Tonight the TeaChat IM was apparently [EDIT] compromised.
I would suggest disabling chat ... and do not respond, do not click on links!!!
Oct 13th, '10, 23:41
Posts: 20891
Joined: Apr 22nd, '06, 20:52
Scrolling: scrolling
Location: Back in the TeaCave atop Mt. Fuji
Oct 14th, '10, 00:28
Re: TeaChat IM hacked
And definitely ignore suspicious IM posts.
They had borrowed several members' names and avatars. So ... all is not as it appears on the IM at this time!
Oct 14th, '10, 10:01
Re: TeaChat IM hacked
I just spoke to Ilya, the IM will likely be down through the weekend while safeguards are integrated into the IM.
The forum was never compromised, nor were members' identities on the forum. The issue was with the IM which is a separate application.
I believe 2 members' IDs were "borrowed" on the IM, Brandon's and EdKrueger's, so if you were reading the IM and saw their comments during this time, it was not actually them making the comments. Apologies to both members!
OK, see you on the forum ...
Chip
Immoderate TeaDrinker who happens to Moderate
Oct 15th, '10, 15:20
Posts: 1483
Joined: Mar 19th, '06, 12:42
Scrolling: scrolling
Location: On the couch
Proinsias
Re: TeaChat IM Compromised
Proinsias wrote: oh dear. I wouldn't be stealing Brandon's info, that guy owns a sword
Haha! Actually, a friend of mine has a pretty serious sword collection, but I am blade-less.
I believe the attack went something like this. The chat box is an iframe with a basic HTML form in it. It is written in such a way that the username and icon are passed, in clear text, as part of the URL of the iframe (the GET string). This has been abused in the past to impersonate users, and has been improved slightly to include a secret token - in theory, known only to yourself.
The 'attacker' was mostly interested in spamming the chat with a link to his store. Anyone, including myself, who clicked the link for amusement (the guy WAS quite amusing), showed up in the web log of the attacker with a Referrer indicating the URL of the Chat iframe, including the 'secret' token. He could now post as this person quite effortlessly.
Lesson 1: Don't click the links of a spammer, they might be more clever than you give them credit for.
Lesson 2: Don't secure a web session using text that is part of the URL.
Chip, no apology necessary, thanks for looking out.
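The Referer leak described in the post above, modelled as an added example (not part of the thread and not TeaChat's code). The host names and the `user`, `icon` and `token` parameter names are assumptions, and all URLs are constructed.

```javascript
// Constructed sample of the chat iframe URL shape the post describes.
// Host and parameter names are hypothetical.
const CHAT_IFRAME_URL =
  'http://chat.example.test/box.php?user=alice&icon=7&token=s3cr3t-constructed';

// Referer value a browser attaches when a link inside `pageUrl` is followed
// to `targetUrl`, for a subset of Referrer-Policy values.
function refererSent(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  page.hash = '';                      // fragments are never sent
  page.username = '';                  // nor are embedded credentials
  page.password = '';
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === 'https:' && target.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'same-origin':
      return sameOrigin ? page.href : null;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return page.href;
      return downgrade ? null : page.origin + '/';
    case 'no-referrer-when-downgrade': // historical browser default
      return downgrade ? null : page.href;
    default:
      throw new Error('policy not modelled: ' + policy);
  }
}

// Session-bearing parameters that end up in a third party's access log
// once it receives `referer`.
function exposedParams(referer, sensitive = ['token', 'user']) {
  if (!referer) return {};
  const query = new URL(referer).searchParams;
  const found = {};
  for (const name of sensitive) {
    if (query.has(name)) found[name] = query.get(name);
  }
  return found;
}
```

A restrictive `Referrer-Policy` only closes this one channel; a token in the URL still lands in server logs, proxies and browser history, so the session secret belongs in a cookie or request body instead.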
Re: TeaChat IM Compromised
I was wondering if something like this would happen, those IMs are notoriously easy to mess with. Still can't wait to have it back though.
Oct 15th, '10, 20:20
Re: TeaChat IM Compromised
Thanks for posting.
I too clicked on the link, moderator guinea pig. I immediately got a spyware alert/block. Perhaps this also prevented my name from being used. I sure antagonized "Brandon" and "Ed Krueger" and if they could, I suspect they would have used my ID as well.
To echo what Brandon mentioned, do not click on spammer or suspicious links on the IM ... or on the forum for that matter.
Yeah, TeaChat feels ... different w/o the IM.
Re: TeaChat IM Compromised
If anyone is interested, I have a serviceable 2 handed bastard sword available to deal with spammer/hackers. I have a katana as well, but more just for show.
Re: TeaChat IM Compromised
Chip wrote: TeaChat feels ... different w/o the IM.
Oct 17th, '10, 11:50
Re: TeaChat IM Compromised
BTW, I obviously "fully" banned the IM spammer member in question.
BTW II, he rejoined today, crafty little fellah. And this time spammed the forum. His links were not clickable due to spam prevention we have in place. However the links were there. His site is infected with spyware and who knows what else.
Which brings me again to this. Only click on links of members you recognize and trust. In the case of this spammer, I don't think anyone in their right mind would have clicked on such obvious spam ... so just use some common sense.
Re: TeaChat IM Compromised
Zensuji wrote: Chip wrote: TeaChat feels ... different w/o the IM.
These are some of the faces I've pulled over the weekend when logging on.
toki wrote: *sniff* IM *sniff*
Nov 2nd, '10, 12:13
Re: TeaChat IM Compromised
They're baaaaaaaaack.
As of today around noon Eastern time.
Just to reinforce earlier comments. DO NOT CLICK ON LINKS ON THE IM UNLESS YOU ARE 100% CERTAIN OF THE AUTHOR.
Again, the hacker is using Brandon's and EdKrueger's ID on the IM only.
The IM was taken down within minutes of the compromise today. This hacker used the info obtained from the original compromise.
The links are for "go buy vogue" and "new fashion 4 biz". I believe these sites are dangerous and should not be accessed by members!!!