Python script lets you download random chats from Omegle

Aug 22, 2016 13:33 GMT  ·  By

Indrajeet Bhuyan, a security researcher from India, has discovered that the Omegle anonymous video chat service is storing private text conversations on its servers in an insecure way that allows attackers to retrieve them.

Omegle is an online website that lets random people start a text or video chat without registering. The service became extremely popular at the outset of the 2010s, and in the meantime entered Internet lore as the place where creeps go to flash their private parts to random people.

A few years back, because of the constant criticism of being a haven for pedophiles that pick up kids online, the service added an "Adult" section on its site and added a huge warning on its frontpage that reads "Video is monitored. Keep it clean!"

Omegle keeps chat logs in insecure conditions

"I focused Omegle because it is the most popular anonymous chat service available on the internet and is quiet popular too," the researchers told Softpedia.

"The service randomly pairs you in one-on-one chat window where you can chat anonymously over text or webcam. Millions of people visit the site daily.

"In this site, there is no login form or any authentication due to which people often think they are 100% secure. I wanted to see if they are really secured or not," the researcher said.

"These days every other site maintain logs, even most of the VPN sites too maintain logs. [...] I was quite sure that they [Omegle] maintain a log too," Bhuyan said.

Spam bots helped Bhuyan discovered the chat storage problem

Softpedia asked what drew Bhuyan to the site. "The site is flooded with bots which will message you when you start a conversation and will give you links to malicious sites/advertisements," the researcher tells us.

During this research, Bhuyan said he noticed that the Omegle servers gave him a link for the text chats he just ended. The researcher noticed these links were not self-destructive, meaning they were kept permanently on the server.

These links contained the token ID of each chat. Bhuyan created a simple Python script that cycles through token IDs, discovers the active ones, and then downloads the chats in  PNG format from Omegle's servers.

Bhuyan's script in action
Bhuyan's script in action

"I have made a simple python script which generates tokens of its own, whenever a token matches with that of Omegle’s token, the server thinks it to be genuine and gives the chat log which the script downloads to a folder," the researcher told Softpedia.

Both Omegle and the users are at fault

While Omegle never asks for the names of people participating in these chats, the conversations often contain personal contact details give out by the users themselves. Someone sharing this information on a service that provides anonymity is never a good idea, and this may be more of a user mistake than a service fault.

The service is designed by default to provide access to conversations to anyone with a valid text chat token ID, but in the bigger picture, Omegle could have done more to protect servers against the mass harvesting of their data.

Bhuyan tells Softpedia that Omegle doesn't list a method of contact on their site, meaning the company has not yet been notified of this issue.

"I always inform first then make public disclosure," the researcher told Softpedia. "But this time the case was different. If you visit Omegle’s site you can see that there is no contact details, due to which I could not inform them. I hope this news reaches them so that they can fix it ASAP."

Bhuyan has open-sourced his script called Omegle-Chat-Hack on GitHub. In order to run it, you'll need Python 3 installed on your workstation.

Screenshots downloaded from Omegle's servers
Screenshots downloaded from Omegle's servers

Proof of concept screenshots (7 Images)

Omegle leaks your private chats
Bhuyan's script in actionScreenshots downloaded from Omegle's servers
+4more