TeaChat IM Compromised

Oct 13th, '10, 23:41
Posts: 21651
Joined: Apr 22nd, '06, 20:52
Scrolling: scrolling
Location: Back in the TeaCave atop Mt. Fuji

TeaChat IM Compromised

by Chip » Oct 13th, '10, 23:41

Tonight the TeaChat IM was apparently [EDIT] compromised.

I would suggest disabling chat ... and do not respond, do not click on links!!!

Oct 14th, '10, 00:28
Posts: 21651
Joined: Apr 22nd, '06, 20:52
Scrolling: scrolling
Location: Back in the TeaCave atop Mt. Fuji

Re: TeaChat IM hacked

by Chip » Oct 14th, '10, 00:28

And definitely ignore suspicious IM posts.

They had borrowed several members' names and avatars. So ... all is not as it appears on the IM at this time!

Oct 14th, '10, 10:01
Posts: 21651
Joined: Apr 22nd, '06, 20:52
Scrolling: scrolling
Location: Back in the TeaCave atop Mt. Fuji

Re: TeaChat IM hacked

by Chip » Oct 14th, '10, 10:01

I just spoke to Ilya, the IM will likely be down through the weekend while safeguards are integrated into the IM.

The forum was never compromised, nor were members' identities on the forum. The issue was with the IM, which is a separate application.

I believe 2 members' IDs were "borrowed" on the IM, Brandon's and EdKrueger's, so if you were reading the IM and saw their comments during this time, it was not actually them making the comments. Apologies to both members!

OK, see you on the forum ...

Chip
Immoderate TeaDrinker who happens to Moderate

Oct 15th, '10, 13:52
Posts: 53
Joined: May 5th, '09, 09:13

Re: TeaChat IM Compromised

by rabbitsib » Oct 15th, '10, 13:52

That explains it all.

Oct 15th, '10, 15:20
Posts: 1501
Joined: Mar 19th, '06, 12:42
Scrolling: scrolling
Location: On the couch
Contact: Proinsias

Re: TeaChat IM Compromised

by Proinsias » Oct 15th, '10, 15:20

oh dear. I wouldn't be stealing Brandon's info, that guy owns a sword

Oct 15th, '10, 17:34
Posts: 1508
Joined: Sep 25th, '07, 19:51
Scrolling: scrolling
Contact: brandon

Re: TeaChat IM Compromised

by brandon » Oct 15th, '10, 17:34

Proinsias wrote: oh dear. I wouldn't be stealing Brandon's info, that guy owns a sword
Haha! Actually, a friend of mine has a pretty serious sword collection, but I am blade-less.

I believe the attack went something like this. The chat box is an iframe with a basic HTML form in it. It is written in such a way that the username and icon are passed, in clear text, as part of the URL of the iframe (the GET string). This has been abused in the past to impersonate users, and has been improved slightly to include a secret token - in theory, known only to yourself.

The 'attacker' was mostly interested in spamming the chat with a link to his store. Anyone, including myself, who clicked the link for amusement (the guy WAS quite amusing), showed up in the web log of the attacker with a Referrer indicating the URL of the Chat iframe, including the 'secret' token. He could now post as this person quite effortlessly.

Lesson 1: Don't click the links of a spammer, they might be more clever than you give them credit for.

Lesson 2: Don't secure a web session using text that is part of the URL.

Chip, no apology necessary, thanks for looking out.
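
The leak described in the post above, as an added example that is not part of the original thread or the chat application's code: it computes the Referer header a browser sends when a link inside the chat iframe is clicked, and which sensitive query parameters the destination's web log would capture. The host names, the parameter names `user`, `icon` and `token`, and the token value are constructed. Browsers of that period sent the full URL by default (`no-referrer-when-downgrade`); current browsers default to `strict-origin-when-cross-origin`.

```javascript
// Added example: Referer sent on a navigation, per Referrer-Policy value.
// "Downgrade" is simplified here to https -> non-https.
function refererFor(pageUrl, targetUrl, policy) {
  const from = new URL(pageUrl);
  const to = new URL(targetUrl);
  from.hash = "";                          // fragments are never sent
  from.username = ""; from.password = "";  // credentials are stripped
  const full = from.href;
  const originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Names of sensitive query parameters the destination site would see in its log.
function leakedParams(pageUrl, targetUrl, policy, sensitive) {
  const referer = refererFor(pageUrl, targetUrl, policy);
  if (referer === null) return [];
  const params = new URL(referer).searchParams;
  return sensitive.filter((name) => params.has(name));
}

// Constructed URLs: chat iframe with identity in the GET string, and a fixed variant.
const CHAT_IFRAME = "http://chat.example/box?user=alice&icon=7&token=CONSTRUCTED-TOKEN";
const FIXED_IFRAME = "http://chat.example/box"; // identity held in a cookie-backed session
const SPAM_LINK = "http://shop.example/";
const SENSITIVE = ["user", "token"];

for (const policy of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin"]) {
  console.log(policy, "->", leakedParams(CHAT_IFRAME, SPAM_LINK, policy, SENSITIVE));
}
console.log("no token in URL ->", leakedParams(FIXED_IFRAME, SPAM_LINK, "unsafe-url", SENSITIVE));
```

A restrictive Referrer-Policy only narrows this one channel; a token in the URL still ends up in browser history, proxy logs and server logs, which is why keeping it out of the URL is the actual fix.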

Oct 15th, '10, 19:25
Posts: 675
Joined: Feb 14th, '06, 22:09
Location: A briar patch.

Re: TeaChat IM Compromised

by rabbit » Oct 15th, '10, 19:25

I was wondering if something like this would happen, those IMs are notoriously easy to mess with. Still can't wait to have it back though.

Oct 15th, '10, 20:20
Posts: 21651
Joined: Apr 22nd, '06, 20:52
Scrolling: scrolling
Location: Back in the TeaCave atop Mt. Fuji

Re: TeaChat IM Compromised

by Chip » Oct 15th, '10, 20:20

Thanks for posting.

I too clicked on the link, moderator guinea pig. I immediately got a spyware alert/block. Perhaps this also prevented my name from being used. I sure antagonized "Brandon" and "Ed Krueger" and if they could, I suspect they would have used my ID as well.

To echo what Brandon mentioned, do not click on spammer or suspicious links on the IM ... or on the forum for that matter.

Yeah, TeaChat feels ... different w/o the IM.

Oct 15th, '10, 21:57
Posts: 807
Joined: Jul 9th, '10, 11:17
Location: Florida

Re: TeaChat IM Compromised

by TwoPynts » Oct 15th, '10, 21:57

If anyone is interested, I have a serviceable 2 handed bastard sword available to deal with spammer/hackers. I have a katana as well, but more just for show.

Oct 17th, '10, 09:40
Posts: 1419
Joined: Oct 5th, '09, 05:03
Location: UK

Re: TeaChat IM Compromised

by Alex » Oct 17th, '10, 09:40

Chip wrote: TeaChat feels ... different w/o the IM.
:( :| :? :cry: These are some of the faces I've pulled over the weekend when logging on.

Oct 17th, '10, 11:50
Posts: 21651
Joined: Apr 22nd, '06, 20:52
Scrolling: scrolling
Location: Back in the TeaCave atop Mt. Fuji

Re: TeaChat IM Compromised

by Chip » Oct 17th, '10, 11:50

BTW, I obviously "fully" banned the IM spammer member in question.

BTW II, he rejoined today, crafty little fellah. And this time spammed the forum. His links were not clickable due to spam prevention we have in place. However the links were there. His site is infected with spyware and who knows what else.


Which brings me again to this. Only click on links of members you recognize and trust. In the case of this spammer, I don't think anyone in their right mind would have clicked on such obvious spam ... so just use some common sense.

Oct 17th, '10, 12:47
Posts: 1508
Joined: Sep 25th, '07, 19:51
Scrolling: scrolling
Contact: brandon

Re: TeaChat IM Compromised

by brandon » Oct 17th, '10, 12:47

Zensuji wrote:
Chip wrote: TeaChat feels ... different w/o the IM.
:( :| :? :cry: These are some of the faces I've pulled over the weekend when logging on.
toki wrote: *sniff* IM *sniff*

Oct 17th, '10, 12:53
Posts: 675
Joined: Feb 14th, '06, 22:09
Location: A briar patch.

Re: TeaChat IM Compromised

by rabbit » Oct 17th, '10, 12:53


Nov 2nd, '10, 12:13
Posts: 21651
Joined: Apr 22nd, '06, 20:52
Scrolling: scrolling
Location: Back in the TeaCave atop Mt. Fuji

Re: TeaChat IM Compromised

by Chip » Nov 2nd, '10, 12:13

They're baaaaaaaaack. :evil: As of today around noon Eastern time.

Just to reinforce earlier comments. DO NOT CLICK ON LINKS ON THE IM UNLESS YOU ARE 100% CERTAIN OF THE AUTHOR.

Again, the hacker is using Brandon's and EdKrueger's ID on the IM only.

The IM was taken down within minutes of the compromise today. This hacker used the info obtained from the original compromise.

The links are for "go buy vogue" and "new fashion 4 biz". I believe these sites are dangerous and should not be accessed by members!!!

Nov 2nd, '10, 12:23
Posts: 807
Joined: Jul 9th, '10, 11:17
Location: Florida

Re: TeaChat IM Compromised

by TwoPynts » Nov 2nd, '10, 12:23

Thanks chip. :(
