Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Chatroulette security breached by researchers

Anonymous chatting may not be as private as you thought

Article comments

Perhaps there is finally something to deter Chatroulette.com users from their more offensive behaviour: University researchers say that users of the popular video chat site may not be as anonymous, or as private, as they think. In a paper posted online this week, researchers from the University of Colorado at Boulder and McGill University outline three different types of attacks that could be launched against Chatroulette users.

Founded just last year by 17-year-old Russian entrepreneur Andrey Ternovskiy, Chatroulette links web surfers randomly into one-on-one video chat conversations. The site has come under fire, however, because of nudity and inappropriate behaviour.

The new research doesn't expose any gaping privacy holes, but it does show how the service could be misused by determined criminals. For example, researchers describe a type of video phishing attack, where the criminals would simply play a video of an attractive woman who appears to be chatting with the victim, with audio disabled.

In a test, they were able to trick users into thinking they were actually chatting with a prerecorded video of a cute woman. They did this by making the video choppy, as if it came from a low-bandwidth network and using text-based chat, instead of audio chat. Only one of the 15 users who chatted with the video asked the researchers to prove that it was of a real, live person. Otherwise, the researchers were regularly able to get people to chat for an hour using this technique.

The novelty and apparent intimacy of a chat session could make it easier to con people into friending scammers on Facebook or even visiting malicious websites, said Richard Han, an associate professor with the University of Colorado who co-authored the paper. "If you can present an attractive persona there," he said, "people start to trust the person on the other side and they lower their guard and they start to reveal information about themselves."

They also found a way to make Chatroulette's anonymous chats much less anonymous.

Because Chatroulette's backend system shares user IP addresses, researchers were able to use IP-mapping services to get a general idea of user's location (a public website, called Chatroulettemap.com already does this). Then by searching Facebook using information obtained in chats and comparing pictures, researchers were able to identify chatters. "Even in a city as big as Chicago, you can drill down and find the person you're actually talking to," Han said.

Privacy takes a hit too, in the paper. Han and his team also believe that it would be easy to listen in on chat conversations by writing a simple computer program that could act as a middleman between Chatroulette conversations, connecting two users and recording what they say. Though Han believes it would be easy to do, his team didn't write the software to conduct this attack. "We did not implement this attack because we thought it was so dangerous," he said.

Chatroulette's Ternovskiy sees things a little differently, however. In an email interview he described the research as "not a big deal."

"I think it's an interesting piece of work, and I am thankful to the people who made it," he said. "However, I think that it would be exaggeration of some sort to look at it too seriously. You should be aware - don't trust strangers. But it shouldn't stop you from entertaining yourself," he added.

Han's team notified Chatroulette of its findings prior to going public, and Ternovskiy said that he would be making some changes to the site "so some things mentioned in the article wouldn't be possible to accomplish."

For example, Chatroulette is now testing a new feature called Localroulette, which connects people from specific cities with one another. "Phishing techniques usually involving tricking people into thinking that you are from a particular place and you have a particular identity," Ternovskiy said. "This will not exactly work here."



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *