Privacy Flaws In Chatroulette Expose Users

itwbennett writes "In a paper posted online this week, researchers from the University of Colorado at Boulder and McGill University outline three different types of attacks that could be launched against Chatroulette users. While the new research doesn't expose any gaping privacy holes, it does show how the service could be misused by determined criminals. For example, the researchers were able to use IP-mapping services to get a general idea of users' location (a public Web site, called Chatroulettemap.com already does this). Then by searching Facebook using information obtained in chats and comparing pictures, researchers were able to identify chatters. 'Even in a city as big as Chicago, you can drill down and find the person you're actually talking to,' said Richard Han, an associate professor with the University of Colorado who co-authored the paper."

Re:For those not stupid enough to know:

[ByOhTek]

Actually, if you RTFS, it's more along the line of combining the IP address of the other party, and the picture to narrow down who/where.

I think they are missing the bigger flaw here. Flash, or even worse, peer-to-peer flash...

Re:For those not stupid enough to know:

[Restil]

I can always sniff out the ip address of the host I'm communicating with, even if all of the data is encrypted. The only way to prevent that is to run all of the data (video, audio, and text) through a central server (or multiple central servers) or some type of proxy. The point is, someone is going to have to pay for a huge amount of bandwidth, as opposed to the way it works now where all the main server has to do is arrange the connections.

-Restil

Nothing New

[Ziekheid]

At least 2 of the 3 things mentioned in the paper can be done on ANY cam site (blogtv, ustream, tinychat, etc).
It's truly ridiculous to only mention Chatroulette here and I don't consider any of the things mentioned a real security flaw. 4chan has been "exploiting" these sites for years already, it's nothing new.

Re:Question about chatroulette

[Anonymous Coward]

No regular point of contact, but I have had interesting conversations with some people the 2-3 nights I tried it. It's also fun just to mess around telling bullshit. Just innocent, maybe PG-13 bullshit, nothing offensive or related to genitals. :)

You've probably seen videos of that piano-singer guy on chatroulette. There are genuine, nice and fun people too on it. Well there used to be at least, it may have (and probably has) degenerated...

Dupe?

[MonsterTrimble]

I thought this was the exact issue the U.S. miltary had when they had soldiers posting geotagged pictures to facebook which identified where they were in Afghanistan. Same idea - people, given a few small details, can very easily find out about you by the use of Google.

Back when I was in first year university (1996) it was still pretty wild west on the internet. I was talking to a friend who I had never given any of my real details (name, address, etc) when she popped up and asked if I went to AMHS (my high school). After picking my jaw off the floor I found out that I had mistakenly forwarded them an E-mail which I had originally forwarded from my school account to my hotmail account. They found the e-mail address, and googled it. It was all laid out there on the Universities' website.

Re:researchers?

[Rijnzael]

I'm actually a CU-Boulder student and had a class with Han last semester. He's a great prof and really cares about the students' understanding. I was surprised to see that he put out research on something so common-knowledge; "Oh once you have a picture of someone you can look for another picture that looks like it and you know you've found your target". He's more of an operating systems/networking kind of guy. This just seems like fluff research to keep the department chair happy while he actually does his teaching and "real" research. Academia has this tendency to prioritize quality over quantity, and I think this provides an example of the pressures even good profs feel from the top re: publishing.