Security Issue in




Published on Sep 12, 2008

In this video you'll see a small bug in the live chat system, found by Siavash Mahmoudian, in action.

Using this small security issue, you are able to send chat messages as users whose password you don't know, to any Cloob user you want.
It is also possible to send messages from an unknown user.

As you can see, there are two browser windows open. First we log out of Cloob in the first browser, so you'll notice we don't need to be logged in with any username in order to send chat messages.
Next, we find our friend's userid using Inspect Element in the second browser. In this case the userid is 981071.
We use that userid in the sendMessage URL, and you see the message is received by the user in the second window.

By changing the time_str value we can also send messages from other users. In this case I've just replaced an "e" with an "a".
You can send a message from an unknown user by changing the time_str value to "siavash".

To get someone's chat messages we use another URL, and again the userid of that person is needed.
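
The behaviour described above means the chat endpoints accept requests without a login and take the sender's identity from the request itself. The Python handlers below are an added example (not Cloob's code and not from the video) showing the server-side check that closes both gaps: the sender and the inbox owner are resolved from the session only. The in-memory stores, the function names and the `text` parameter are assumptions; `userid` and `time_str` are the names used in the video.

```python
import secrets

# Hypothetical in-memory stores standing in for the site's session table and inboxes.
SESSIONS = {}   # session token -> authenticated userid
INBOXES = {}    # userid -> list of (sender_userid, text)


class Forbidden(Exception):
    """Raised when a request is unauthenticated or targets another user's data."""


def login(userid):
    """Issue an unguessable session token after a password check (not shown)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = userid
    return token


def logout(token):
    """Invalidate the session server-side so the token stops working."""
    SESSIONS.pop(token, None)


def _authenticated_user(session_token):
    """Resolve the caller from server-side state only, never from request parameters."""
    userid = SESSIONS.get(session_token or "")
    if userid is None:
        raise Forbidden("login required")
    return userid


def send_message(session_token, params):
    """Handle sendMessage: the sender comes from the session, not from the request."""
    sender = _authenticated_user(session_token)
    recipient = int(params["userid"])
    text = str(params["text"])[:1000]  # assumed parameter name and length limit
    # Any sender-like field supplied by the client (such as time_str) is ignored.
    INBOXES.setdefault(recipient, []).append((sender, text))
    return sender


def get_messages(session_token, params):
    """Handle message retrieval: a user may read only their own inbox."""
    caller = _authenticated_user(session_token)
    if int(params["userid"]) != caller:
        raise Forbidden("cannot read another user's messages")
    return list(INBOXES.get(caller, []))
```
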

For more information about this bug visit:

Security issue in Cloob.com, virtual community, live chat, Siavash Mahmoudian

