AmberCutie's Forum
An adult community for cam models and members to discuss all the things!

How to deal with malicious CB apps?

Status
Not open for further replies.
Sep 2, 2024
This is a question I hope that @punker barbie can help with, please.

I have clear proof that there is malicious functionality contained in one or more CB apps. I know the username of an alt account used by the developer to execute said functionality and a list of the apps running in a room where this functionality was executed. Using the list of apps I can narrow down who the developer actually is.

My question is: even with clear proof of malicious behaviour by apps, how can one get CB to take it seriously enough to take action, i.e., to remove the apps and ban the developer?

Thank you!
 
I could block your mods, or known top tippers, or a user I'm jealous of, etc. I could block users by color or because of things they say that I do not agree with.
I can guarantee that's going to be misunderstood. When you say block, you mean prevent their messages from showing up in chat, right?

edit: and the only impact you can really have on a model's position on the list is really to trigger a hidden cam show, right?
 
Upvote 0
Yes, by block I mean from speaking in chat. You can't "block" a user from your bio/room with either API. Yes, you could trigger a hidden cam anytime and pull the model off their page. However, I think it would show that the cam was hidden because there would be a tiny delay between entry and adding that username to the allow list.

Cheers,
Cexmental
 
Upvote 0
@cexmental maybe you can make a list of things bots and apps can do that could be used negatively. There are a ton of people spreading ridiculous rumors right now and they actually believe the bots and apps they use are to blame for their low traffic.

This might be a good place to start: https://chaturbate.com/smoker919/


I only say this about V1 apps, in which case I am unfair and judgmental AF. However, it is my understanding that starting with V2, apps undergo code review, so hiding the code isn't as much of an issue with V2 apps. There have been enough malicious V1 apps released that it is better safe than sorry. For every V1 app with hidden/obfuscated code there are dozens that do the same thing with open source code. Why expose yourself to potential risks?

There are no code reviews taking place for V2 apps, so those apps are still capable of implementing malicious functionality.


Apps/bots cannot control your traffic, who is in your room, stop you from receiving tips, access your PMs, stalk your users, shadow ban (or whatever), hide your media, hide you from the front page, change the CB ranking, access your personal computer, change your CB bio or settings, know who you take private, know the amount of tokens a user has, etc. They are truly simplified and limited by design.

I disagree with this. The error handling in the V1 framework is very poor and exposes private APIs in stack traces. Someone with enough time could theoretically map the topology of those APIs and potentially use them.
 
Upvote 0
I didn't understand this one at all, could you give an example?

A stack trace shows the path through the code that was traversed from the point of entry up until an error occurred. Usually it names the code constructs that are used at each point and the functions executed on those constructs. For V1 apps, the stack traces expose constructs and functions that seem to underpin the internal CB API. Knowing that internal API could allow someone to try to execute code against it directly instead of just using the public API.
 
Upvote 0
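To make the stack-trace point above concrete, here is an added illustration that is not CB's code and not from any poster in this thread. It shows the difference between a runtime that hands an app author the raw stack (which names every internal frame between the entry point and the throw) and one that logs the stack internally and returns only the error class, message and a reference id. The names AppRuntime and internalDispatch are invented stand-ins for whatever the real V1 framework calls its internals.

```javascript
// Added example (not CB's code): what an unsanitized stack trace gives away and
// how a runtime can report errors without it. AppRuntime and internalDispatch are
// invented stand-ins for whatever the real V1 framework calls its internals.

class AppRuntime {
  constructor() {
    this.internalLog = []; // stays server-side in a real deployment
  }

  // Hypothetical internal layer every app handler is invoked through.
  internalDispatch(handler, event) {
    return handler(event);
  }

  // Unsafe variant: the app author receives err.stack verbatim, which names
  // every internal frame between the entry point and the throw.
  runUnsafe(handler, event) {
    try {
      return { ok: true, value: this.internalDispatch(handler, event) };
    } catch (err) {
      return { ok: false, error: err.stack };
    }
  }

  // Hardened variant: the stack is kept in an internal log under a reference
  // id; the author sees only the error class, message and that id.
  runSafe(handler, event) {
    try {
      return { ok: true, value: this.internalDispatch(handler, event) };
    } catch (err) {
      const ref = `err-${this.internalLog.length + 1}`;
      this.internalLog.push({ ref, stack: err.stack });
      return { ok: false, error: `${err.name}: ${err.message} (ref ${ref})` };
    }
  }
}

// Check used below: does an error string mention any internal name?
function leaksInternalNames(text) {
  return /AppRuntime|internalDispatch/.test(text);
}

// Constructed failing handler, the kind of bug a V1 app might have.
function brokenHandler() {
  throw new TypeError("Cannot read properties of undefined (reading 'tokens')");
}

const runtime = new AppRuntime();
console.log(runtime.runUnsafe(brokenHandler, {}).error); // internal frames visible
console.log(runtime.runSafe(brokenHandler, {}).error);   // class, message, ref only
```

Run it with node and compare the two printed errors: the first lists `AppRuntime.internalDispatch` and `AppRuntime.runUnsafe` as frames, the second does not. The reference id is what support would use to look the full stack up on their side, so the author still gets a usable bug report without a map of the internals.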
A stack trace shows the path through the code that was traversed from the point of entry up until an error occurred. Usually it names the code constructs that are used at each point and the functions executed on those constructs. For V1 apps, the stack traces expose constructs and functions that seem to underpin the internal CB API. Knowing that internal API could allow someone to try to execute code against it directly instead of just using the public API.

Probably nothing to be concerned about; it's been many years now, and I recall that at some point (not sure if they're still doing it) CB was rewarding people for finding exploits.
 
Upvote 0
You both need to work your shit out and stop reporting each other's posts to me. Or I could just ban both of you.

@cute_kristall @striped_speedo
 
Upvote 0
You both need to work your shit out and stop reporting each other's posts to me. Or I could just ban both of you.

@cute_kristall @striped_speedo
Just so that anyone else reading knows: @cute_kristall is the very same pigley I mentioned twice in my previous post. If he wants to report anything about my apps then he should do it to CB Support the same way I reported The Menu and let them decide.

His hate-on for my apps is because my Ad Blocker anti-spam app detected and reported his use of backdoor commands in one of his apps, i.e., he got caught.

At this point, since CB Support did actually investigate and confirm my report on The Menu, I will take the screenshots collected from the incident with pigley and submit them with the details and ask them to investigate. @punker barbie
 
Upvote 0
Just so that anyone else reading knows: @cute_kristall is the very same pigley I mentioned twice in my previous post. If he wants to report anything about my apps then he should do it to CB Support the same way I reported The Menu and let them decide.

His hate-on for my apps is because my Ad Blocker anti-spam app detected and reported his use of backdoor commands in one of his apps, i.e., he got caught.

At this point, since CB Support did actually investigate and confirm my report on The Menu, I will take the screenshots collected from the incident with pigley and submit them with the details and ask them to investigate. @punker barbie

Thank you for reporting the malicious backdoor but after that i doubt the majority cares about the drama between app developers.
 
Upvote 0
as you banned Pigley
I am unsure who you speak of.

I just want you both to work out your issues with each other privately, and leave it to CB to sort out what is/isn't OK on their site. It isn't necessary to hash it out here, and definitely not cool to add more moderation for me to deal with.

As stated above, nobody really cares about the beef.
 
Upvote 0
Look folks.

There is a very simple and standard process in the IT industry for investigating and reporting CVEs (security vulnerabilities). CB support is responsive, concerned with our safety, and always responds within a few days. This flame war is total crud.

Real IT pros and security experts follow industry guidelines and best practices.

https://cve.mitre.org/ is where anyone can see the documented process real security researchers use.

This is not professional conduct in the IT industry (smoker, pigley, kentos, etc.). You are all not doing it correctly. So in my model opinion, after your apps and advice my show dies.

No, I do NOT endorse flame wars and I do fully endorse the correct procedures. Please be mindful. Thank you.

(CB support, thanks for all the help folks!)
 
Upvote 0
This is a question I hope that @punker barbie can help with, please.

I have clear proof that there is malicious functionality contained in one or more CB apps. I know the username of an alt account used by the developer to execute said functionality and a list of the apps running in a room where this functionality was executed. Using the list of apps I can narrow down who the developer actually is.

My question is: even with clear proof of malicious behaviour by apps, how can one get CB to take it seriously enough to take action, i.e., to remove the apps and ban the developer?

Thank you!
CB support, despite repeated reports of hacking by Pigsley (thank you, smoker919), allows him to continue to hack models. He's hacking my stuff and rooms I moderate.

CB support KNOWS about this. And CB. If you can't fix it, I am quite happy to go to the Florida AG, where you are based and start the legal criminal complaints. I made the call this morning.

You need to fix this now. I am going to get the law involved for the cybersecurity failure of CB to provide a SAFE working environment in the US. And the rest of the world, in violation of US labor laws.

CB, you have my ticket. Please address this now. Thank you.
 
Upvote 0
I am unsure who you speak of.

I just want you both to work out your issues with each other privately, and leave it to CB to sort out what is/isn't OK on their site. It isn't necessary to hash it out here, and definitely not cool to add more moderation for me to deal with.

As stated above, nobody really cares about the beef.
BS, CB covers up and closes over actual financial and physical injuries to models and consumers.

This US based model is sick of it. And as a consumer also, I do both roles. I am filing the criminal complaints. OK.
 
Upvote 0
BS, CB covers up and closes over actual financial and physical injuries to models and consumers.

This US based model is sick of it. And as a consumer also, I do both roles. I am filing the criminal complaints. OK.
I'm making phone calls right now, boys. The non-US models may not be able to deal with this in this way, but I can. 1099 is still, as far as I understand labor law in the US, under the protections of US law. So guys, let's be smart.
 
Upvote 0
CB support, despite repeated reports of hacking by Pigsley (thank you, smoker919), allows him to continue to hack models. He's hacking my stuff and rooms I moderate.

CB support KNOWS about this. And CB. If you can't fix it, I am quite happy to go to the Florida AG, where you are based and start the legal criminal complaints. I made the call this morning.

You need to fix this now. I am going to get the law involved for the cybersecurity failure of CB to provide a SAFE working environment in the US. And the rest of the world, in violation of US labor laws.

CB, you have my ticket. Please address this now. Thank you.


Pigsley is the one I am aware of too (I know he has multiple apps) and have warned models about plenty of times, but sadly, even models I was a regular with and "friends", didn't listen at all. They had this random grey guy come in and tell them to use his app and they did. I tried explaining to her/them and it fell on deaf ears.

Luckily one of them already knew how much of a scam it was. I think she DID try it but then noticed some weird things happening.

But sadly, you can only warn and if they don't wish to listen or CB wants to let it continue, then it's not your problem.


Edit:
To add, the Pigsley guy is the one who continuously goes around trying to discredit Noiett (sorry, can't remember the exact spelling of the name) and call him a hacker and all sorts of stuff.
 
Upvote 0
Edit:
To add, the Pigsley guy is the one who continuously goes around trying to discredit Noiett (sorry, can't remember the exact spelling of the name) and call him a hacker and all sorts of stuff.

noiett is perfect ?

Unfortunately, app developers are doing a poor job at creating an environment that feels safe and easy to trust for broadcasters. However, I believe that all these continuous fights and reports increase the perception of unsafety to a point that, in my opinion, is not realistic.

Unless you're sharing sensitive information in on-chat PM (you probably shouldn't) or storing such information in the app (be more careful in this case), the worst (and unlikely) case scenario would be that your app happens to block messages from one of your users (who will probably realize and tell you in PM or tipnote), or stops working. After such an event, which I repeat is unlikely, you would change the app and forget forever, and no one will die (oh, surprise).

If you're the kind of person that needs that 100% safety feeling, then make your choices according to the information available, but otherwise I would encourage you to ignore the drama and use the apps that you like or find useful, no matter whether they are V1, V2, open source, closed source, by noiett, bobo, mmm32, basket or whoever, and just enjoy them. 99,99% of the times nothing bad will happen.

I leave my umbrella open, just in case. ☂️
 
Upvote 0
noiett is perfect ?

Unfortunately, app developers are doing a poor job at creating an environment that feels safe and easy to trust for broadcasters. However, I believe that all these continuous fights and reports increase the perception of unsafety to a point that, in my opinion, is not realistic.

Unless you're sharing sensitive information in on-chat PM (you probably shouldn't) or storing such information in the app (be more careful in this case), the worst (and unlikely) case scenario would be that your app happens to block messages from one of your users (who will probably realize and tell you in PM or tipnote), or stops working. After such an event, which I repeat is unlikely, you would change the app and forget forever, and no one will die (oh, surprise).

If you're the kind of person that needs that 100% safety feeling, then make your choices according to the information available, but otherwise I would encourage you to ignore the drama and use the apps that you like or find useful, no matter whether they are V1, V2, open source, closed source, by noiett, bobo, mmm32, basket or whoever, and just enjoy them. 99,99% of the times nothing bad will happen.

I leave my umbrella open, just in case. ☂️

I'll agree with you that most of the time nothing bad will happen, but when it does happen it's pretty bad. The most egregious cases, in my opinion, are when apps whitelist access to ticket and hidden shows which are then recorded and used as blackmail material. This is pigley's MO, and others have been accused of it, too. So, yes, enjoy the apps you use, but take some care about not picking the worst of them. Avoid The Menu. Avoid kentos' apps. Avoid pigley's apps. Most others will be fine, but I will continue to highlight others that are proven to be malicious or scams.
 
Upvote 0
noiett is perfect ?

Unfortunately, app developers are doing a poor job at creating an environment that feels safe and easy to trust for broadcasters. However, I believe that all these continuous fights and reports increase the perception of unsafety to a point that, in my opinion, is not realistic.

Unless you're sharing sensitive information in on-chat PM (you probably shouldn't) or storing such information in the app (be more careful in this case), the worst (and unlikely) case scenario would be that your app happens to block messages from one of your users (who will probably realize and tell you in PM or tipnote), or stops working. After such an event, which I repeat is unlikely, you would change the app and forget forever, and no one will die (oh, surprise).

If you're the kind of person that needs that 100% safety feeling, then make your choices according to the information available, but otherwise I would encourage you to ignore the drama and use the apps that you like or find useful, no matter whether they are V1, V2, open source, closed source, by noiett, bobo, mmm32, basket or whoever, and just enjoy them. 99,99% of the times nothing bad will happen.

I leave my umbrella open, just in case. ☂️

None of the reports amount to anything anyway at the moment, noiett. Chaturbate have admitted they don't actively deal with reports on Chaturbate Apps, supposedly due to the fact they think the Sandbox is safe enough. I think if anything there is a case of under-reporting, because if Chaturbate isn't willing to do anything about it, what's the point other than warning users & Models in any way possible?

The worst case scenarios are far worse than what you've described. Remember that apps can collect a LOT of information on users and Models without them knowing anything.
You could easily make a malicious app that has regex checks for sensitive data like credit card info, addresses and grabs + stores it before the Model or other apps have a chance to intercept it.
For example, I could use an app that whitelists and stops users from posting my address or variations of it, but an app can just use $message.orig to grab this original message before it's set as spam. Once this data is stored in KV pairs, I, the developer, could run a secret command in a room when it's online to send the data back.

Now you could do the same with a scraper bot for checking chat messages but:
  • You would have to host this bot and Chaturbate could detect or rate limit it
  • If another bot detected a message as spam or a Model deletes the message in time before it's sent, it won't appear in public chat
The limitcam access issues are a problem as well, as @smoker919 has described. Especially with the new Premium Private shows.
 
Upvote 0
The most egregious cases, in my opinion, are when apps whitelist access to ticket and hidden shows which are then recorded and used as blackmail material.
The limitcam access issues are a problem as well, as @smoker919 has described. Especially with the new Premium Private shows.
Are you saying that private shows, not just ticket and hidden shows as stated in the first quote above, could be accessed and recorded by someone who has a backdoor through one of these apps?
 
Upvote 0
Are you saying that private shows, not just ticket and hidden shows as stated in the first quote above, could be accessed and recorded by someone who has a backdoor through one of these apps?

No-spy private shows are being uploaded and redistributed so it's fact that private shows are vulnerable. I believe the only apps that might be capable of viewing private shows are kentos' apps (DJ Lovense Tip Goal and Horny Tip Goal), but no-spy private shows have been uploaded from rooms that don't use those apps, so that points to a networking vulnerability within CB.
 
Upvote 0
I believe the only apps that might be capable of viewing private shows are kentos' apps (DJ Lovense Tip Goal and Horny Tip Goal)
....what? How exactly?

Edit: and be more responsible about what you say because you know stuff you have said has been twisted and repeated all over reddit and discord and caused a lot of unnecessary panic.
 
Upvote 0
@smoker919 I would make an exception with Pigley, as he is particularly active and harmful, and I'd also recommend to stay away from any copies of the app My Secret Show not uploaded by me (most include backdoors), but that's it.

@NaomiNSFW As far as I know, support has taken action many times, removing apps and even banning creators permanently. By the way, I've never seen a credit card number in chat in 10 years, and an actual address just a couple of times.

@cbhours Sure, I made the Dream Bot ?
 
Upvote 0
@smoker919 I would make an exception with Pigley, as he is particularly active and harmful, and I'd also recommend to stay away from any copies of the app My Secret Show not uploaded by me (most include backdoors), but that's it.

@noiett I'm asked almost daily to review broadcasters' app setups and I recommend, or at least endorse, your apps regularly along with those from other developers. The only ones I warn models against are the ones I've already listed in my bio, i.e., The Menu, those from kentos, pigley, and streamersuite, and bobodeluxe's My New Followers. I'm happy to add the My Secret Show copies to that list.
 
Upvote 0
....what? How exactly?

Edit: and be more responsible about what you say because you know stuff you have said has been twisted and repeated all over reddit and discord and caused a lot of unnecessary panic.

This discussion has caused a great deal of incorrect information to be spread around. I'm being contacted by models saying they will not use v1 apps now. There is a lot of assumption here, some pretentious wording, and little to no facts.

Regards,
Cexmental
 
Upvote 0
@noiett I'm asked almost daily to review broadcasters' app setups and I recommend, or at least endorse, your apps regularly along with those from other developers. The only ones I warn models against are the ones I've already listed in my bio, i.e., The Menu, those from kentos, pigley, and streamersuite, and bobodeluxe's My New Followers. I'm happy to add the My Secret Show copies to that list.
I've been in touch with bobo for years and he's always had a nice attitude with me. He even sends me models that need apps sometimes, and they are happy with him also.

By the way, Chelsea once told me that she got banned for keeping a list of account names in her profile that were fooling models into changing her bot for another one. Her claims were legit, but Chaturbate considered that such a list of users was harassing behaviour. If I were you, I would definitely not keep that list on your page and probably consider also removing or cooling down the tone of the safety recommendations section.
 
Upvote 0
@smoker919 I would make an exception with Pigley, as he is particularly active and harmful, and I'd also recommend to stay away from any copies of the app My Secret Show not uploaded by me (most include backdoors), but that's it.

@NaomiNSFW As far as I know, support has taken action many times, removing apps and even banning creators permanently. By the way, I've never seen a credit card number in chat in 10 years, and an actual address just a couple of times.

@cbhours Sure, I made the Dream Bot ?

I haven't seen Chaturbate take action on any individual apps since I joined Chaturbate, but I may be out of the loop.
If you have ever seen an actual address in chat even once, that's already worrying. An app developer doesn't need to be online or even active to collect this info easily.

Think about this right...
  • A user finds out my address and decides to keep doxxing me in chat via different accounts (not an uncommon thing to happen)
  • A malicious app collects this address before it can be filtered by other apps or collected by a scraper
  • This malicious app developer makes it so as soon as they enter any model's room this data is dumped to them only. They don't even have to run a command.
  • This app developer can also see all the current models that use their app making it easy
  • Even if Chaturbate finds out that an app is malicious after seeing these chat messages pop up the damage is already done
and there is absolutely no way the streamer or their moderators will know confidential data was just stolen.
 
Upvote 0
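The two posts above from @NaomiNSFW (the one on $message.orig, regex checks and KV storage, and the doxxing walk-through just above) describe a pattern that a model or moderator can look for in an app's source before installing it. The following is an added example, not CB's tooling and not any developer's app: a heuristic review that flags the combination of a raw message read, a content pattern match, persistent storage and a username-gated branch. The API names in the rules ($message.orig, $message.body, $message.setSpam, $kv.set, $kv.get, $user.username, $room.sendNotice) are assumed from the thread and CB's V2 app API, and both sample snippets are constructed for the demo, the second one deliberately with a placeholder pattern rather than a working app.

```javascript
// Added example (not CB's code, not any developer's app): a heuristic review of
// app source for the harvesting pattern described in the thread. API names in the
// rules are assumed from the thread and the V2 app API; verify against the docs.

const RULES = [
  { id: 'raw-message-read', re: /\$message\.orig\b/,
    why: 'reads the original message text before other apps can mark it as spam' },
  { id: 'persistent-store', re: /\$kv\.set\s*\(/,
    why: 'writes data to persistent key/value storage' },
  { id: 'content-pattern-match', re: /\.(test|match|exec)\s*\(/,
    why: 'applies a regular expression to chat content' },
  { id: 'username-gated-branch', re: /\$user\.username\s*===?\s*['"][^'"]+['"]/,
    why: 'behaviour switched on by one hard-coded username' },
  { id: 'store-readback', re: /\$kv\.(get|keys|list)\s*\(/,
    why: 'reads stored data back; check where that data goes next' },
];

// Returns every rule that matches plus a verdict. A single hit is normal in a
// legitimate anti-spam app; the combination is what warrants a closer read.
function reviewAppSource(src) {
  const findings = RULES.filter(r => r.re.test(src)).map(r => ({ id: r.id, why: r.why }));
  const ids = new Set(findings.map(f => f.id));
  const suspicious = ids.has('raw-message-read') && ids.has('persistent-store') &&
    (ids.has('content-pattern-match') || ids.has('username-gated-branch'));
  return { findings, suspicious };
}

// Constructed sample 1: an ordinary word filter that marks matches as spam.
const BENIGN_APP = `
const banned = /free tokens/i;
if (banned.test($message.body)) { $message.setSpam(true); }
`;

// Constructed sample 2: the shape the thread warns about. SENSITIVE_PATTERN is
// a placeholder and the snippet is not a working app.
const SUSPECT_APP = `
const raw = $message.orig;
if (SENSITIVE_PATTERN.test(raw)) { $kv.set('seen:' + Date.now(), raw); }
if ($user.username === 'dev_alt_account') { $room.sendNotice($kv.get('seen:last')); }
`;

// Human-readable report for the reviewer.
function formatReport(name, result) {
  const header = `${name}: ${result.suspicious ? 'REVIEW CAREFULLY' : 'no harvesting pattern'}`;
  const lines = result.findings.map(f => `  - ${f.id}: ${f.why}`);
  return [header, ...lines].join('\n');
}

console.log(formatReport('benign sample', reviewAppSource(BENIGN_APP)));
console.log(formatReport('suspect sample', reviewAppSource(SUSPECT_APP)));
```

Run it with node against an app's pasted source. The verdict is only a prompt to read the flagged lines: an app that never touches $message.orig and never writes to $kv has none of the ingredients the posts describe, while one that hits all five rules deserves a full read of where the stored data ends up before it goes anywhere near a room.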
I've been in touch with bobo for years and he's always had a nice attitude with me. He even sends me models that need apps sometimes, and they are happy with him also.

By the way, Chelsea once told me that she got banned for keeping a list of account names in her profile that were fooling models into changing her bot for another one. Her claims were legit, but Chaturbate considered that such a list of users was harassing behaviour. If I were you, I would definitely not keep that list on your page and probably consider also removing or cooling down the tone of the safety recommendations section.

I had a nice conversation with him in December, too, but it bothers me that he denied for years that My New Followers blocks messages, yet changed something in the app when I gave him evidence that it was blocking messages; after his change some messages were no longer being blocked but others still were. That's sketchy to me.
 
Upvote 0