morning_wood
http://exploit.wox.org

   For the past year Ifriends.com ( WP Associates ) has known about a
security
compromise in its chathost software ifcam96d. The program is coded in such a
way, and the structure of Ifriends.com Java/Browser based traction scheme
that makes it possible to bypass all security measures and payment, alowing
compromised viewing of private chathost sessions. I will briefly detail the
problem, the compromise, and the resolve taken as of this posting.

 Ifcam96d is a software platform for dellivering private, live, pay per view
adult content.

 The issues and vunerability outlined here are in direct contrast to
WP / Ifriends own statements at http://www.ifriends.net/faq.htm and I quote
:

"
What type of content can I show?
  That's a private matter, between you and the viewing customer.
Note: When an iFriends customer enters your live videochat room,
the customer receives the content directly from your computer.
It's called a "one-to-one" connection. And it guarantees privacy
for both you and the customer. Nobody can snoop and watch for free.
Remember - what you and your customer(s) do online is a private
matter between you and them, and both the video and audio travel
directly between you and the customer.


Can I trace or locate the iFriend through their IP address?

 No. The "IP address" of performing iFriends cannot be traced to the
point of origin without a court order. Also, the IP address is "randomly
assigned" by their provider each time they transmit. Privacy laws vary
from state to state, but in most cases, attempts to locate an iFriend
through their IP addresses, however useless, nevertheless violate
anti-stalking and anti-harassment statutes. Also, attempts to incapacitate
or disable an video chathost's session constitute theft of services and are
aggressively prosecuted to the fullest extent of the law.
 (All attempts to do so are automatically logged and are easily traced
 to the point of origin)

"
 Indeed it is a "one-to-one" connection and viewing IS possible WITHOUT the
parent company
aware that this is taking place. And chathost IP addresses are available by
going
to www.ifriends.net/livewebcamviewer/if/51/index.htm  click on a image, the
next page
shows a "live thumbnail" , simply view html source for IP and Port.

So they are decieving their chathosts as well.

 In Jan 2002 I personally retained a lawyer to contact WP associates
regarding a chathost that had noticed people were viewing their cam
although they were not even logged into the service, simply having the
software
running. Their reply at that date was "we are aware of the problem and there
really nothing we can do for you, sorry"

Details:

 Examining the ifcam.exe binary in Bintext or similar, reveals
that the program is comprised of a combination of VB, Java and HTML code.
Simply by examnining this, making a text copy of the binary and subsituting
a file name present in a java class for a parameter in the applet tags,
presents you with a crude but effictive viewer for these "private shows".
With only the information for ip address and port of any operating ifcam
setup, allows you total view of the chathosts webcam video.

 Further examination reveals embedded ip addresses that informs ifriends
that the software is running even if not logged in, much like a trojan, full
unrestricted access to your video at any time, and the ability to send
a "please return to your cam" announce ability. Finaly there is an
undocumented access port 7903.
The binary can be modified by a "Delta Patch®" as there is a patch file
present.

This software is NOT exclusive for Ifriends chatosts as evidenced here
http://www.online-shopping-links.com/what_is_videochat.htm and
http://download.com.com/3000-2348-10146565.html

 Webpower Inc. has been informed of a development of a proof of concept
program, CamScam, http://exploit.wox.org/thecore/camscan.jpg to
fully exploit these flaws and to show the lack of privacy commitment of a
very large internet company. They were offered the oportunity to have us
develop this into an integrated part of their operation as it can be
modified very easily to their specifications and completly would remove the
vunerabilities that exist.

 As of March 14 4:25 pm Ifriends has released a new version of thier
chathost software, addressing some of these issues while not completly
curing the problem. As well.. Upon review of thier public and chathost
forums, I see they have not taken the steps to inform thier members/hosts of
the privacy issues discussed here.

Full exploit info and discussion available,

http://exploit.wox.org/ifriends/
morningwood@thepub.co.za

Pro Active Security
http://take.candyfrom.us
http://exploit.wox.org