| Thread ID: 27536 | 2002-11-24 23:55:00 | VERY IMPORTANT MSG FOR ALL CHATF1 USERS | nz_liam (845) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 101192 | 2002-11-24 23:55:00 | This message concerns ALL chatf1 users (www.chatf1.co.nz). I have recently uncovered a BIG security hole in the chatf1 software. The hole arises from the way the passwords are handled by the chatroom: when you sign up, your password is converted into an MD5 hash and then stored on the server. Every time you log in, the login page converts the PWD you typed to an MD5 hash, sees whether it matches the stored value, and if it does it logs you in. This is a problem because I have found a way to suck the MD5 hashes out of the server (this is not a server problem, but a flaw in the chatroom software, and no, I'm not going to tell you how to do it). Once these hashes have been sucked out they can be cracked using a brute force method. This involves taking a number/letter combination, making an MD5 hash of it, and comparing it to the MD5 hash you have obtained from the server. If they match then you have found your password; if they don't match then it increments the number/letter combination by one and tries again, and so on, and so on, until you find a match. Now for a 6 digit alphanumeric password you would have to do this around 4,000,000,000 times (this takes about 5 hours on an Athlon 1.53 GHz machine, I know because I tested it). The major problem arises when a user uses the same password for everything, e.g. internet banking and chatf1. SO YOU HAVE BEEN WARNED, DON'T USE THE SAME PASSWORD FOR CHATF1 AS YOU USE FOR EVERYTHING ELSE, UNLESS IT IS 12 DIGITS (will take around a year to crack on one machine, but many hands (PCs) make light work!), AND YOU CHANGE IT EVERY DAY (EVEN THIS IS NOT RECOMMENDED)! If you have any further questions then post them here or ask me on chatf1, and if in doubt CHANGE YOUR PASSWORD! Cheers Liam |
nz_liam (845) | ||
| 101193 | 2002-11-25 04:06:00 | when can we expect the issue to be fixed?? | robsonde (120) | ||
| 101194 | 2002-11-25 04:09:00 | I doubt it... Any security could be cracked using Brute Force method. I cracked a Lotus Notes User File, 12 Characters long... I used a dictionary though coz it was my password and was using only word combos. Anything IMHO could be cracked with a FAST PC and a lot of patience! |
Chilling_Silence (9) | ||
| 101195 | 2002-11-25 20:58:00 | BTW, be on the look-out for godfather's cat, it has a tendency to change to chocolate at will... ;) | Chilling_Silence (9) | ||
| 101196 | 2002-11-25 21:42:00 | > when can we expect the issue to be fixed?? > robsonde; Unfortunately we can't give you any exact timeframe as to when this will be fixed, or in fact whether it will be fixed at all. Like this forum, we didn't develop the phpMyChat software, we just made a few modifications and hosted it on our server. The developers of PhpMyChat have of course been informed, but as of yet we don't even know if it can be fixed, as it would require radical changes to the way the software handles access to the database. Currently we are working on a 'proof of concept' hack, to prove this can be done, however because the possibility of this particular hack exists we feel it is in everyone's best interest to be informed. We feel it is better to say "We know someone could hack into our system using a certain technique, so make sure you don't use your internet banking password on our chatroom", rather than 6-Mths down the track to say "Sorry about that, we knew someone COULD steal your password, but we didn't think anyone would". Cheers Liam |
nz_liam (845) | ||
| 101197 | 2002-11-25 21:55:00 | > > Currently we are working on a 'proof of concept' hack, to prove this can be done, however because the possibility of this particular hack exists we feel it is in everyone's best interest to be informed. > godfather's cat can do it man.. What more proof do you need? |
Chilling_Silence (9) | ||
| 101198 | 2002-11-25 22:07:00 | > > Currently we are working on a 'proof of concept' hack, to prove this can be done, however because the possibility of this particular hack exists we feel it is in everyone's best interest to be informed. > godfather's cat can do it man.. What more proof do you need? That is another totally unrelated hole CS; which allows unregistered users to sneak into the chat (using a bit of Kiwi ingenuity), it is absolutely nothing to do with hacking the database, (nor have we done so yet.... however the possibility does exist). Cheers Liam |
nz_liam (845) | ||
| 101199 | 2002-11-25 22:29:00 | QUESTION: How do you change your password? I've looked at "My Settings" and there is nothing for changing password.... |
nzStan (440) | ||
| 101200 | 2002-11-25 22:39:00 | nzStan, This is the chatF1 chatroom (www.chatf1.net.nz) you're talking about right, NOT pressF1? I have already had a user confuse the two. ChatF1 is completely separate from PressF1. If you need to change your 'ChatF1' password then email me (liam@farr.net.nz) and I'll send you a graphical guide which I have already created for another user. Cheers Liam |
nz_liam (845) | ||
| 101201 | 2002-11-26 00:46:00 | > godfather's cat can do it man.. What more proof do you need? not only can his cat do it, so can your laptop, Tim(c)*^@# and your alter ego :p |
raddersnz (684) | ||
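
The storage scheme the first post describes (a bare MD5 of the password) set beside a salted, slow alternative, as an added example that is not part of the thread and is not phpMyChat code. PBKDF2-HMAC-SHA256, the iteration count and the sample password are assumptions; the time estimate reuses the post's own figures (about 4,000,000,000 guesses in about 5 hours) and is only a rough scaling.

```python
import hashlib
import hmac
import os

# Figures quoted in the first post: ~4,000,000,000 guesses in ~5 hours.
POST_GUESSES = 4_000_000_000
POST_HOURS = 5
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your own hardware


def legacy_md5(password):
    """Scheme described in the post: unsalted MD5, identical for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def implied_guess_rate():
    """Guesses per second implied by the post's figures for plain MD5."""
    return POST_GUESSES / (POST_HOURS * 3600)


def hours_to_exhaust(keyspace, guesses_per_second):
    return keyspace / guesses_per_second / 3600


def slowed_hours(keyspace, work_factor):
    """Rough estimate: every guess now costs about work_factor hash operations."""
    return hours_to_exhaust(keyspace, implied_guess_rate() / work_factor)


if __name__ == "__main__":
    pw = "kiwi42"  # constructed sample password
    print("two users, same MD5:", legacy_md5(pw) == legacy_md5(pw))
    (s1, d1), (s2, d2) = hash_password(pw), hash_password(pw)
    print("two users, same salted digest:", d1 == d2)
    print("plain MD5 hours:", hours_to_exhaust(POST_GUESSES, implied_guess_rate()))
    print("slow KDF hours:", slowed_hours(POST_GUESSES, PBKDF2_ITERATIONS))
```

With a per-user salt, two accounts sharing a password no longer share a stored value, and the work factor multiplies the cost of every guess against a leaked table.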