*** HXD Private Chat Security Flaw ***

Well, pretty much what this allows you to do in the hxd server is let a user enter a private chat room in hx that he/she was not invited to. If you use hx you know that when someone invites you into a private chat you get some codes...

In Hotline Server 1.2.3 (http://www.hotlinesw.com) when a user invites a user into a private chat they get this information:

    <¥> [nodozE(1)] invites you to chat 0xbdc9ab01

So if the person wants to enter they type:

    /join 0xbdc9ab01

But as you can see, if you keep getting invited into a private chat you get all these numbers. As you can see there's no pattern. There's no way of knowing what the next invite code will be because it's random.

    <¥> [nodozE(1)] invites you to chat 0xe0af5102
    <¥> [nodozE(1)] invites you to chat 0x9ab45503
    <¥> [nodozE(1)] invites you to chat 0x3e41bc04

But in HXD by rorschach (http://www.krazynet.com/hx), the Unix Hotline Server, when it gives the code for the private chat it comes out in a pattern such as shown below:

    <¥> [nodozE(1)] invites you to chat 0x3
    <¥> [nodozE(1)] invites you to chat 0x4
    <¥> [nodozE(1)] invites you to chat 0x5

Now you can see the pattern here. The syntax is 0x#. If you follow this you can find out which private chats other users are in by just typing /join 0x#.

So if you know some people are in a private chat, just invite yourself into a chat room (you are "Private Chat Hacker" :P):

    /who
    socket | nick                | icon | level | stat |
         1 | nodozE              |  161 | ADMIN |      |
         2 | Private Chat Hacker |  161 | ADMIN |      |
         3 | Admin               |    0 | USER  |      |
    /chat 2
    [chat 0x666] join: nodozE [2:161:2]

Now you know that the last private chat code that the server gave was 666, so try:

    /join 665
    socket | nick                | icon | level | stat |
         1 | nodozE              |  161 | ADMIN |      |
         3 | Admin               |    0 | ADMIN |      |
         2 | Private Chat Hacker |  161 | USER  |      |

And what happened here? nodozE and the admin are in a private chat... and guess who just showed up? You sure did.
And they both think the other user in the private chat invited you. This isn't a huge security risk, but it is something that needs to be fixed. I asked ror about it and he replied "It's not a flaw, it's a feature". I tried this out with the PC version of the server b8 and it did the same thing as the Mac version: it gave random private chat codes. I've been told that this is partly the reason for Hotline 1.2.3, because in 1.2.1 you could do the same thing.

If you wanted to you could make a hx script that looks something like this:

---------------------------------------------------------------------------
join 1
join 2
join 3
join 4
join 5
join 6
join 7
join 8
join 9
join 10
---------------------------------------------------------------------------

...etc. all the way up to 1000 or so... then you would be in every private chat that was open at that time.

# Thanks:

phraq: for letting me run a hxd server off of his box.
Foo: for letting me try out the PC version of the server.
HotlineSW Sucks (http://www.hotlineswsucks.com): for being the "underground" of Hotline.
Bad Moon: all Bad Moon admins, the makers of the best Hotline icons known to mankind :)
Bad Moon URL: http://205.182.92.245/
Bad Moon Hotline Server: right now 208.24.56.203:666, but if the IP changes just look on tracked.group.org

- nodozE
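Added example (mine, not code from nodozE's advisory or from hxd): a small Python model of the two server-side fixes the hxd/Hotline comparison above points at, unguessable chat ids and an invitation check on /join, with the advisory's "join 1 .. join N" sweep replayed against it. Class and function names are made up for illustration; note that in the 1.2.3 codes quoted above the low byte still counts up (..01, ..02, ..03, ..04), so only the upper bits look random there.

```python
import secrets


class PrivateChatServer:
    """Toy model of a Hotline-style server's private chat bookkeeping.

    sequential_ids=True mimics the hxd behaviour in the advisory (0x3, 0x4, 0x5 ...);
    the default draws ids from the full 32-bit space with a CSPRNG. Independently
    of how the id is chosen, join() refuses any user who was not invited, so a
    guessed or leaked id is useless on its own.
    """

    def __init__(self, sequential_ids=False):
        self.sequential_ids = sequential_ids
        self.next_id = 1
        self.chats = {}  # chat_id -> {"members": set(), "invited": set()}

    def _new_id(self):
        if self.sequential_ids:
            cid, self.next_id = self.next_id, self.next_id + 1
            return cid
        while True:  # reject 0 and collisions with live chats
            cid = secrets.randbits(32)
            if cid and cid not in self.chats:
                return cid

    def create_chat(self, creator):
        cid = self._new_id()
        self.chats[cid] = {"members": {creator}, "invited": set()}
        return cid

    def invite(self, cid, inviter, invitee):
        chat = self.chats[cid]
        if inviter not in chat["members"]:
            raise PermissionError("only a member of the chat may invite")
        chat["invited"].add(invitee)

    def join(self, cid, user):
        """Handle /join <cid>; returns True only if the user was invited."""
        chat = self.chats.get(cid)
        if chat is None or user not in chat["invited"]:
            return False  # the check hxd lacked: knowing the id is not enough
        chat["invited"].discard(user)  # an invitation is good for one join
        chat["members"].add(user)
        return True


def sweep_joins(server, user, max_id):
    """Replay the advisory's 'join 1 .. join N' script against the model and
    return how many chats it got into (0 when the invitation check is in place)."""
    return sum(server.join(cid, user) for cid in range(1, max_id + 1))
```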