Published on Sep 12, 2008
In this video you'll see a small bug in the Cloob.com live chat system, found by Siavash Mahmoudian, in action.
Using this small security issue you are able to send chat messages as users whose password you don't know, to any Cloob user you want. It is also possible to send messages from an unknown user.
As you can see, there are two browser windows open. First we log out from Cloob in the first browser, so you'll notice we don't need to be logged in with any username in order to send chat messages. Then we find our friend's userid using Inspect Element in the second browser. In this case the userid is 981071. We use that userid in the sendMessage URL, and you see the message is received by the user in the second window.
By changing the time_str value we can also send messages from other users. In this case I've just changed an "e" to an "a". You can send a message from an unknown user by changing the time_str value to "siavash".
To get someone's chat messages we use another URL, and again the userid of that person is needed.
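The missing server-side checks behind this behaviour, as an added example that is not from the video or from Cloob's code: the handler names, session table and inbox layout are assumptions, and only sendMessage, userid and time_str come from the description. The first handler models what the video shows (no login, sender label taken from time_str); the hardened ones take identity from the session.

```python
# Added illustration. Handler names, SESSIONS and INBOX are assumptions,
# not Cloob's implementation.
SESSIONS = {"tok-alice": "981071", "tok-bob": "555000"}  # constructed: token -> userid
INBOX = {}  # userid -> list of (sender, text)


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the request."""


def send_message_vulnerable(params):
    # Models the behaviour in the video: no session check at all, and the
    # sender label is whatever the client supplies in time_str.
    sender = params["time_str"]
    INBOX.setdefault(params["userid"], []).append((sender, params["text"]))
    return sender


def authenticated_user(session_token):
    # Resolve the caller from server-side session state only.
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("login required")
    return user


def send_message_hardened(session_token, params):
    # Sender is derived from the session; a client-supplied time_str is
    # never treated as identity, so editing it cannot change the sender.
    sender = authenticated_user(session_token)
    if params["userid"] not in SESSIONS.values():
        raise Forbidden("unknown recipient")
    INBOX.setdefault(params["userid"], []).append((sender, params["text"]))
    return sender


def get_messages_hardened(session_token, userid):
    # A caller may read only their own inbox, whatever userid the URL names.
    if authenticated_user(session_token) != userid:
        raise Forbidden("not your inbox")
    return list(INBOX.get(userid, []))
```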