Monday, September 15, 2014

Omegle Indonesia Webcam Hack

Hello guys, Aditya here. It has been quite some time since I've hung around these parts, but I'm back for a
second at least and want to share some crazy stuff I've been working on. One of these is
Omegle, which is at http://omegle.com. (Has anybody still not heard about it?)

For those who don't know, it's basically one of the most popular (also outside Indonesia, really) chat sites (adult type) that lets you talk online with a stranger that you are randomly assigned. It's
an interesting idea and, as you might guess, it causes an endless number of funny or weird
conversations, trolling etc.
So lately I came up with a very interesting trick about Omegle. This is a script-based trick. Taa-Daaam!!


Everything that I'm about to say has been worked out simply by reading the source, packet
sniffing and just generally prodding around. There may be errors in it and if you notice one,
please correct me.  :D


Omegle is one big silo of AJAX, running from just a single page (and receiving data from a
number of others) and using the MooTools JavaScript library
(http://ajax.googleapis.com/ajax/libs/mootools/1.2.1/mootools-yui-compressed.js). The code
that powers Omegle can be found at http://omegle.com/static/omegle.js

First things first: when you go to omegle.com you see a big button with "Start a chat" on it.
Clicking it brings up a conversation window. However, behind the scenes we are making our
first AJAX request (minus the /count one, I'll mention that later). This request is an HTTP
POST to http://omegle.com/start. The POST request actually contains nothing, but the result is
what is interesting: the stranger ID. This is a 6-character code such as "8Ekxwo" consisting of
the characters a-z A-Z 0-9 _ -. This seems to be randomly generated. Right now I don't know
whether your stranger will always have that ID, or just for your conversation, with a new one
generated when disconnected.

Each page corresponds to http://omegle.com/[page], so /events would be http://omegle.com/events.
These pages accept POST requests only. The /events page sends the server's responses to the client (which is the JavaScript running in your browser). When your stranger types, your client learns of it here. Information is retrieved from it by sending the stranger's ID. This is a possible point for exploitation, as there seems to be no validation to check whether the stranger ID that you provide is in fact yours. This is backed up by the lack of a session cookie to identify the user. By spoofing a correct stranger ID, you may be able to spy on other people's conversations.
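
The missing ownership check described above, modelled as an added example (not Omegle's code and not from the original post). The `ChatServer` class, its method names and the HMAC owner token are assumptions for illustration; the token stands in for the session cookie the post notes is absent.

```python
import hashlib
import hmac
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"


class ChatServer:
    """Toy in-memory model of the /start and /events endpoints (constructed)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-side secret, never sent out
        self._events = {}                    # stranger ID -> queued events

    def _token(self, stranger_id):
        # Owner token: HMAC of the ID under the server key (e.g. set as a cookie).
        return hmac.new(self._key, stranger_id.encode(), hashlib.sha256).hexdigest()

    def start(self):
        # 6 symbols from a 64-symbol alphabet is a 36-bit space: too small to be a credential.
        stranger_id = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self._events[stranger_id] = []
        return stranger_id, self._token(stranger_id)

    def push(self, stranger_id, event):
        self._events[stranger_id].append(event)

    def events_unchecked(self, stranger_id):
        # Behaviour the post describes: any caller presenting a valid ID gets the events.
        return list(self._events.get(stranger_id, []))

    def events(self, stranger_id, token):
        # Hardened form: the caller must also prove the ID was issued to them.
        valid = hmac.compare_digest(self._token(stranger_id).encode(), token.encode())
        if stranger_id not in self._events or not valid:
            raise PermissionError("stranger ID is not bound to this client")
        return list(self._events[stranger_id])


def demo():
    server = ChatServer()
    alice_id, alice_token = server.start()
    _, mallory_token = server.start()        # a second, unrelated client
    server.push(alice_id, "typing")
    try:
        server.events(alice_id, mallory_token)
        blocked = False
    except PermissionError:
        blocked = True
    return server.events_unchecked(alice_id), blocked, server.events(alice_id, alice_token)
```
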

Without going into details, the script allows you to enter a video chat that two unknown people are in. You can watch them, talk to them and disconnect them(!). In the chat room you can see them and everything they write (you can also write as one of them without the other knowing it, or write as "the third one", but of course thereby unmasking yourself and causing the fury of these two, lol).


Here are the instructions. It's easy.
1 Download Java and make sure it's installed.
2 Go to omegle.com and start a chat.
3 Double-click the .jar and open the spy tool.
4 Click 'go' in the right corner. It will automatically capture the webcam and will hold the cam
as long as the stranger is online, even after he/she disconnects you. The stranger will think that the cam
is disconnected, but it won't be.