwoPynts » Nov 2nd, '10, 12:23

Thanks chip. :(

Image
User avatar
TwoPynts
 
Posts: 875
Joined: Jul 9th, '1
Location: Florida

Next

Instant Messenger

Permissions
You cannot post new topics
You cannot reply to topics
You cannot edit your posts
You cannot delete your posts
You cannot post attachments
Navigation