SpinChat Fun - In Case Someone Thought SpinChat is Secure

Es tut mir leid aber mein Deutsch ist nicht gut genug um diesen post auf
Deutsch schreiben . . .

.. . . aber SpinChat is a German company and apparently it can be hacked and
broken into.  DirectSex (which uses spinchat) has customers who have done
it.

DirectSex limited the chat to 3 commands, '/msg' and the ignore and unignore
commands.  However, 3 customers were able to restore all the commands plus
use a word filter, clear the screen, etc. (2 customers were banned but the
third one has not been banned).

The allowable commands are defined in the language.txt file and the html
code below is the original code from the directsex server:

<applet name="chat" code="de/spin/chat/small/ChatLoader.class"
codebase="http://chat1.directsex.com/classes/" archive="chat.jar"
width="360" height="340" align="top" VIEWASTEXT>
<param name="virtual" value="default">
<PARAM name="color" value="FFDE01">
<param name="properties"
  value="http://chat1.directsex.com/membernew/properties2.txt">
<param name="language"
  value="http://chat1.directsex.com/membernew/language.txt">
<param name="port" value="8001">
<param name="channel" value="College Girls">
<param name="nick" value="my name">
<param name="password" value="my password">
Please use a Java capable browser to use this chat!
</applet>

I changed the above to load local properties.txt and language.txt files but
it does not work.  The '.txt' files were copied from the directsex server,
no other changes were made.  The 2 lines changed were:

 <param name="properties" value="properties.txt">
 <param name="language" value="language.txt">

I suspect they found some product to connect to the directsex server because
DS' version of spinchat does not allow local loading of the above files.
The files must be loaded from the DS server.

Here is other info that may be useful.  The spinchat clients below only
connect to spinchat, not to a 3rd party server using spinchat:
http://pluto.brain-killer.org/index-en.html
http://www.dulky.org/nozchat/

Spinchat demos can be seen at:
http://chat.spin.de/en/demos/index.shtml

-g

Geoff wrote:

> Here is other info that may be useful.  The spinchat clients below only
> connect to spinchat, not to a 3rd party server using spinchat:
> http://pluto.brain-killer.org/index-en.html
> http://www.dulky.org/nozchat/


do the clients allow you to specify a different server?
if not why don't you try mapping the spinchat server hostname
to the DS ip address - maybe that's the trick.

haven't done this on windows in a while, but maybe it still
works by having a hosts.txt file in the c:\windoze\ dir.

good luck & fun :)

Carlo v. Loesch wrote:


> haven't done this on windows in a while, but maybe it still
> works by having a hosts.txt file in the c:\windoze\ dir.


Das wird ihm nichts helfen. Die Systeme haben - anders als er vermutet - 
nichts miteinander zu tun. Vollkommen unterschiedliches Protokoll etc.

Der gute Mann wurde auch bereits darauf aufmerksam gemacht, dass er 
einfach den kostenlosen E-Mail Support unserer Firma in Anspruch nehmen 
koennte, wenn er Kunde ist - sein Bestehen darauf, dies nicht zu tun 
sondern stattdessen im Usenet mit Crossposts rumzunerven, legt 
zumindestens den Verdacht nahe, dass er sich einfach irgendwo eine Kopie 
gezogen hat.

-- 
Markus Peter

> Der gute Mann wurde auch bereits darauf aufmerksam gemacht, dass er
> einfach den kostenlosen E-Mail Support unserer Firma in Anspruch nehmen
> koennte, wenn er Kunde ist - sein Bestehen darauf, dies nicht zu tun
> sondern stattdessen im Usenet mit Crossposts rumzunerven, legt
> zumindestens den Verdacht nahe, dass er sich einfach irgendwo eine Kopie
> gezogen hat.


Lol, I am not a customer of spinchat.  I'll try the question again.  DS has
a web page that most users go to and use the spinchat chat software.  The
chat software has removed all the commands except '/msg', /'ignore', and
'unignore'.  Those are the only things a person can do.

However, 3 people have found a way to extend spinchat or they are using a
different product to connect to DS.  When I saw these people, they were able
to do, '/users', /locate', '/who', etc.  Also, they  could clear the screen,
use a word filter, etc.

Two of the people went too far because they were banned but the third person
is not banned.  I am simply asking how it is possible to restore all the
functionality back like that?

BTW, even tho I am not a customer of spinchat, I sent an e-mail to your
support section and asked but received no reply.

-g

> do the clients allow you to specify a different server?
> if not why don't you try mapping the spinchat server hostname
> to the DS ip address - maybe that's the trick.


The clients have a dropdown and allow one to select a spinchat server,
nothing else.  It seems like this secret will remain with the 3 people who
figured out how to do it (unless they tell someone else).   SpinChat won't
say anything because it makes them look bad to directsex.com.  DirectSex
bought their product and configured it the way they want it to work, giving
users 3 commands.  Now, these 3 people have found a way to bypass that
configuration completely.  Originally I thought they were spinchat employees
but 2 of them were banned, so, I guess not.

There are smart people and really smart people.  The really smart ones
figured it out . . .

-g

Geoff wrote:

> Two of the people went too far because they were banned but the third person
> is not banned.  I am simply asking how it is possible to restore all the
> functionality back like that?


I'd suppose there's a quite simple way: use a packet sniffer and a pinch of
analysis skills, then roll your own client. Of course, the protocol could be
using public key cryptography (in this case, "public" meaning that some sort
of secret key is embedded in the official client), in which case you would
have to do more work, some of which possibly illegally.

By the way, being able to use flashy colors doesn't seem like a noteworthy
security issue to me, much like I don't think this is all that much fun.
Don't let that stop you, though. After all, there's still lots of fun left
in analyzing the protocol.

Good luck then.
Jan