http://www.swfme.com/swfs/96357lalalala.swf

hidden=true flash embed please 1x

Um.

Apart from being painfully annoying...it's apparently a huge security hole which is EASILY exploited Sonatine.

It should be noted that allowing flash like this is a security risk as well since embedded flash can call external files to your server and manipulate data in cookies via actionscript.


A friend of mine was glancing over the forum yesterday and said it's a pretty huge security risk:

I see someone added a [flash] tag and people are posting flash on skatz

This is a pretty bad idea, very easy for someone to fuck up the forum and/or do nasty shit to the users.

One of your arch enemies could come and fuck up skatz with that.

:moonlanding

not to mention that it is annoying reding a thread then you realize that some video is half way through and you either have to watch it 1 1/2 times or just skip it and miss out on the fun,

removed, but one could point out that like 90% of banners are flash, etc etc.

having a media-rich site had equity vs security concerns for me but i actually run a fairly secure browsing environment as well.

fairly secure browsing environment is faggot

I'm trying to understand this situation a little more fully.

The way I see it is that, yes - we all see Flash every day but that Flash is sitting on commercial websites and that. It's not on a forum where basically anyone can code it to do nasty or malicious things to users.

I'm not even sure what "fairly secure browsing environment" means to be honest, so I doubt I have one - but I don't really access websites that are 'risky' either, at least I try not to.

So if the Flash was just available to Admin or something, that may be an acceptable / casual risk. Or if you first made sure every current user and every potential user had "fairly secure browsing environments" before adding it. But Flash being available to any user seems to me to be an unacceptable / high risk - especially when most users wouldn't be running "fairly secure browsing environments". Particularly when every coder I've asked whilst [flash] was there said they could use that tag to do malicious things to users, far beyond simply destroying the forum.

So I guess I'm confused as to why it was added in the first place?

I'm trying to understand this situation a little more fully.

The way I see it is that, yes - we all see Flash every day but that Flash is sitting on commercial websites and that. It's not on a forum where basically anyone can code it to do nasty or malicious things to users.

I'm not even sure what "fairly secure browsing environment" means to be honest, so I doubt I have one - but I don't really access websites that are 'risky' either, at least I try not to.

So if the Flash was just available to Admin or something, that may be an acceptable / casual risk. Or if you first made sure every current user and every potential user had "fairly secure browsing environments" before adding it. But Flash being available to any user seems to me to be an unacceptable / high risk - especially when most users wouldn't be running "fairly secure browsing environments". Particularly when every coder I've asked whilst [flash] was there said they could use that tag to do malicious things to users, far beyond simply destroying the forum.

So I guess I'm confused as to why it was added in the first place?

jesus christ.

there are a whole lot of sites with flash enabled. its fun.

if you view malicious flash on an insecure browser such as IE, you have problems.

if you listen to a malicious mp3 on an out of date version of winamp, you have problems.

if you open a malicious pdf with an out of date version of acrobat, you have problems.

i hope this mitigates your concerns and confusion.

also id very much like to learn how flash can destroy a forum. this allegation alone is either incredibly bleeding edge knowledge or evidence of someone with an attenuated capacity for drama and/or a peerless desire for attention.

i literally thought sonatine of all people would be the one to bring up security issues

security is ultimately a measure of function vs exposure. absolute security is powering down a server and physically severing its connectivity. however your functionality is 0.

scooter doesnt feel that the benefits of rich media outweigh the impact it can have. i absolutely respect his right to make that judgement call. i made a different call but its not my place to say no to his opinion.

i literally thought sonatine of all people would be the one to bring up security issues

------

As to how it can destroy the forum, after being alerted to the danger [flash] presents, the people who said it can EASILY destroy the forum are:

- vBulletin [creators of the forum software]
- 4/4 coders I've spoken to

------

bleeding edge knowledge?

Perhaps. I didn't know [flash] created risk until I was informed yesterday. But what I know about coding can be written on a fingernail. My gut says it's not bleeding edge knowledge though. mama luigi and the 4 coders I've asked basically echoed uige's :moonlanding response. So I'm gonna guess it's not. Bleeding edge knowledge.

peerless desire for attention?

vBulletin and the 4 coders I bothered weren't really after attention, no.

im just saying, i think a lot is getting lost in translation. perhaps they mean it can disrupt a community or something like that but all the [flash] code does is introduce the headers for flash embedding. that cannot impact the html render engine in apache and its unlikely that it can somehow introduce an exploitable weakness in the vb software itself.

so if they are saying that noise and video can destroy the functionality of a site, ok fine. or if it can be used to make a mess of things, sure ill go along with that. but when i think 'destroy the forum' i have far graver scenarios in mind.

You're the expert Sonatine!

I liked your flash stuff. But not when I was told the malicious things it could be used by ANYONE to do to me personally. Then, I did not like the flash.

Then, I thought "why was I exposed to that risk?"

...and just trying to understand that now.

Its a valid concern, dont get me wrong. An asshole could make a mess using the flash tag, and if youre running IE it can get pretty serious.

The awesome-factor made me hot for it, thats all. But youre talking to a guy who had emotionally committed relationships with strippers for years. Color me Icarus but I like the view from up there.

but when i think 'destroy the forum' i have far graver scenarios in mind.

So do I.

So do they.

I see someone added a [flash] tag and people are posting flash on skatz

This is a pretty bad idea, very easy for someone to fuck up the forum and/or do nasty shit to the users.

One of your arch enemies could come and fuck up skatz with that.

When I pushed for an example of the "nasty things", an example was given:

I could, right now, using the code on your forum, take control of anyone's webcam and video them

Whilst I admit there is a part of me that is vaguely amused at someone videotaping my 24/7 crack smoking and thinking "well fuck do something interesting already"....this is not good functionality to have on a public forum.

Im sure under certain scenarios, that end game is possible, but Im also instantly skeptical because the first thing anyone gets told when someone is trying to sell an Internet Boogeyman Security Scenario is the old "i can turn on your webcam" line.

There are a ton of off-the-shelf trojans and malware packages that do exactly that, and I have seen websites run by cossack teens with literally thousands of webcams running on compromised pcs, but that had nothing to do with flash being enabled on VB in those instances.

Is it possible he knows something I dont? 100%, of course. There are a lot of pies cooking in the security field and its impossible to keep a finger in all of them.

I would feel a lot better about this whole debate if he could simply point me at some Proof of Concept that defines the exploit vector.

Just like...it seems EVERYONE agrees it's a major security risk but you. The forums are covered with it...

http://www.vbulletin.com/forum/showthread.php?293146-Inserting-Flash-swf-in-Post-and-Threads

That requires enabling HTML which is a major security risk.

I have disabled html and will enable it when I want to add flash. I do not want anyone to be able to include flash, only me.

Does this seem to be a safe solution?

Not really. That's because you cannot limit HTML posts to specific users or usergroups. It's a per forum setting.

I turned off html in all forums. I will turn on only when adding flash myself and then turn off after adding flash. How does that sound?

That won't work either. As soon as you turn it off, then the flash will stop working.

....[ignore Steve and continue on....]....

one question: is flash save to use, meaning can a flash script mess up someone's comptuer?

Some friends told me that the flash signatures could be used for "cross site attacking" and that the cookie (which contains the username and password) of a moderator could be stolen with a malicious-code flash swf file in the sig.

x

who gives a shit about computer security in this temporary mundane faggot life

Flash movies are displayed "in browser" using embed html tags. You can either enable html code on your forums (not recommended) or create a custom vB code in your Admin CP for the embed tag.

I'm gonna stop looking. I'm sure I could find 20 pages worth of people saying it's a really bad idea.

who gives a shit about computer security in this temporary mundane faggot life

This is true. But unlike SK, I am not beautiful and I do not wish to share my beauty with the internetz.

Im going to start a thread on VB.com looking for clarification on this. First they are saying the issue is uploading malicious flash, then they are saying that you can piggyback malicious html into the embedded flash macro.. and Im left with the suspicion that at the end of the day, we are simply left with an effort being made to protect people who are running IE from browser based exploits, which is really like putting slightly finer-mesh screen doors on a submarine.

One final example as it relates to "likelihood of happening"...

Another thing you all may want to note is that using flash actionscript it is possible to access cookies and then send your cookies to a remote site.

how likley is this to happen?

very likely. Which is why Flashkit.com did away with anyone posting any thing remotely associated with flash files to their forums.

Originally Posted by Jake Bunce
Flash movies are displayed "in browser" using embed html tags. You can either enable html code on your forums (not recommended) or create a custom vB code in your Admin CP for the embed tag.



UGH. We created a custom VB code in AdminCP for the embed tag, thats what we did. This guy is saying that does not green light HTML site-wide. And yet the other authoritative source is claiming thats exactly what it does.




I give up. Lotta chefs in that McDonalds kitchen.

Cookie hijacking does sound like a legit concern however.

I should note I literally don't understand any of the stuff I quoted from those threads apart from people being fairly adamant that it's a bad idea.

And I'm scared of what I don't understand. Like black people and their hip-hop.

The cookie hijacking part is the only one that gave me real pause, I really dont have a retort for that.

Lets leave it disabled, or enable it for Mods/Admins so the occasional hilarity can be posted once files are properly vetted.

The cookie hijacking part is the only one that gave me real pause, I really dont have a retort for that.

Lets leave it disabled, or enable it for Mods/Admins so the occasional hilarity can be posted once files are properly vetted.

cool. Is cookie hijacking serious in terms of presenting any ongoing threat to my PC? I know this is likely a dumb question, but should I be cleaning my PC with any programs just on the off-chance one of my Slots opponents wished to reclaim their losses the unfair way by stealing my account information or anything?

i was surprised i could come here and post flash, like the flash game i posted. swf files/actionscript could get nasty.

as pointed out there is a huge difference between a site owner posting a flash banner and any random 15 year old kid from the soviet union.

just my guess but i would say about 0.1% of forums on the internet allow anyone to post flash

as pointed out there is a huge difference between a site owner posting a flash banner and any random 15 year old kid from the soviet union.

This little nigger E. European kid hacked into one of my poker accounts last year and, if he actually understood how P2P worked, he could have got rich quick. Unfortunately for him and fortunately for me, he didn't - he tried to make like 20 tiny transfers of under $100 in a row rather than a large txf. He was a little retarded cause he simply needed to look at cashier history. Anyway, obv his activity was flagged by Cake security and his face was owned.

But then he emailed me and we got into a long conversation. He was a funny little kid actually - fairly good sense of humour. He tried to lay some threats down initially and I had to give him a Common-Sense 101 lecture on why blackmail kinda only works on retards. He was like "oh yea i guess that makes sense thx" - then every few months he'd pop back up with a question about one thing or another asking advice but I haven't heard from him in ages.

just my guess but i would say about 0.1% of forums on the internet allow anyone to post flash

So what you're basically saying is that we should find them and fuck up their shit? aiight.

scooter actually hallucinated that story after being up for 9 days straight

scooter actually hallucinated that story after being up for 9 days straight

You fucking nigger. Your comment is only amusing to me because when the dozens of emails saying I'd transferred $84 and stuff were appearing and disappearing almost instantly in my Yahoo, I was 100% certain I was just hallucinating it after being up for 4 days or so.

I might not have actually clicked to anything until Cake locked my account about 10 min later as I was about to crash for some [apparently] needed sleep. Then receiving an email from myself in broken English demanding I return my stolen money to me...was a bit of a giveaway also. I guess.

Yeaaaaaaaaaaah right bro

To: "CakePoker Security" <security@cakepoker.com>
Subject: Fwd: Change of email for security reasons [Ticket#: 65776]
Attachments: <License.jpg>

Just realised no point in sending that document through again, you should ask for a new document as part of procedure. Because if he's still in my Yahoo, he would have access to that document now. Obviously.

I have attached another ID document.

Also, Tyler Johnson. Cardinals relief pitcher a couple yrs ago, pitched in the World Series.

http://en.wikipedia.org/wiki/Tyler_Johnson

Jonny


---------- Forwarded message ----------

Date: Nov 23, 2008 11:42 PM
Subject: Re: Change of email for security reasons [Ticket#: 65776]
To: CakePoker Security <security@cakepoker.com (mailto:security@cakepoker.com) >


Scan attached.

Jonny


On 23 Nov 2008 15:34:11 +0000, CakePoker Security <security@cakepoker.com (mailto:security@cakepoker.com) > wrote:
Hello Jonny,

Apologies for the repeated inconvenience, but for security reasons can you please again attach the scanned photo ID? By using a different email address we are unfortunately once again unable to verify that you are the true account-holder, since you still believe your registered email address to be compromised.


Regards,
Omar
Cake Poker Security





To: <security@cakepoker.com (mailto:security@cakepoker.com) >
Subject: Change of email for security reasons

He emailed me from my own email.

Let's talk on this email please for now.

Jonny


From: security@cakepoker.com (mailto:security@cakepoker.com) (mailto:security@cakepoker.com)
Date: Sun, 23 Nov 2008 15:11:11 +0000
Subject: Re: URGENT - Security compromised - money theft from my account [Ticket#: 65744]

Hello Jonny,

Can you please explain how you acquired this individual's email address?



Regards,

Omar

Cake Poker Security



To: <security@cakepoker.com (mailto:security@cakepoker.com) (mailto:security@cakepoker.com) >
Subject: RE: URGENT - Security compromised - money theft from my account [Ticket#: 65744]
Attachments: <Support.JPG> (Displayed)

I'm almost certain I know that name (Tyler Johnson) but I have no idea where from so I guess it could be like a sports player or B grade celebrity or something.

I'm in contact with the hacker, who sent me this message below. If there is excess money somehow, I don't really care what happens to it - maybe Cake staff xmas party fund...

------------

Re: Dude! Why?‏
From: bob mike
Sent: Sunday, 23 November 2008 2:45:40 PM
To: Jonny

Naaa man. You a good guy. I just really need money badly. I was hopping I could just hop on your account make money and leave your account as is and just transfer myself the winnings. Man I am sorry, but you did end up with all the money. If you could, would you transfer that guy who I transfered 400 dollars to 400 dollars because he gave me money and I dont know him and dont want to steal from him. It would mean everything to me if you could do that.







From: security@cakepoker.com (mailto:security@cakepoker.com) (mailto:security@cakepoker.com)
Date: Sun, 23 Nov 2008 14:48:11 +0000
Subject: Re: URGENT - Security compromised - money theft from my account [Ticket#: 65744]


Hello Jonny,
The account 'donkonmyface' was created in the name Tyler Johnson, though the other account details, such as '567 Main Street' for the mailing address, do not tend to indicate that the account details are legitimate. Since we were able to act before 'donkonmyface' could lose the funds to a third party, all of the funds transferred, as well as the funds dumped to the account during the hacked login session, are in that account's available balance and will be restored to your account on conclusion of this matter. In the meantime, access to your account is still suspended and will remain so until you contact us indicating that you have ensured your email is secure, at which time we will be able to arrange a password reset and restore access to your account.




Regards,

Omar

Cake Poker Security

<Image: Support.JPG>


To: <security@cakepoker.com (mailto:security@cakepoker.com) (mailto:security@cakepoker.com) >
Subject: RE: URGENT - Security compromised - money theft from my account [Ticket#: 65744]
Attachments: <Support.JPG> (Displayed); <passport.JPG>

I have attached a scan of my passport.

Please do not reopen my account yet until I have addressed the possibilities of keyloggers and trojans. I have pretty advanced and expensive anti-virus software on my PC so I'm hoping nothing like that exists, but I will proceed with full system scans anyway.

I've played online at almost every site for 5 years now and this is the first incident like this I have come across, so getting advice from internet security experts on how to handle it. Please leave my account LOCKED for now until I have cleaned this PC.

Also, I need the name of the holder of the account who attempted the scam as it may be someone I know, in which case I will need to do full damage control for a lot of more important things like banking access passwords etc. I have friends staying with me at the moment, and it would be comforting to rule them out, although I do not suspect them for this incident in the slightest despite their endless thieving of my liquor cabinet.

Jonny

From: security@cakepoker.com (mailto:security@cakepoker.com) (mailto:security@cakepoker.com)
Date: Sun, 23 Nov 2008 14:10:11 +0000
Subject: Re: URGENT - Security compromised - money theft from my account [Ticket#: 65744]


Hello Jonny,
At the time we received your email, the account which received the transfers was sitting at a heads-up cash table with your own account 'gayboy696969'. Access to both accounts has been suspended. We would advise that you run a full scan of your hard drive for any trojans, keyloggers etc, before changing your email password.
In order to restore access to your account and address the issue of the funds transferred and dumped, please forward us a copy of a Government-issued photo ID. Please scan the following and send as JPEG attachments to: support@cakepoker.com (mailto:support@cakepoker.com) (mailto:support@cakepoker.com) (mailto:support@cakepoker.com) .


Regards,
Omar
Cake Poker Security
<Image: Support.JPG>


To: <security@cakepoker.com (mailto:security@cakepoker.com) (mailto:security@cakepoker.com) >
Subject: URGENT - Security compromised - money theft from my account

293845923 11/23/2008 1:14:31 PM TRANSFER ($125.00) Transfer to donkonmyface
293840864 11/23/2008 12:58:26 PM TRANSFER ($40.00) Transfer to donkonmyface
293829049 11/23/2008 12:19:42 PM TRANSFER ($99.00) Transfer to donkonmyface

The above transfers and the rest are all unauthorised. I do not know how my password was compromised. But the emails notifying me of the transfers were deleted in front of my eyes so the thief had access to my yahoo account. I have have obviously changed the passwords at both my yahoo and Cake accounts.

Please freeze the above player's account immediately and notify me as to what procedure is followed from here to reopen my acc.

Jonny

Also that took me an annoyingly long time to find.

So if you don't read it all I'll hurt you with a Red rep. That's a threat.

i am never reading that

i was the hacker

omfg pls 2 people red rep gay sex for me

one to reverse my green

one for his deserved red

nice botch job guy who hallucinates things

lolz

I have no idea if this is even interesting as I'm high and everything is interesting atm. But I forgot how crafty he was - he hacked into a friend's email as well, hacked into my friend's tilt account and got onto chat requesting a transfer - I only clicked once he said something that was wat? then I tested him heaps with fake info and he screwed up by giving me his Stars username as well which I passed onto Stars security.

We had a good laugh about it afterwards...

----------


Tim: hey

me: sup

Tim: whats going on

me: i about to watch shield
did i tell you someone hacked into my cake account yesterday? crazy stuff

Tim: nice
really sorry about that

me: guy seems ok - spoke to him online, just kid i think - cake security shut it all down but won't let me back in my account

Tim: did you lose all your money?

me: i dunno - i don't think so - cake not emailing me cause they not sure if my email is secure
they called and said account will remain locked until everything sorted out

Tim: when will you be able to get back on your account

me: no idea - cake said they'll call me with news
as the investigation continues - it's annoying cause all my money pretty much in cake

Tim: ya i was gona ask you if you had any money on tilt

me: i got nothing in tilt - but i know stevo has heaps of tilt he wants to move cause he scored in big donkament the other day

if you need urgent transfer stevo can make it and you can fix me up in sydney next week at APPT

Tim: can he do it now?

me: yea he's online

Tim: that would really help me out

me: steve riggs says (11:32 PM):
how much and where am i sending?

Tim: could he do three shipments of 300 so 900 total?

me: i guess so - why not just 900 though?

Tim: goes faster as smaller shipments

the username is alwayssunny1
new acc
two 450
payments is fine
thanks again

me: fucken stevo - he's gone offline for a second - fat fuck probably just got pizza hut delivered - hang on

Tim: ok

me: stevo the fat fuck is probably face deep in cheesy crust pizza - is stars ok? chardy wants to get rid of some stars

Tim: yes thats fine

me: username and city?

Tim: alwayssunny1

me: how much you need on stars? chardy says he'll sent once his final table is over, he's 6th out of 8 left on a $22 rebuy
lol you hear stevo has put on 11kg since June?

Tim: haha
all those pizzas

me: he's like sick sick fat now, he telling me he can't even get out of his chair now without having a heart attack
yea and he's addicted to soda he says

Tim: haha

me: drinks 4 litres of pepsi max a day

Tim: jesus
hes really put on that much?

me: that's what he says, we'll see him next week at APPT, i wouldn't put it past him to have lost 10kg instead and making it all up

Tim: ya
let me know when he sends the transfer

me: kk i'm gonna get stuck back into Shield season 7

Tim: ok

Solved it. It was indianajim all along and I didn't even realise till now.

his last message:

Chat with bob mike
Reply
bob mike to me
show details 15 May
12:51
bob: how much?
i want 2 black girls wif amazing legs
one licking my ass the other licking me cock
how much is it going to cost me
me: with amazing legs...lots
if you can accept terrible stumpy legs we can get this done on the cheap

is this thing on?

niggers.

i dont know anythinga bout sercurity but i do know that i hate that there is no pause, stop or rewind buttons in flash

i dont know anythinga bout sercurity but i do know that i hate that there is no pause, stop or rewind buttons in flash

:this. I was going to have to block sonatine if that continued, I hated random music popping on every thread i opened.

i for one enjoyed it

The Queen song was hot. The Herrington Queen collage was god.

:this. I was going to have to block sonatine if that continued, I hated random music popping on every thread i opened.

right click press play god i bet even gamble knows this

Solved it. It was indianajim all along and I didn't even realise till now.

his last message:

Chat with bob mike
Reply
bob mike to me
show details 15 May
12:51
bob: how much?
i want 2 black girls wif amazing legs
one licking my ass the other licking me cock
how much is it going to cost me
me: with amazing legs...lots
if you can accept terrible stumpy legs we can get this done on the cheap

eww i wouldnt let a chick lick my ass

http://www.moviepink.com/tour2/movie02_4.mpg

BD8KbLbBZcE

eww i wouldnt let a chick lick my ass

I wouldn't either. But I do a USC occasionally. Fuck if I know how that makes sense.

girls b utts are cleaner than mine thats all i know

i have a feeling the true story behind tigers alleged "food poisoning" has yet to come out yet from this thread

undecided how i feel about a girl who would willingly lick my ass

undecided how i feel about a girl who would willingly lick my ass

And that's I think my main problem with it.

I know how I feel about myself. And that explains the other side of that ass coin.

dont get me wrong it would go down but any shot at a meaningful relationship goes down 90%

exactly 90%

i don't mind knowing that many other guys banged my wife, but if a bunch of guys knew what my wife's tongue felt like in their asses, that would be a dealbreaker.

http://www.getemgirls.com/wp-content/uploads/2009/08/kwame.jpg

Relevant turn of events. I just tried to lick my wife's ass and was denied.

http://www.getemgirls.com/wp-content/uploads/2009/08/kwame.jpg


:kwame

making that shit so tomorrow.

on the strength.

: kwame

:kwame

http://crownroast.attaq.org/nsfw/pussyface.gif

http://crownroast.attaq.org/nsfw/pussyface.gif

:kwame

ship to hof sons

:kwame

i don't mind knowing that many other guys banged my wife, but if a bunch of guys knew what my wife's tongue felt like in their asses, that would be a dealbreaker.

sounds like you should give your wife a lecture on not sleeping with so many guys

sounds like you should stop crying about empire records

nailed him

http://www.youtube.com/watch?v=SGpBUCjH950&feature=grec_index jims second favorite song

turns out flash embeds are what caused this downfall guys

Pretty sure it was over half our members being dead at this point

i think some of them are just in prison bro

I think we need another 408 proof of life.

anybody have any updates on our arch enemies?