AmberCutie's Forum
An adult community for cam models and members to discuss all the things!

MFCSucks

Mar 31, 2015
mfcsucks.hol.es
As a premium user of mfc for many years, some things really suck at their website.
OK, there are many, many websites about camgirls out there, but here mfc is the topic.

I’m not a programmer nor a security expert, but looks like they have to do a lot of work.

That’s why I post here some thoughts about what’s wrong with mfc in my opinion.

http://mfcsucks.hol.es

#mfcsucks
 
mfcsucks said:
As a premium user of mfc for many years, some things really suck at their website.
OK, there are many, many websites about camgirls out there, but here mfc is the topic.

I’m not a programmer nor a security expert, but looks like they have to do a lot of work.

That’s why I post here some thoughts about what’s wrong with mfc in my opinion.

#mfcsucks

Not gonna click that link. :snooty:
 

Attachment: on-the-internet-nobody-knows-youre-a-dog-meme.jpg
mfcsucks said:
Feel free not to click it. I just wrote down my personal opinion. Nobody needs to follow me.

I think he's saying he won't click cuz that link looks super sketchy. I clicked on it on mobile and it took me someplace that seemed spammy.
 
Clicked it. Read. No ads or spam. Would be interested in knowing how big of a concern the pw issue really is.
 
Red7227 said:
Really interesting about the password. I'm glad now that I use a unique password for MFC. That is an epic level of incompetence if it's true.

OP suggests contacting support, and I believe that is what I will do. If it is a legitimate concern, they deserve to know that people have taken notice.
 
Maybe you could explain/copy the point you are trying to make here so we don't have to go to an external website.
Some people are not comfortable with links of dubious origin.
 
lol it's a fucking camsite, no shit the security is terrible. Groups of 13 year olds hone their craft at camsites because they know they have nothing to worry about. It took MFC years to even attempt to make groups and private shows not be free to view by people that know even the tiniest bit about the streams. At least MFC eventually tries to fix these problems I guess, more than what most camsites do.
 
Jessi said:
Maybe you could explain/copy the point you are trying to make here so we don't have to go to an external website.

He says that MFC's handling of user passwords is insecure, potentially putting users at risk.
 
justjoinedtopost said:
Jessi said:
Maybe you could explain/copy the point you are trying to make here so we don't have to go to an external website.

He says that MFC's handling of user passwords is insecure, potentially putting users at risk.

I think we all figured that out when we had the LindaSoGentle spammers a while back. It's not exactly news.
 
SaffronBurke said:
It's not exactly news.

Ah. Since I have not yet heard back from support, I can only assume the problem has already been addressed. That is a relief.
 
Here is what his blog post discusses for those curious:
mfcsucks said:
Do you know, that MFC does not encrypt your password?

Usually passwords are encrypted and salted during the registering process of almost all websites and systems I know. Only MFC stores the password in plain text in their databases.

Do you get a confirmation email from MFC, when you purchase tokens?
Then you can see, that they really don’t care about the security of the passwords. Only the first characters are replaced by asterisks.

The only way to prevent this risk is to go to your email settings in MFC and disable the confirmation email.
Just go to “My Account” – “Email Settings”:

Even worse is how they handle the option to retrieve your password in case you can’t log in or just forgot your password. Then they send you an email containing your username and your full password.

This fact makes it so easy for hackers and malware to spy out your login credentials for MFC.

I’m sure you also heard, that websites got hacked and complete databases have been copied. If your password is not protected by encryption, they just can use it to log into the site.
So, never use the MFC password twice (no password should be used for several logins), for example for any other login, like amazon, ebay, paypal, facebook or your e-mail account.

MFC should be forced to store our passwords in a secure way. Maybe it helps, when we contact the support often enough?
This isn't even the most dangerous thing with MFC's login security.
While on an insecure public network and using a tool like Wireshark to monitor packets, one can find the login information of anyone else on that network that logs into MFC. The login packet for MFC sends the username and password in clear text. MFC members/models should therefore be very nervous about logging into MFC on any public network.

It's still an issue.
 
Sorry for the double post, just thought you guys might want some proof so you knew I wasn't full of bullshit.
I could post instructions so you can see for yourself (it's extremely easy), but I'm not sure what the rules are on this forum for giving details on how to hack myfreecams. :lol:
I hope I haven't already said too much in fact.

In the screenshot below (note the date and time showing it's still an issue) you can see the packet that wireshark picked up, and in it, plaintext of the username (which I didn't black out) and password (which for obvious reasons I did).

dcak1og.jpg
 
ACFFAN69 said:
Sorry for the double post, just thought you guys might want some proof so you knew I wasn't full of bullshit.
I could post instructions so you can see for yourself (it's extremely easy), but I'm not sure what the rules are on this forum for giving details on how to hack myfreecams. :lol:
I hope I haven't already said too much in fact.

In the screenshot below (note the date and time showing it's still an issue) you can see the packet that wireshark picked up, and in it, plaintext of the username (which I didn't black out) and password (which for obvious reasons I did).

For me that stresses the need to use a VPN even more when using any sort of public wifi connection. If mfc doesn't encrypt it, at least you can take the step and make sure everything you do while there is encrypted by you.
 
My password is "iliketoeatpussyandasshole"
Do you think that is secure enough?

Should i lean more towards more special characters like this?
"1l1k3t0eatpu55y4nd4ssh0l3"

It's really only a password i use for porno sites since it fits the theme of the websites and all.
My bank passwords are

"1h4v3en0m0n3y1nh3r3g04w4yn0w"
and
"1fy0uh4ckmysh1t1llhunty0u"

:D
Tell me your opinions plz.
 
In terms of MFC, plaintext passwords are only an issue if people reuse them on different sites. Logins over HTTPS and hashed/salted passwords are always preferable, but MFC isn't a bank.

I don't know what the model admin stuff looks like, but I'm curious if all their tax ID and banking info is all sent unencrypted. If that's the case and I were running MFC, implementing TLS for the model admin stuff would be more of immediate concern for me than fixing the password database and login system.
 
Jesse0328 said:
In terms of MFC, plaintext passwords are only an issue if people reuse them on different sites. Logins over HTTPS and hashed/salted passwords are always preferable, but MFC isn't a bank.

I don't know what the model admin stuff looks like, but I'm curious if all their tax ID and banking info is all sent unencrypted. If that's the case and I were running MFC, implementing TLS for the model admin stuff would be more of immediate concern for me than fixing the password database and login system.


I group my passwords by function, and so almost all of my porn passwords are the same. Encrypting passwords is pretty much computer science 102, so it does make me wonder what security MFC uses for credit cards and such. As far as MFC not being a bank, I am not sure I agree; plenty of banks have less revenue than MFC. Let's see, they average 1,000+ models logged on, 24 hours x 365. The average camscore is approx 400 tokens an hour and let's say MFC gets $.08/token. Multiply these all together and you get annual revenue of at least $280 million.

Anyway, thanks for the heads up on their lax security. I went and gave MFC its own special password.
 
HiGirlsRHot said:
Encrypting passwords is pretty much computer science 102, so it does make me wonder what security MFC uses for credit cards and such.

Until now, they didn't need to deal with credit card data - if you look closely at the purchase pages, after you choose a token package and payment processor, it redirects you to the payment processor's page, which is then HTTPS and subject to all that fun set of regulations. But since they added an option to pre-populate the credit card data on the token purchase forms, that changes things a bit.

I group my passwords by function, and so almost all of my porn passwords are the same.
I suggest looking into something like Lastpass/keepass/1password so you can (easily) have one password per site instead of one password per function type - from being in the tech industry, I've seen so many scarily broken implementations that I would advise anyone to never reuse their password anywhere unless they are willing to deal with the consequences.

Personally, I am a bit more low tech - I have an encrypted device where I keep text files with all my passwords that I generate randomly whenever I need a new password.
 
I never said it's a new issue that mfc does not encrypt passwords. I have known this for a very long time and contacted their support. But it kind of pisses me off that they didn't do anything about it. They did not even answer my emails. That's why I started this post in the hope more members can force mfc to react.
 
weirdbr said:
HiGirlsRHot said:
Encrypting passwords is pretty much computer science 102, so it does make me wonder what security MFC uses for credit cards and such.

Until now, they didn't need to deal with credit card data - if you look closely at the purchase pages, after you choose a token package and payment processor, it redirects you to the payment processor's page, which is then HTTPS and subject to all that fun set of regulations. But since they added an option to pre-populate the credit card data on the token purchase forms, that changes things a bit.

I group my passwords by function, and so almost all of my porn passwords are the same.
I suggest looking into something like Lastpass/keepass/1password so you can (easily) have one password per site instead of one password per function type - from being in the tech industry, I've seen so many scarily broken implementations that I would advise anyone to never reuse their password anywhere unless they are willing to deal with the consequences.

Personally, I am a bit more low tech - I have an encrypted device where I keep text files with all my passwords that I generate randomly whenever I need a new password.

I do realize that payment information is processed by separate companies who presumably take security more seriously.

I've considered many options for password management. The biggest issue I have is somebody hacks the Password Manager and then I'm suddenly totally screwed, as opposed to somebody finding my porn, forum, news organization etc. passwords. Ideally I want something that uses biometric data, and most importantly isn't connected to the internet at all.
 
HiGirlsRHot said:
I've considered many options for password management. The biggest issue I have is somebody hacks the Password Manager and then I'm suddenly totally screwed, as opposed to somebody finding my porn, forum, news organization etc. passwords. Ideally I want something that uses biometric data, and most importantly isn't connected to the internet at all.

In theory you are OK if you use one option that is primarily offline - I haven't looked at those password managers to know which one is offline-only because I trust *nobody* with my data. Worst case you can do something like I do and do encrypted offline storage - buy an IronKey and use that to store the file with your passwords. Then if anyone wants my passwords, they need to steal my encrypted storage and use torture (or more likely a court order) to get me to give them the decryption key.

And biometric data so far is not that great - last I checked, fingerprint scanners are easily hacked (IIRC that was even on Mythbusters); retina scanners are a bit better but are expensive as hell.
 
The better online password managers have their system engineered where the company is just storing your encrypted data (typically AES-256), and your master password is never transmitted or stored.

KeePass is probably the most popular offline password manager.

I personally have been using LastPass for years and trust them, but I know that a lot of people are wary of online password managers, and you'll never be able to convince them otherwise.
 
mfcsucks said:

I agree with you here. I can live with it, but it's a pain when you are a beginner trying to learn your way around.

I am curious. Why go to this trouble on account of MFC? Bad experience?
 
Jesse0328 said:
In terms of MFC, plaintext passwords are only an issue if people reuse them on different sites. Logins over HTTPS and hashed/salted passwords are always preferable, but MFC isn't a bank.

I don't know what the model admin stuff looks like, but I'm curious if all their tax ID and banking info is all sent unencrypted. If that's the case and I were running MFC, implementing TLS for the model admin stuff would be more of immediate concern for me than fixing the password database and login system.
weirdbr said:
Until now, they didn't need to deal with credit card data - if you look closely at the purchase pages, after you choose a token package and payment processor, it redirects you to the payment processor's page, which is then HTTPS and subject to all that fun set of regulations. But since they added an option to pre-populate the credit card data on the token purchase forms, that changes things a bit.
Pre-populating the values when entering in your credit card information actually just populates the billing address, not the actual credit card information, so no biggy there. As far as members are concerned getting your password stolen on MFC wouldn't be that severe. At worst you may lose a few tokens.

From a model's perspective though, the model admin stores a model's:
- full address
- full name
- banking information (for US models)
- social insurance number (correct me if I'm wrong!).

A very simple MitM attack could really mess up a model's life, if a nefarious individual decided to do such a thing at a large event where camgirls are streaming.
 
justjoinedtopost said:
I am curious. Why go to this trouble on account of MFC? Bad experience?
They don't do anything for their users. Just take their money.
Over the years I have had some experiences and now I have started to write them down.
Especially the security thing is so important but they keep the doors wide open.
If we reach enough users, maybe we can change some things. *dreaming*
 
mfcsucks said:
justjoinedtopost said:
I am curious. Why go to this trouble on account of MFC? Bad experience?
They don't do anything for their users. Just take their money.
Over the years I have had some experiences and now I have started to write them down.
Especially the security thing is so important but they keep the doors wide open.
If we reach enough users, maybe we can change some things. *dreaming*

And yet, you'd think that if their security was as lacking as all that, we'd have heard a lot more about actual accounts actually getting compromised from members who frequent ACF or from models who would certainly hear about it from their regulars. I'm not saying it never happens, because I don't know that it doesn't, but, we don't seem to hear about anyone we know having many problems.
 