
Researchers Discover Privacy Vulnerabilities in ChatRoulette

References
Sources: 
http://www.theregister.co.uk/2010/07/15/chatroulette_privacy_flaws/
http://www.cs.colorado.edu/department/publications/reports/docs/CU-CS-1068-10.pdf

Researchers from the University of Colorado at Boulder and McGill University discovered that the website "ChatRoulette" is vulnerable to a number of different attacks, combining social engineering, IP geolocation and a possible "Man in the Middle" attack. The full attack demos will not be released until ChatRoulette has patched the problem, though.

The social engineering attack is a fairly obvious one: pre-recorded videos of attractive women were played back to target users selected at random (as is ChatRoulette's style) and used to encourage the targets to divulge personal information (as the users are mostly men, who are by nature more susceptible to female influence). That information was then used in combination with the next attack to gain more.

IP geolocation was the next step. After the initial communication with ChatRoulette, the TCP handshake for the video stream was performed directly from each user to the other, so the IP address of the other user could be obtained from a packet capture of this handshake. It is then trivial to take the IP address and trace it to a fairly accurate location using tools such as http://ip-adress.com/ip_tracer/ (or IP triangulation tools, which work from ping times measured against servers at precisely known locations around the world).

Man in the Middle was the next phase of their attack. They propose this be done on the client side rather than the server side, making it not a traditional MiTM attack but rather a "Social MiTM". They proposed to do this by opening two separate chats with different users and relaying each user's webcam to the other instead of your own. By doing so, each user would be interacting with the other without ever realising someone was in between. In this manner the interaction between the two could be recorded and, they propose, used for blackmail.

Combining all of this, they proposed using social engineering vectors such as simple questions, or Facebook, to gather more precise information about the user, which could possibly even be used in a phishing attack.
