- Apocalipsa dupa Nemessis
- Cand dorinta de afirmare depaseste granitele bunului simt – PaxNwo un leecher ordinar
- Cum sa iti protejezi adresa e-mail si datele confidentiale din aceasta
- Mi s-a furat id-ul de messenger/adresa e-mail. Ce sa fac?
- Experiment social II – andimoisescu.ro
- Pentru posteritate
- In curand…
- “Hot” de id-uri messenger
- Chiar ca sunteti retardati
- Ce nu se invata la scoala – Vendetta (6)
- Apocalipsa dupa Nemessis in (103 Visits)
- Ce servicii de mail folositi? in (42 Visits)
- This is the end in (28 Visits)
- Hackersblog.org is now blog.rstcenter.com in (27 Visits)
- Short news in (22 Visits)
- La multi ani România, la multi ani românilor in (22 Visits)
- Azi este ziua userilor hackersblog.org in (15 Visits)
- Raportare vulnerabilitati in (14 Visits)
- Inca o pierdere de timp in (14 Visits)
- Update in (11 Visits)
- Mi s-a furat id-ul de messenger/adresa e-mail. Ce sa fac? in (313 Visits)
- Hi5.com coders read this in (36 Visits)
- SMS scam (1) in (28 Visits)
- Phishing Bancpost in (12 Visits)
- Dezinformare sau proasta informare? in (10 Visits)
- Si tentativele de phishing pot fi amuzante in (9 Visits)
- Phishing Raiffeisen cu atasament html in (6 Visits)
- Cum sa iti protejezi adresa e-mail si datele confidentiale din aceasta in (95 Visits)
- [Utilitare] Suna gratis de pe internet sau de pe iPhone in (54 Visits)
- Ce nu se invata la scoala - Tipuri si tehnici spam/Hi5 (4) in (49 Visits)
- Despre CSRF, hi5.com, cum sa trisezi la concursuri s.a.m.d. in (42 Visits)
- Ce nu se invata la scoala - (D)DOS (5) in (34 Visits)
- Virusi in clipuri video [how to] in (32 Visits)
- Ce nu se invata la scoala - Tipuri si tehnici spam/mail (2) in (29 Visits)
- Ce nu se invata la scoala - Tipuri si tehnici spam (1) in (24 Visits)
- Yahoo! redirects - a big issue (with video) in (14 Visits)
- Ca musca in... in (12 Visits)
- usa.kaspersky.com hacked ... full database acces , sql injection in (172 Visits)
- Simpatie.ro, matrimoniale3x.ro, apetisant.ro, deliciu.ro , etc Sql injection in (112 Visits)
- Yahoo! epic fail - permanent xss unleashed in (90 Visits)
- Telegraph.co.uk hacked, sql injection in (66 Visits)
- RedTube.com ... The Free Sex Video Community in (59 Visits)
- Kaspersky Thailand hacked by TinKode in (48 Visits)
- Conquiztador Hacked Again in (48 Visits)
- Telegraph.co.uk hacked - when will they learn? in (43 Visits)
- Simona Sensual si profilul ei de hi5 in (40 Visits)
- F-Secure.com - SQL Injection + Cross Site Scripting in (39 Visits)
- Wannabe Hackers [2] - cum sa faci un virus by sppy_hacker in (33 Visits)
- Wannabe Hackers [1] - Cum sa hack-uiesti RapidShare-ul in (28 Visits)
- Digital Photocopiers Loaded With Secrets in (26 Visits)
- Hacker Uses XSS and Google Street View Data to Determine Physical Location in (16 Visits)
- Oldies but goodies - Freedom Downtime - The Story of Kevin Mitnick in (11 Visits)
- OWASP Phishing demo in (9 Visits)
- Christopher "moot" Poole: The case for anonymity online in (9 Visits)
- [Video] The History Of Hacking in (8 Visits)
- Hope 2603 – Kevin Mitnick - Life a Computer Hacker – Revealed in (8 Visits)
- Owasp5005 Part1 - New zero-day browser exploits - ClickJacking in (8 Visits)
- Se poate sparge parola de Yahoo? in (344 Visits)
- phpBB.ro hacked in (105 Visits)
- Experiment social in (70 Visits)
- Cand dorinta de afirmare depaseste granitele bunului simt - PaxNwo un leecher ordinar in (61 Visits)
- Oare cum e pana la urma? in (57 Visits)
- "Hot" de id-uri messenger in (52 Visits)
- Concurs fara premii in (51 Visits)
- Forumul Andreei Balan spart in (47 Visits)
- Ce nu se invata la scoala – Vendetta (6) in (45 Visits)
- Experiment social II - andimoisescu.ro in (44 Visits)
Posted on May 28th, 2010
Sometimes making fun of people using xss tricks can be very entertaining. Today I will talk about xlovecam.com, a belgian adult videochat website with huge amount of traffic from France.
Our purpose is to make models believe that their accounts are suspended. For them this means a lot of money and time wasted.
Some real examples:
http://img339.imageshack.us/img339/5881/buahahahaq.png
http://img706.imageshack.us/img706/2575/hihihihiz.png
http://img227.imageshack.us/img227/2604/pwnedd.png
http://img534.imageshack.us/img534/2424/95603479.png
How to do it:
Go to http://www.xlovecam.com and register a new account.
Log in using the new account.
Open http://iphone.xlovecam.com in another browser instance and login there too.
Go in a girl room from the iphone page.
Search the same girl on xlovecam.com front page (check page footer for the entire list of online models) and go in her room to see her reaction after everything is completed.
Now from the iphone page we will use basic html and some javascript to pwn that chatroom. Iphone chat interface is vulnerable to cross site scripting so it will be easy.
First of all I need to use a different font to catch the model attention because in normal circumstances all users type with the same font. So I just type this in her iphone chat room and she will see a text like the one from my screencaps.
How to make this prank more convincing? We use a little code from RSnake xss cheatsheet to freeze her room. No one including the model will be able to write anything in the chat. This little piece of code affects many flash based chatrooms so you can test it in another circumstances too. Btw, you can see on that iphone page what she will try to type, but in normal chat nothing will appear.
So the final version of the code looks like this http://pastebin.com/QtiWnS1s. With a simple copy/paste you can make fun of them when you are bored. Of course you could use that iphone subdomain to redirect visitors from the room (if they are using iphone interface) or steal their cookies but most of the users use the normal site interface not the iphone subdomain.
Other tricks:
In the rooms type html tags like <i><u><b> but don’t close them. You will see by yourself what’s the catch.
Leave a Reply