VERY IMPORTANT MSG FOR ALL CHATF1 USERS



nz_liam
25-11-2002, 12:55 PM
This message concerns ALL chatf1 users (www.chatf1.co.nz)

I have recently uncovered a BIG security hole in the chatf1 software, the hole arises from the way the passwords are handled by the chatroom, when you sign up your password is converted into an MD5 hash, and then stored on the server, every time you login the login page converts the PWD you typed to an MD5 hash, sees whether it matches the stored value, and if it does it logs you in.

This is a problem because I have found a way to suck the MD5 hashes out of the server (this is not a server problem, but a flaw in the chatroom software, and no I'm not going to tell you how to do it), once these hashes have been sucked out they can be cracked using a brute force method. This involves taking a number/letter combination, making an MD5 hash of it, and comparing it to the MD5 hash you have obtained from the server, if they match then you have found your password, if they don't match then it increments the number/letter combination by one and tries again, and so on, and so on, until you find a match. Now for a 6 digit alphanumeric password you would have to do this around 4,000,000,000 times (this takes about 5 hours on an Athlon 1.53 GHz machine, I know because I tested it).

The major problem arises when a user uses the same password for everything... e.g. internet banking and chatf1....

SO YOU HAVE BEEN WARNED, DON'T USE THE SAME PASSWORD FOR CHATF1 AS YOU USE FOR EVERYTHING ELSE, UNLESS IT IS 12 DIGITS, (Will take around a year to crack, on one machine, but many hands (PC's) make light work!), AND YOU CHANGE IT EVERY DAY, (EVEN THIS IS NOT RECOMMENDED)!

If you have any further questions then post them here or ask me on chatf1, and if in doubt CHANGE YOUR PASSWORD!


Cheers

Liam
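
Added example (not part of the original thread, and not phpMyChat's code): the first post describes passwords stored as bare MD5 hashes. This Python sketch contrasts that record with a salted, deliberately slow PBKDF2 record and upgrades a legacy MD5 record at the user's next successful login; the record format, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def legacy_md5(password: str) -> str:
    """The scheme described in the post: bare, unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow record in the form algo$iterations$salt$derived_key."""
    salt = os.urandom(16)  # fresh random salt for every record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str):
    """Return (ok, replacement_record).

    A legacy MD5 record that matches is upgraded on login, so old hashes
    disappear from the database as users sign in.
    """
    if "$" not in stored:  # legacy record: 32 hex characters of MD5
        ok = hmac.compare_digest(legacy_md5(password), stored)
        return ok, (hash_password(password) if ok else None)
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex), None


if __name__ == "__main__":
    pw = "kiwi42"  # constructed sample password
    # Unsalted MD5: every account with this password stores the same value,
    # and checking one guess costs a single fast hash.
    print("MD5 records identical:", legacy_md5(pw) == legacy_md5(pw))
    # Salted KDF: same password, different records, ITERATIONS rounds per guess.
    print("PBKDF2 records identical:", hash_password(pw) == hash_password(pw))
    ok, upgraded = verify(pw, legacy_md5(pw))
    print("legacy login ok:", ok, "| new record scheme:", upgraded.split("$")[0])
```

The salt makes every stored record unique even for identical passwords, and the iteration count multiplies the cost of each guess against a leaked record.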

robsonde
25-11-2002, 05:06 PM
when can we expect the issue to be fixed??

Chilling_Silence
25-11-2002, 05:09 PM
I doubt it... Any security could be cracked using Brute Force method. I cracked a Lotus Notes User File, 12 Characters long... I used a dictionary though coz it was my password and was using only word combos.
Anything IMHO could be cracked with a FAST PC and a lot of patience!

Chilling_Silence
26-11-2002, 09:58 AM
BTW, be on the look-out for godfather's cat, it has a tendency to change to chocolate at will... ;)

nz_liam
26-11-2002, 10:42 AM
> when can we expect the issue to be fixed??

robsonde; Unfortunately we can't give you any exact timeframe as to when this will be fixed, or in fact whether it will be fixed at all, like this forum we didn't develop the phpMyChat software, we just made a few modifications and hosted it on our server.

The developers of PhpMyChat have of course been informed, but as of yet we don't even know if it can be fixed, as it would require radical changes to the way the software handles access to the database.

Currently we are working on a 'proof of concept' hack, to prove this can be done, however because the possibility of this particular hack exists we feel it is in everyone's best interest to be informed.

We feel it is better to say "We know someone could hack into our system using a certain technique, so make sure you don't use your internet banking password on our chatroom", rather than 6-Mths down the track to say "Sorry about that, we knew someone COULD steal your password, but we didn't think anyone would".


Cheers

Liam

Chilling_Silence
26-11-2002, 10:55 AM
> Currently we are working on a 'proof of concept'
> hack, to prove this can be done, however because the
> possibility of this particular hack exists we feel it is
> in everyone's best interest to be informed.

godfather's cat can do it man.. What more proof do you need?

nz_liam
26-11-2002, 11:07 AM
> > Currently we are working on a 'proof of concept'
> > hack, to prove this can be done, however because the
> > possibility of this particular hack exists we feel it is
> > in everyone's best interest to be informed.
>
> godfather's cat can do it man.. What more proof do you
> need?

That is another totally unrelated hole CS; which allows unregistered users to sneak into the chat (using a bit of Kiwi ingenuity), it is absolutely nothing to do with hacking the database, (nor have we done so yet.... however the possibility does exist).


Cheers

Liam

nzStan
26-11-2002, 11:29 AM
QUESTION:

How do you change your password? I've looked at "My Settings" and there is nothing for changing password....

nz_liam
26-11-2002, 11:39 AM
nzStan, This is the chatF1 chatroom (www.chatf1.net.nz) you're talking about right, NOT pressF1, I have already had a user confuse the two.

ChatF1 is completely separate from PressF1.

If you need to change your 'ChatF1' password then email me (liam@farr.net.nz) and I'll send you a graphical guide which I have already created for another user.


Cheers

Liam

raddersnz
26-11-2002, 01:46 PM
> godfathers cat can do it man.. What more proof do you
> need?

not only can his cat do it, so can your laptop, Tim(c)*^@# and your alter ego
:p

Chilling_Silence
26-11-2002, 01:51 PM
What about my OJ and the Chocolate I was using to dip my strawberries in?! Can't forget those two!

Chilling_Silence
26-11-2002, 01:51 PM
I thought they shot my other personality too :kill:

nz_liam
26-11-2002, 02:07 PM
Are you guys still too hung over from last night............ :D


That is another totally unrelated hole

Furthermore; if you read my original post you'll realise that you don't need to access the DB and crack the PWD for an unregistered user who has snuck in......... Because they're unregistered/not on the database/don't have a password, DUH :p


Cheers

Liam

Brendonny
27-11-2002, 12:15 PM
So if it would take about one year to crack a 12 digit password what about a windows 2000 password which is below. It is one of my old passwords. My first one actually. I change it regularly. I use computers on a network so I make sure to regularly change it. Everyone here says that it is a waste of time but I want to make sure no one can hack my password easily. So how long would that password below take??

SpiDerBaIT In ThE form oF 1963450 cArrOtS

I am guessing a password like that would take ages to crack

Brendonny

Chilling_Silence
27-11-2002, 12:41 PM
Don't Ask... I'm not gonna try... Depends on whether you're doing Grid Computing or not?! :p

nz_liam
27-11-2002, 12:45 PM
> So if it would take about one year to crack a 12
> digit password what about a windows 2000 password
> which is below. It is one of my old passwords. My
> first one actually. I change it regularly. I use
> computers on a network so I make sure to regularly
> change it. Everyone here says that it is a waste of
> time but I want to make sure no one can hack my
> password easily. So how long would that password
> below take??
>
> SpiDerBaIT In ThE form oF 1963450 cArrOtS
>
> I am guessing a password like that would take ages to
> crack
>
> Brendonny

Firstly, you would be mad to try and crack that password, (unless you had a proper multiple PC super-computing centre), secondly it would be a lot easier (would take about a minute) to use an NT password change boot disk to gain administrator access to the computer.


Cheers

Liam

nz_liam
27-11-2002, 12:52 PM
Oh, and here's the link to the NT (Win 2000/XP) password change boot disk; http://home.eunet.no/~pnordahl/ntpasswd/, behave yourself now won't you ;) :p