Hacking Private Channels Of Ustream



While recently working on a custom player implementation on ustream.com using their API, I found a huge loophole that I would like to share. Ustream lets you create public/private channels and then broadcast on them using FMLE or a SWF-based publisher. Private channels can be password protected, so only people with the right password can view them. But here is the catch! The password-based security system is pretty much invalid in itself.

While programming on the platform I noticed that the player uses the AMF protocol to send and receive data to and from the server. So here is how you can hack anyone's private (password-protected) channel.

1.  Go to https://addons.mozilla.org/en-US/firefox/addon/1843/ and install the Firebug extension for Firefox.

2.  Go to the page which hosts the private channel and open the Firebug debug panel. Make sure you have enabled the Net panel.

[Screenshot: Firebug Net panel]

3.  Next, without much effort, while going through the requests made by the site to Ustream, you will notice that the AMF call with the password tagged to it is very clearly visible.

[Screenshot: password reveal]

So there you have it: both the channel ID and the password for the stream! Not so protected, is it now? :)
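The fix for the flaw described above is to check the password on the server and keep it out of anything the player receives. The sketch below contrasts the two designs; it is an added example, not Ustream's code, and the handler names, channel record and token format are hypothetical. It assumes the password reaches the viewer inside the server's reply.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)      # token-signing key; never leaves the server
PASSWORD = "constructed-pass"    # constructed sample password, kept only to build the demo
SALT = os.urandom(16)

def _kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Hypothetical channel store: the server keeps a salted hash, not the password.
CHANNELS = {"12345": {"title": "demo", "pw_hash": _kdf(PASSWORD)}}

def flawed_channel_info(channel_id):
    """Flawed pattern: every viewer's reply carries the password for the player to compare."""
    return {"id": channel_id, "title": CHANNELS[channel_id]["title"], "password": PASSWORD}

def hardened_channel_info(channel_id):
    """Reply says only that the channel is locked; nothing secret is sent."""
    return {"id": channel_id, "title": CHANNELS[channel_id]["title"], "locked": True}

def _sign(channel_id, expires):
    msg = f"{channel_id}:{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def request_playback(channel_id, supplied, now=None):
    """Server-side check: returns a signed 5-minute token, or None on a wrong password."""
    channel = CHANNELS.get(channel_id)
    if channel is None or not hmac.compare_digest(_kdf(supplied), channel["pw_hash"]):
        return None
    expires = int(time.time() if now is None else now) + 300
    return f"{channel_id}:{expires}:{_sign(channel_id, expires)}"

def token_valid(token, now=None):
    """The stream endpoint accepts only an unexpired token with a valid signature."""
    try:
        channel_id, expires, sig = token.split(":")
        expires = int(expires)
    except ValueError:
        return False
    current = time.time() if now is None else now
    return hmac.compare_digest(sig.encode(), _sign(channel_id, expires).encode()) and expires > current

def reply_leaks_secret(reply):
    """Check a test suite can run on every reply shown to an unauthenticated viewer."""
    return PASSWORD in (str(v) for v in reply.values())
```

With this design the Net panel of a viewer who has not entered the password shows only the `locked` flag, and a viewer who has entered it sees an expiring token rather than the password itself.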





August 13, 2010  Posted in: General

8 Responses

  1. attracter - August 24, 2010

    I tried a friend’s channel and it didn’t work. Was I supposed to be logged in to Ustream or Facebook?

    http://www.ustream.tv/channel/snen

  2. admin - August 24, 2010

    Of course you need to be in the page where the video is playing. The link you posted is a login page. If you need to know, just post the link of the page where the video plays.

  3. admin - August 25, 2010

    If you can view the video you can steal its password. Right now I cannot view it, which means I can't get the password yet.

  5. swagg - March 18, 2011

    I was trying to view this video

    http://www.ustream.tv/recorded/4762681

    I was wondering if the password could be found for it.
