Taking a look at Omegle

Hey guys, it's been a while since I've hung around these parts. I thought I'd come back for a little while at least and share some things I've been working on. One of these is Omegle, which is at http://omegle.com.
For those who don't know, it's basically a site that lets you chat with a stranger that you are randomly assigned. It's an interesting idea and has sparked an infinite number of funny conversations.
Everything that I'm about to say has been worked out simply by reading the source, packet sniffing and just generally prodding around. There may be errors in it and if you notice one, please correct me. :D

Omegle is one big ball of AJAX, running from a single page (and receiving data from a number of others) and using the MooTools JavaScript library (http://ajax.googleapis.com/ajax/libs/mootools/1.2.1/mootools-yui-compressed.js). The code that powers Omegle can be found at http://omegle.com/static/omegle.js

First things first, when you go to omegle.com you see a big button with "Start a chat" on it. Clicking it brings up a conversation window. However, behind the scenes we are making our first AJAX request (minus the /count one, I'll mention that later). This request is an HTTP POST to http://omegle.com/start. The POST request actually contains nothing, but the result is what is interesting - the stranger ID. This is a 6-character code such as "8Ekxwo" consisting of the characters a-z A-Z 0-9 _ -. This seems to be randomly generated. Right now I don't know whether your stranger will always have that ID, or just for your conversation, with a new one being generated when you disconnect.

Overview

Each page corresponds to http://omegle.com/[page] so /events would be http://omegle.com/events
These pages accept post requests only. I have included HTML and PHP code at the bottom for posting to these URLs.

/events
This page sends the server's responses to the client (which is the javascript running in your browser). When your stranger types, your client learns of it here. Information is retrieved from it by sending the stranger's ID. This is a possible point for exploitation as there seems to be no validation to check whether the stranger ID that you provide is in fact yours. This is backed up by the lack of a session cookie to identify the user. By spoofing a correct stranger ID, you may be able to spy on other people's conversations.

Here are the various bits of information that /events will send out:
  • "waiting" - This is the first bit of information that /events will send to the client, indicating that the stranger has not yet connected.
  • "connected" - This simply shows that the stranger has connected and is ready to receive messages.
  • "typing" - This is shown each time the user starts typing and is used to display the message "Stranger is typing".
  • "gotMessage","data" - This is a message sent by the stranger (note that data would be replaced by the stranger's message). Your messages do not appear here.
  • "strangerDisconnected" - Pretty self-explanatory.

/send
This is where your messages are sent to and through it, are routed to the /events belonging to the stranger. This is where a nice vulnerability seems to lie in Omegle, though I haven't tested it myself. It would seem that you can send a message to whoever the hell you want, as long as you have their 6 character ID. In fact, it would seem that you can do whatever the hell you want to them - including disconnecting them.
Now in fairness, it's just a bit of fun - there shouldn't be any personal information being shared and besides, if you're sharing some data with one stranger - what does it matter if another stranger takes a look? Of course, if it does extend to disconnects then things could get kinda annoying for Omeglers.

The HTTP request looks like this:
Code: 
POST /send HTTP/1.1
Host: omegle.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.11) Gecko/2009060308 Ubuntu/9.04 (jaunty) Firefox/3.0.11
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Referer: http://omegle.com/
Content-Length: 18
Pragma: no-cache
Cache-Control: no-cache

msg=test&id=Fd5r2P


/typing
You send the stranger ID to this to indicate you are typing and again to indicate that you stopped. Again you may be able to spoof the stranger ID, though why you'd want to I don't know. :)

/count
This is something I stumbled across and it made me chuckle at their cheekiness. Notice that "XXXX users online" thing? It's a randomly generated number gathered from /count. It's requested with the GET argument 'rand', which is a random number generated by javascript. A seemingly random number is then generated from this.

/disconnect
Displays a "Your conversational partner has disconnected." message to the stranger whose ID has been passed to it.
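The missing ownership check described under /events and /send, as an added illustration (this is not Omegle's server code, which the post cannot see; the handler names, the in-memory tables and the per-client token are assumptions). The weak handler trusts any caller who quotes a stranger ID, as the post observes; the checked version binds each ID to a secret issued at /start and refuses to route messages for anyone who cannot present it:

```python
import secrets
from typing import Dict, Optional

# Constructed in-memory model of the server state (an assumption, not Omegle's real tables):
partner: Dict[str, str] = {}       # stranger ID -> the ID it is paired with
inbox: Dict[str, list] = {}        # stranger ID -> event list its /events poll would return
owner_token: Dict[str, str] = {}   # stranger ID -> secret handed only to that ID's real owner

def start(my_id: str, their_id: str) -> str:
    """Hypothetical /start: pairs two IDs and returns the secret that proves ownership of my_id."""
    partner[my_id] = their_id
    inbox.setdefault(my_id, [])
    inbox.setdefault(their_id, [])
    token = secrets.token_urlsafe(16)
    owner_token[my_id] = token
    return token

def send_weak(form: Dict[str, str]) -> bool:
    """The behaviour the post describes: whoever supplies a valid 'id' is treated as its owner."""
    sender = form.get("id")
    if sender not in partner:
        return False
    inbox[partner[sender]].append(["gotMessage", form.get("msg", "")])
    return True

def send_checked(form: Dict[str, str], presented_token: Optional[str]) -> bool:
    """Hardened form: the ID is honoured only together with the secret issued to its owner."""
    sender = form.get("id")
    if sender not in partner or presented_token is None:
        return False
    if not secrets.compare_digest(owner_token[sender], presented_token):
        return False               # borrowed or guessed ID without the owner's secret: refuse
    inbox[partner[sender]].append(["gotMessage", form.get("msg", "")])
    return True
```

The same check belongs on /typing and /disconnect, since those also act on nothing more than the posted ID.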

Some code and some more explanation..

Now, if you're interested in writing a client or an Omegle bot (and if you succeed please tell me about it), here's some python code that might help:
Code:
import socket  # Whilst I first attempted to use urllib2, there were some really strange problems with it so turned to sockets.

def post(where, what):
    s = socket.socket()  # implicit, i know  ;)
    s.connect(("207.192.69.188", 80))  # 207.192.69.188 is the Omegle IP
    s.send("POST /%s HTTP/1.1\r\n" % where)
    s.send("Host: omegle.com\r\n")
    s.send("Content-Type: application/x-www-form-urlencoded\r\n")
    s.send("Content-Length: %d\r\n" % len(what))
    s.send("Connection: close\r\n")
    s.send("\r\n")  # a blank line ends the headers; the form body follows it
    s.send(what)
    ret = s.recv(1024)
    s.close()
    return ret

data = post("start", "").split("\r\n")
StrangerID = data[-1][1:-1]  # the last line of the response is the quoted ID, e.g. "8Ekxwo"
print "Stranger ID:", StrangerID


Okay, yeah.. I admit that code is horrible - but it gets you your stranger ID.
Now Omegle posts that stranger ID, under the name 'id', to http://omegle.com/events - again using AJAX. For this I wrote a quick HTML form:
Code:
<!-- The form described above: it posts the stranger ID under the name 'id' to /events -->
<form method="post" action="http://omegle.com/events">
  Stranger ID: <input type="text" name="id">
  <input type="submit" value="Get events">
</form>

If you try that you'll probably be asked whether you want to download a file. Try downloading it and opening it in a text editor. This is what mine looked like:
[["waiting"], ["connected"], ["typing"], ["gotMessage", "hi"], ["strangerDisconnected"]]


Yeah.. they said hi to me and I ignored them.. whoops :p
But this little snippet has told us all we really need to know about the events protocol and it's pretty self-explanatory too.



Now let's go through this step by step.
While the conversation is running, the client (the javascript in your browser) is constantly checking /events for updates. With each check of /events, it sends the stranger ID it was given. If nothing has happened, the result is "null" - otherwise the data comes back in an array. It is then parsed and shown to the user in the chat box.

When the user starts to type something, the client detects this and sends the stranger ID to /typing. If they stop typing, they repeat this. If they then decide to send the message, it is posted to /send as msg=hello%20world&id=aj23SV, for example.

The /events page for your stranger will then show the message that you sent as [['gotMessage','hello%20world']]

If you wish to disconnect, the stranger ID is sent to /disconnect and the /events page for that ID will be updated accordingly.
If your stranger decides to disconnect, then that is shown in /events when the stranger ID is passed to it.
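An added example (not from the original post) of a client-side consumer for the /events responses walked through above, in Python 3: it handles the "null" answer, decodes the URL-encoded message text, tracks the conversation state and reports event names the post does not list rather than dropping them. The sample bodies are constructed from the capture shown earlier.

```python
import json
from urllib.parse import unquote

class ChatState:
    """What the client should display, built up from one /events response body at a time."""

    def __init__(self):
        self.status = "idle"         # idle -> waiting -> connected -> disconnected
        self.stranger_typing = False
        self.messages = []           # decoded texts received from the stranger
        self.unknown = []            # event names this client does not understand

    def feed(self, body: str) -> int:
        """Apply one raw /events body and return the number of events it carried."""
        events = json.loads(body)
        if events is None:           # the server answers "null" when nothing has happened
            return 0
        for event in events:
            name = event[0]
            if name == "waiting":
                self.status = "waiting"
            elif name == "connected":
                self.status = "connected"
            elif name == "typing":
                self.stranger_typing = True
            elif name == "gotMessage":
                # the post shows messages arriving URL-encoded (hello%20world); decode for display
                self.stranger_typing = False
                self.messages.append(unquote(event[1]))
            elif name == "strangerDisconnected":
                self.status = "disconnected"
                self.stranger_typing = False
            else:                    # report rather than silently drop anything new
                self.unknown.append(name)
        return len(events)

def replay(bodies):
    """Feed a sequence of /events bodies in order and return the resulting state."""
    state = ChatState()
    for body in bodies:
        state.feed(body)
    return state

# Constructed sample: the capture quoted in the post, split into the polls a client would see.
SAMPLE = ['[["waiting"]]', 'null', '[["connected"], ["typing"]]',
          '[["gotMessage", "hello%20world"]]', 'null', '[["strangerDisconnected"]]']
```

The post shows no separate "stopped typing" event, so this treats a received message or a disconnect as the end of typing.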

Extra bits of code:
Code: 
<?php
// This function is from http://netevil.org/blog/2006/nov/http-post-from-php-without-curl
// It's pretty fab at posting stuff to websites.
// e.g. do_post_request('http://omegle.com/send', 'msg=test&id=Fd5r2P',
//                      "Content-Type: application/x-www-form-urlencoded\r\n");
function do_post_request($url, $data, $optional_headers = null) {
    // Build a stream context that turns fopen() into an HTTP POST carrying $data as the body
    $params = array('http' => array(
        'method'  => 'POST',
        'content' => $data
    ));
    if ($optional_headers !== null) {
        $params['http']['header'] = $optional_headers;
    }
    $ctx = stream_context_create($params);
    $fp = @fopen($url, 'rb', false, $ctx);
    if (!$fp) {
        throw new Exception("Problem with $url, $php_errormsg");
    }
    $response = @stream_get_contents($fp);
    if ($response === false) {
        throw new Exception("Problem reading data from $url, $php_errormsg");
    }
    return $response;
}
?>


Code:
# An easier way to post something in Python, but does not seem to work for omegle (though works locally) as far as I can see.
# If anyone can figure out why, please say!
import urllib
import urllib2

o = "http://omegle.com/"  # base URL; each page is o + its name

def SaySomething(what, id):
    # /send expects both fields: msg is the text and id is the stranger ID it is routed to.
    # urlencode does the %20 escaping itself, so no manual replace() is needed.
    data = urllib.urlencode({'msg': what, 'id': id})
    request = urllib2.Request(o + "send")
    return urllib2.urlopen(request, data=data)


I hope this helps or at least interests people. Feel free to copy/distribute/modify - but please quote "dotty" as the source.
Please post any corrections to this, and your own code and comments. Thanks.
