DEV Community

Dheirya Tyagi
Dheirya Tyagi

Posted on • Edited on

Why is Social Rumbles (aka RumbleChat) down?

EDIT: Social Rumbles is back online! Yay! Go to https://socialrumbles.com/home/ to check it out!

Let me preface this by saying that it WAS NOT HACKED.

I repeat, NOT HACKED.

Ahem. Lemme explain.

Today at 3:45, I was moderating on RumbleChat when I noticed spam messages, I deleted them and thought nothing of them. They kept coming, so I deleted the guy who was making them (there were only 2 people online and I knew one of them so I deleted the other guy).

But he kept coming back.

Then at about 4:05, I saw these message:

4:05 Image

Now was that me? No. So what did I do.... PANIC!

I immediately shut down the server, the websockets, everything. All shut down.

I had to this quick cuz I had swim at 4:20, so I did this quickly and went to swim.

Now, I don't know if I was high or something, when I shut down everything but uhh I was 100% NOT HACKED. Here's why.

While swimming I realized oh wait he didn't hack me. And here's why:

A) Nothing changed except new chat messages were made.
B) If he had hacked it, then wouldn't he make himself admin?

So whilst swimming I did some thinking and realized I was an idiot. He didn't hack it. He just created a web socket and then spoofed his username. This is all he did it:

chat = new WebSocket('wss://socialrumbles.com/dm/someroom');
chat.send({
# Whatever message/username he wanted!
});

So yeah I am a complete idiot. I didn't get hacked. No one is in danger. I just wrote my chat wrong.

This made me rethink my chatting app. I decided that there was too high a risk with sockets, and I am shutting it down until further notice. (I also don't have enough experience with it so I'm stopping it). I know that this wasn't a "hack" but I'm worried that there may be an actual exploit which is why I am removing it for the time being.

We may fix the chat app and rerelease it, but only after more experience with web sockets.

So what does this mean for you?

Well since I overreacted and shut down EVERYTHING, it'll take at least two days to get it up and running again. So ummm y'all will just get this jazzy 503 error until it starts running again, so sorry for overreacting!

Now that chat is being removed what can you do? Well you can do it's main, safe feature: posting. You can still post videos, articles, images, etc, once it starts running. And soon, after we remake the chat site and have some help, we may re add it.

For now, the site is going to be off until at least Saturday, and you all are safe. I just overreacted, and now here we are.

Top comments (4)

Collapse
 
sixbeeps profile image
Brandon Lee • Edited

Howdy, I'm the person who """hacked""" Social Rumbles chat and ruined it for you all (sorry about that).

Let me preface this by saying I have no beef against Dheirya whatsoever. They're just an innocent Replit user who made a neat little site, and I happened to come across it at just the right time. In the past, I've been responsible for a few attacks like these, and most of them involve this same vulnerability. I didn't even need to write my own client script like the post mentioned, I simply hit F12 and accessed the site's premade socket through the console.

It's vulnerabilities like this which make for good learning experiences, and furthermore I don't think this was too much of an overreaction. Although I find it a bit weird that it takes two whole days to get the site back up and running again, it beats having the exploit leaked and having to deal with multiple attackers.

A solution to preventing people from accessing the socket directly from the console: use an IIFE. Any variables and things like that are blocked from the global scope, meaning you can't access them in the browser. Unfortunately, that does not cover writing an external client, though how you go about fixing that is up to you.

Was what I did right? No. Was what I did funny? At the time, yes. Will I keep doing this? Probably not, but still at my own expense if so. Definitely not to Social Rumbles, I think Dheirya has had enough of this.

P.S. I was not actually the one to send the impregnation message, that was a friend of mine.

Collapse
 
vulcanwm profile image
Medea

lmao

Collapse
 
dheirya_tyagi profile image
Dheirya Tyagi • Edited

Lol yeah looking back it was kinda funny. My servers are kinda designed strangely so when I shut it all off, it takes some time to get them back running.

Honestly I knew something was kinda up before the fake messages because I kept getting spam messages from fake usernames (anon12438911 or something) but I decided not to stop it because I thought you were just changing your username or something.

The only reason I shut down the whole server in all honesty was because A) I though the admin got hacked B) I kind of got pissed by the impregnation messages lol.

In all honesty, I would've never realized the problem until your friend sent that message, because it used my username.

I feel like there are better ways you could've told me about this exploit, maybe send me a message or report it, buh ehh you can't change the past. (plus it was kinda funny)

About the fix, I had my dad (an experienced programmer since 2001) review my code and he decided that I should temporarily remove the chatting section since there are a lot of potential vulnerabilities (especially with how the sockets are written), bigger and more dangerous vulnerabilities. Also if I was to put it back I would also make sure to verify in the socket backed that the username that was sent from the user was the same user. I'll also not hold plain usernames in the db and actual user objects so you can't make fake usernames.

So yeah no beef with ya, honestly what you did was kinda funny. Just maybe next time just tell the site owner about the exploit before you use it?

Collapse
 
sixbeeps profile image
Brandon Lee

Good idea.