*** HXD Private Chat Security Flaw ***

	Well pretty much what this allows you to do in the hxd server is allow a user 
to enter a private chat room in hx that he/she was not invited to.  If you use
hx you know when someone invites you into a private chat you get some codes...

In Hotline Server 1.2.3 (http://www.hotlinesw.comwhen a user invites a user 
into a private chat they get this infomation: 

<¥> [nodozE(1)] invites you to chat 0xbdc9ab01

So if the person wants to enter they type:

/join 0xbdc9ab01
 
 But as you can see if you keep getting invited into a private chat you get all
 these numbers.  As you can see there's no pattern.  There's no way of knowing what 
 the next invite code will be because it's random.
 
 <¥> [nodozE(1)] invites you to chat 0xe0af5102
 <¥> [nodozE(1)] invites you to chat 0x9ab45503
 <¥> [nodozE(1)] invites you to chat 0x3e41bc04
 
 But in HXD by rorschach (http://www.krazynet.com/hx) the Unix Hotline Server when it
 gives the code for the private chat it comes out in a pattern such as shown 
 below:
 
 <¥> [nodozE(1)] invites you to chat 0x3
 <¥> [nodozE(1)] invites you to chat 0x4
 <¥> [nodozE(1)] invites you to chat 0x5
 
 Now you can see the pattern here.  The syntax is 0x#.  If you follow this you can
 find out what other user chat rooms they're in by just typing 
 
 /join 0x#
 
 So if you know some people are in a private chat just invite yourself into a chat 
 room (you are "Private Chat Hacker" :P): 
 
 /who
 
 socket | nick                            |  icon | level | stat |
      1 | nodozE                          |   161 | ADMIN |      |
      2 | Private Chat Hacker             |   161 | ADMIN |      |
      3 | Admin                           |     0 |  USER |      |
      
/chat 2
 
[chat 0x666] join: nodozE [2:161:2]  

Now you know that the last private chat code that the server gave was 666 so try:

/join 665       
 socket | nick                            |  icon | level | stat |
      1 | nodozE                          |   161 | ADMIN |      |
      3 | Admin                           |     0 | ADMIN |      |
      2 | Private Chat Hacker             |   161 |  USER |      |
      
And what happend here?  nodozE and the admin are in a private chat... and guess
who just showed up?  You sure did.  And they both think the other user in the
private chat invited you.  

This isn't a huge security risk here.  But it is something that needs to be
fixed.  I asked ror about it and he reply'd "Its not a flaw its a feature".
I tried this out with the PC version of the server b8 and it did the same
thing as the mac version, it gave random private chat codes.  Partly the reason
for Hotline 1.2.3 is because of this reason i've been told because in 1.2.1 you
could do the same thing.

If you wanted to you could make a hx script that looks something like this:

---------------------------------------------------------------------------
join 1
join 2
join 3
join 4
join 5
join 6
join 7
join 8
join 9
join 10
---------------------------------------------------------------------------

...etc all the way up to 1000 or so... then you would be in every private chat
that would be open at that time.

# Thanks:
phraq: for letting me run a hxd server off of his box.  

Foo: for letting me try out the pc version of the server.

HotlineSW Sucks (http://www.hotlineswsucks.com):  For being the "underground" of
Hotline.

Bad Moon: All Bad Moon admins, the makers of the best hotline icons known 
to mankind :)
Bad Moon URL:  http://205.182.92.245/
Bad Moon Hotline Server:  right now 208.24.56.203:666 but if the IP changes 
just look on tracked.group.org

- nodozE