
In this post we will be looking at the Voodoo Chat system, or more to the point, the client for Voodoo. Don't know what Voodoo is? This is from their website: "Voodoo Chat is a free graphical chat community! Using web pages as a backdrop, Voodoo Chat lets you chat with old and new friends in a well-blended environment that lets you feel like you're 'in the room' without taking the emphasis away from chatting." So in other words, it's much like The Palace or Virtual Places, only a lot more secure and user driven. Now, while they have done a lot to secure this environment, there is still much to be done, as we will discover here. So let's get right to it.
The first thing we will look at is the massive potential for phishing in this kind of environment. As the description says, the chat uses a web page as a backdrop; you can choose what page is displayed or visited, and the address is never shown to the user. You do this by making a private chat without a password and inviting your targets to your session. Here is what it would look like:
http://farm3.static.flickr.com/2518/3925219265_4df8087060.jpg
Now here is my phishing site:
http://farm3.static.flickr.com/2431/3925219267_1ff21c1876.jpg
You can't tell at all! In fact, the only way to know is to right-click on the page and look in Properties. It just goes downhill from here. Not only do you have no idea what site you're really looking at, but you also have no idea what protocol you're using. You could be using https or http and you have no way to tell; there is no lock icon or anything. Which brings me to the next topic of interest. Other than http and https, you also have access to a variety of other protocols, like ftp, res, chrome, file, and javascript! Really no end to what you can cook up at this point.
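One way a client could close both gaps described above, as an added example that is not from the original post or from Voodoo Chat's code: allowlist the backdrop URL's scheme and build an origin label to display beside the embedded page. The function name, the label format and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example (hypothetical helper, not Voodoo Chat code): vet a room's
// backdrop URL before the client loads it, and produce the text the client
// should show so users can see which site and protocol they are on.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function vetBackdropUrl(raw) {
  let url;
  try {
    // The WHATWG parser lowercases the scheme and strips leading spaces and
    // embedded tabs/newlines, so "  JavaScript:" and "java\tscript:" both
    // normalise to "javascript:" before the allowlist check.
    url = new URL(String(raw));
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { allowed: false, reason: "scheme not allowed: " + url.protocol };
  }
  // "https://trusted-name@other-host/" displays a familiar name but loads
  // other-host, so userinfo is rejected outright.
  if (url.username || url.password) {
    return { allowed: false, reason: "userinfo in URL hides the real host" };
  }
  const secure = url.protocol === "https:";
  return {
    allowed: true,
    secure,
    // Stand-in for the address bar and lock icon the client lacks.
    label: (secure ? "[secure] " : "[not secure] ") + url.origin,
  };
}

// Constructed sample inputs covering the schemes named in the post.
const samples = [
  "https://Example.COM/login",
  "http://example.com:8080/room",
  "ftp://example.com/pub",
  "res://ieframe.dll/page.htm",
  "chrome://settings/",
  "file:///C:/Users/me/secret.txt",
  "  JavaScript:alert(1)",
  "https://login.example.com@phish.example.net/",
];
for (const s of samples) {
  const r = vetBackdropUrl(s);
  console.log(JSON.stringify(s), "->", r.allowed ? r.label : "BLOCKED (" + r.reason + ")");
}
```

Only the two plain web URLs pass, and each comes back with a label that tells the user the origin and whether the connection is encrypted.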