AmberCutie's Forum
An adult community for cam models and members to discuss all the things!

Article tells how it's easy to hack into MFC accounts

Status
Not open for further replies.
Sep 19, 2013
An FYI to all members and models about your MFC accounts

http://motherboard.vice.com/read/th...te-is-making-its-models-accounts-easy-to-hack



MyFreeCams.com, which describes itself as “The #1 adult webcam community,” has terrible password security, for both its users and, more importantly, its models, Motherboard has learned.

The site actually undermines strong passwords created by its users, Motherboard has found.

If a password contains upper and lower case, as well as punctuation, it is bypassed by simply typing in the password in lowercase, while omitting any special characters.

For example, if a model's password is “!!!PASSword???”, simply typing in “password” would access the account.

This is especially concerning because cam girls may be at a heightened risk of stalking or harassment. Many of the girls on the site appear to use pseudonyms, perhaps to protect their identity. Having access to their account might reveal their real name or location.

Motherboard independently verified that a similar situation happens when signing up to the site as a user, however user accounts are barred from using special characters in their password at all: another bad security policy from the site.

“That is an insanely stupid thing to do,” Per Thorsheim, founder of PasswordsCon, told Motherboard in a phone interview, referring to the forced lower-casing and removal of special characters.

MyFreeCams.com hosts more than 100,00 models and has over five million members. According to Alexa, it is just shy of being in the top thousand most popular websites worldwide.

Motherboard learned of the problem from an anonymous tipster, who said that MyFreeCams.com hosts “women whose real names and exact locations are a closely guarded secret.”

A cam girl who helped Motherboard verify the claims said “I had no idea it was like that. Makes me want to reconsider where I cam.”

Cam girls who work on the site should immediately change their passwords to something not used on any other services, and make sure the password consists of a high number of characters. They might also consider using a password manager, which automatically generates random, complex passwords and stores them securely on a computer.

It's not totally clear why MyFreeCams.com has implemented its password system in this way. “Generally it's done as a sort of balance between usability and security,” Troy Hunt, owner of breach data site haveibeenpwned.com, told Motherboard in a phone call. Perhaps the site developers felt that people will forget the casing on their password, so the website automatically lower-cases everything instead.

Regardless of the motivation behind it, “If you were going to try to brute force the system, you've just made it significantly easier.”

MyFreeCams.com did not respond to multiple requests for comment.

Hunt added that this doesn't necessarily mean MyFreeCams.com is storing its models and users' passwords in plain text, which would make them more vulnerable to hackers. But “The counter argument is if you're stupid enough to dramatically reduce the character space by lower-casing everything, then you're probably stupid enough to store it insecurely as well,” he added.

However, an apparent user of MyFreeCams.com contacted Motherboard, and provided an email receipt for a purchase of tokens to use on the site. Included in that email was a section of the user's password.

Thorsheim told Motherboard in a follow up message that "in order to show/send you parts of your password, it is either stored in an encrypted form and they have the key to decrypt, or it is stored in plain text." Either way, both of those are not good security practices.

On top of the threat of having passwords brute-forced, there's also the more general concern that site users may be lulled into a false sense of security.

“You may think the service is secure, and now, as you have information about, it's crap,” added Thorsheim.

To combat that, “We would like to see all kinds of online services and websites to actually make a statement somewhere on their pages: how do you store my password?” said Thorsheim.

Update: This story has been updated to reflect that MyFreeCams.com also sends users parts of their passwords by email.
 
I have noticed this. To log in I can do it all lowercase, but to delete my account you must do it exactly as you set the password up. Utterly stupid.
 
Since only numbers and lowercase letters count, I would suggest making longer passwords. Use a random password generator to make one. If longer passwords are not to your liking, I'd look into KeePass or some other password manager. It doesn't matter how long the password is then.

Basically there are only 36 characters for you to choose from, it seems (alphabet and 10 numbers). So if you only make your password 2 characters long there would be 36^2 possibilities, or 72. Every character you add in length multiplies the previous possibilities by 36 again. So at 8 characters long there would be 2.821×10^12 combinations for a computer to try (that's 2,821,000,000,000). That seems like a lot, but to put it in perspective, if you discount the time lag of trying them all over the internet it would only take:
Screenshot - 11_5_2015 , 1_53_48 PM.png

At 14 characters long it would take the supercomputer 17 hours and the PC/GPU combo 39 years.

However, if you were using a password manager and didn't care how long the password was and went with 25 characters (MFC will allow 25 characters, by the way; I tested it already myself):

Screenshot - 11_5_2015 , 1_56_13 PM.png

So the moral of the story is: yeah, it sucks that MFC has such shitty password rules. But if you still want a secure password you can have it; you're just going to have to increase the length. Personally I wouldn't even bother with less than 20 characters on such a stupidly managed site as MFC.
 
Cam girls who work on the site should immediately change their passwords to something not used on any other services, and make sure the password consists of a high number of characters. They might also consider using a password manager, which automatically generates random, complex passwords and stores them securely on a computer.
Smart Internet users already know this, and I remind ACF girls to frequently change passwords as well as use different PWs for all the sites they use.

I think MFC does have other precautions in place to keep people from brute forcing their way into an account, though. I'm pretty sure we get locked out of our account if we fail multiple logins, and even then, our private information on our administration pages requires an emailed verification code to view. Not saying it's perfect, but maybe less scary than the article makes it out to be. People love to jump on the paranoia bandwagon when it comes to MFC, but this isn't really anything new and worth freaking out over.
 
Smart Internet users already know this, and I remind ACF girls to frequently change passwords as well as use different PWs for all the sites they use.

I think MFC does have other precautions in place to keep people from brute forcing their way into an account, though. I'm pretty sure we get locked out of our account if we fail multiple logins, and even then, our private information on our administration pages requires an emailed verification code to view. Not saying it's perfect, but maybe less scary than the article makes it out to be. People love to jump on the paranoia bandwagon when it comes to MFC, but this isn't really anything new and worth freaking out over.
MFC will not accept a password for a gallery if it is copied and pasted, even if it's the correct one.
 
MFC will not accept a password for a gallery if it is copied and pasted, even if it's the correct one.
Really? That's interesting. That's not exactly what this article is about, but a fun fact nonetheless.
 
That, or a password manager like LastPass.

Also make sure that points of weakness like MFC and recovery emails have extra long/strong passwords.
Lastly, two-factor verification can be a hassle, but the extra security is definitely worth it in my opinion.
 
You're not pasting it right, then. It's always worked for me on any model's photo gallery I've bought. It works on my own profile now.
It's likely because you are getting a space at either the beginning or the end of the word you are copy-pasting, Guy. Double check for that next time.

Edit: sorry that was supposed to be replying to Guy
 
(MFC will allow 25 characters, by the way; I tested it already myself)

Did you test if you can login with only the first 16 characters of your password for example? I've seen plenty of stupidly managed sites that let you use a long password, only to automatically truncate it to whatever fixed length they have set on their database schema.
 
Did you test if you can login with only the first 16 characters of your password for example? I've seen plenty of stupidly managed sites that let you use a long password, only to automatically truncate it to whatever fixed length they have set on their database schema.


I tried it with 25 characters, then tried changing it. It required all 25 characters be entered to change. Also, when I tried a password like this C!@o#$w%^B&*e()l{}[]<>L (cowbell with other stuff in it) it shows up as dots while I'm entering them, but as soon as I was done it visibly shortened it to 7 dots only (cowbell). It didn't visibly shorten it with 25 characters of just numbers and lowercase letters. So I do believe it will allow all 25 characters. I didn't test more.


Edit: I just went and narrowed it down. If you go over 34 characters in length it won't allow it and you'll get this message.
Screenshot - 11_6_2015 , 4_42_01 AM.png


However, that is 34 continuous [non-spaced] characters. If you use a pass phrase that has over 34 characters, including spaces, it will seemingly allow it, but it will delete all the spaces and shorten it to just use the first 34 characters in a continuous pattern.

Example: if you try to change your password to the following...
"Our doubts are traitors and make us lose the good we oft might win by fearing to attempt"

It looks as if MFC shortens it, and your password is actually going to be:
"Ourdoubtsaretraitorsandmakeusloset"
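As an added example (not MyFreeCams code, and not from any poster here), the following Python models the password handling reported in this post and in the earlier keyspace post: lower-casing, dropping every character that is not a letter or digit (spaces included), and keeping at most 34 characters. The 34-character cap and the 36-symbol alphabet are assumptions taken from those posts; the guess rate passed to `seconds_to_exhaust` is whatever you assume for an attacker.

```python
import math
import re
import string

# Added illustration, not MyFreeCams code: a model of the password handling the
# thread describes (lower-casing, dropping every character that is not a letter
# or digit, spaces included, and keeping at most 34 characters). The 34-character
# limit and the 36-symbol alphabet are assumptions taken from the posts above.
MAX_LEN = 34
KEPT_ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols survive


def normalize(password: str) -> str:
    """Return the form of `password` that, per the thread, is actually checked."""
    kept = re.sub(r"[^a-z0-9]", "", password.lower())
    return kept[:MAX_LEN]


def charset_size(password: str) -> int:
    """Alphabet an attacker must assume for the password exactly as typed."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1   # 32 punctuation marks + space
    return size


def search_space_bits(password: str) -> tuple[float, float]:
    """(bits as typed, bits after normalization); fewer bits is easier to brute force."""
    as_typed = len(password) * math.log2(charset_size(password)) if password else 0.0
    effective = len(normalize(password)) * math.log2(len(KEPT_ALPHABET))
    return round(as_typed, 1), round(effective, 1)


def min_length_for_bits(target_bits: float) -> int:
    """Shortest lowercase+digit password whose search space reaches target_bits."""
    return math.ceil(target_bits / math.log2(len(KEPT_ALPHABET)))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every normalized candidate at an assumed guess rate."""
    _, effective_bits = search_space_bits(password)
    return 2 ** effective_bits / guesses_per_second


if __name__ == "__main__":
    samples = ["!!!PASSword???", "C!@o#$w%^B&*e()l{}[]<>L",
               "Our doubts are traitors and make us lose the good we oft might win by fearing to attempt"]
    for pw in samples:   # constructed from the examples quoted in this thread
        print(repr(pw), "->", repr(normalize(pw)), search_space_bits(pw))
    print("36-symbol length needed for 64 bits:", min_length_for_bits(64))
```

Run it against a candidate password before trusting it: only the second number returned by `search_space_bits` reflects what the site would actually check.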
 
People have been complaining about this for years, but other than silly faces falling for the basic phishing scams of clicking on links... when have you ever heard of someone getting hacked and having their money stolen or whatever?

Makes me wonder if MFC has a much more advanced security system than anyone is giving them credit for.... especially considering the amount of hate and venom that gets directed towards camgirls from obviously tech advanced people, i.e. cappers and shit.
 
Speaking of which, MFC serves their page unencrypted by default (HTTP instead of HTTPS), so anyone between you and MFC's servers could very easily intercept your password when you log in. You need to go to https://m.myfreecams.com or https://www.myfreecams.com to log in in a secure way.

Good advice for any website. There's an extension for Chrome, Firefox and Opera called HTTPS Everywhere that requests the HTTPS (secure) version of sites to be loaded if one exists. So you don't even have to think about it, really.

HTTPS Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure. Encrypt the web: Install HTTPS Everywhere today.

HTTPS Everywhere is produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by using clever technology to rewrite requests to these sites to HTTPS.

Their main site is here. Or you can get it in the Chrome web store directly here. Good extension to use.
 
People have been complaining about this for years, but other than silly faces falling for the basic phishing scams of clicking on links... when have you ever heard of someone getting hacked and having their money stolen or whatever?

Makes me wonder if MFC has a much more advanced security system than anyone is giving them credit for.... especially considering the amount of hate and venom that gets directed towards camgirls from obviously tech advanced people, i.e. cappers and shit.

I did recently have my account drained, all 23 tokens... But luckily I don't save my CC info to the forms, so that's all they got. MFC temporarily froze my account, made me change my password, and suggested I run a full spyware/malware scan.
My cams.com account was also hacked at about the same time though, so that may be on me.
For the record, MFC reimbursed the tokens, whereas cams did not, in case anyone was curious.
 
I did recently have my account drained, all 23 tokens... But luckily I don't save my CC info to the forms, so that's all they got. MFC temporarily froze my account, made me change my password, and suggested I run a full spyware/malware scan.
My cams.com account was also hacked at about the same time though, so that may be on me.
For the record, MFC reimbursed the tokens, whereas cams did not, in case anyone was curious.
Is your computer a PC or a Mac?
 
MFC temporarily froze my account, made me change my password, and suggested I run a full spyware/malware scan.
My cams.com account was also hacked at about the same time though, so that may be on me.
Sounds like your common email account may have been compromised if both were logged into in roughly the same time frame....?
 
People have been complaining about this for years, but other than silly faces falling for the basic phishing scams of clicking on links... when have you ever heard of someone getting hacked and having their money stolen or whatever?

Makes me wonder if MFC has a much more advanced security system than anyone is giving them credit for.... especially considering the amount of hate and venom that gets directed towards camgirls from obviously tech advanced people, i.e. cappers and shit.

Yes. ScarletRaven had her paycheck stolen. It was a few years ago, and is part of the reason why they put that extra step in when you click on 'payment info' (the area where you change payment information): if you're logging in from a different IP than normal you have to get a confirmation code from email. She got it back eventually, but it took months and it was a large paycheck. On the last day of the month someone hacked her account, changed the payment info to a Payoneer card they had access to and took her paycheck.
 
Sounds like your common email account may have been compromised if both were logged into in roughly the same time frame....?

Actually, no. But I was one of those lazy people with the same username and password prior to that, so that was probably a factor.
 
I wrote a long reply in another thread, but it was closed, and I couldn't get back the content. Shortened version: MFC security around passwords is shit, and it's stored in cleartext too. If you ask for a password reminder, they email your password, don't they? People should complain, as it's simply not good enough. Not in today's day and age.

But it's all fairly irrelevant when people are retarded anyway. 2.2% of passwords are derived from a list of 25 passwords (sample from leaked passwords).
Worse still, your PIN protects your bank account access via card, right? So it's surprising to learn 11% of all PIN numbers are just a single, lone PIN code. The top 3 chosen PIN numbers are 20% of all PIN codes (1234, 1111, 0000), and rounding off the top 5 are 1212 and 7777.

Your risks are more likely behind MFC servers being "hacked" and leaking your plain text passwords and email addresses... than someone trying to brute force your individual account. Either way, I imagine a good proportion of users share the same password for account and email though.

MFC are poor on security. Users are even worse. Both need a bloody good slapping.
 
Err, banks decide the PIN code over here, not card holders themselves.
I don't recall where you live, but in the US I think most banks have you choose your own when you open your account/get a new card.
 
But it's all fairly irrelevant when people are retarded anyway. 2.2% of passwords are derived from a list of 25 passwords (sample from leaked passwords).
Worse still, your PIN protects your bank account access via card, right? So it's surprising to learn 11% of all PIN numbers are just a single, lone PIN code. The top 3 chosen PIN numbers are 20% of all PIN codes (1234, 1111, 0000), and rounding off the top 5 are 1212 and 7777.
I feel like a huge portion of incidents on MFC/cam sites are due to this stupidity. My first reaction when someone complains about an account being "hacked" is "it's probably your fault"; as mean as it sounds, it's probably true.
 