Thursday, July 01, 2010

TinyChat's Privacy Policies and IP Exposure

TinyChat is a service that provides users with a web-based chat room and the ability to stream multiple live webcams in their rooms. The service is very simple and uses an IRC-like interface, similar to, with the exception of the ability to have more than one cam stream going at a single time. Like most cam sites, it has terms of service and privacy policies that disallow certain behaviors, such as vulgarity or nudity on cam. But TinyChat goes a step further with its policies: when it feels that users have misbehaved, it punishes them by not only closing the room but also publishing a list of all the users who were present while the room was running, along with their full IP addresses.

Tinychat may terminate any user's access to the network, Web site and service and remove any content posted, for any reason. Tinychat reserves the right to modify or discontinue and portion or component of the service at any time and with or without notice. Tinychat shall not be liable to any user or any third-party for any termination or modification of service. By using the tinychat service you agree, that should any room be closed for any reason that all users data who may be in the room may be disclosed publicly.

This is an abhorrent practice on TinyChat's part: it exposes members' IP addresses publicly without any way for the user to request that they be removed. This information can give away a user's location and allow individuals with malicious intent to potentially attack the IP address using denial of service attacks, or to port scan it to look for vulnerabilities or holes in the user's system.

The Misc Incident

Last night on's Misc section a user started a thread that linked to a Tinychat room with him and a female companion.  According to the user, franchise16, no nudity was recorded on cam during the chat session, but in the end, the Tinychat staff felt it necessary to close down the room and then proceeded to display the IP addresses of all the users who were currently in that room at the time.

As of the time of this posting, Tinychat has still left this information up. As a further example of the abuse potential this opens up, a number of users took the entire list of IP addresses and claimed to post them on 4chan, to allow the members there to potentially exploit the list for nefarious purposes. I cannot verify this claim, however.

I spoke to the user who started the Tinychat room, franchise16, and asked him for an overview of the events. Here is a summary of what he said happened:

Made thread bout POF [Plenty of Fish] girl comin over
[She] Came over, had webcam open and screen off on macbook, told them mac was for music
Carried it around with me
Brought on to porch where we fooled around, was too dark to see
Had about 500 users viewing it in the room
Brought it inside and into the room
We made out for a bit on bed
Took titties out, no nudity was recorded I don't believe
[The feed] Was cut about 2 min after mac was brought into room
Rest happened off cam
All IPs were posted in tinychat room but for some reason not me or any other canadian brahs

I asked him if there was any nudity shown on cam and he responded that there was not. He also confirmed that the girl was of legal age (18) and that this was therefore not any sort of situation of child pornography. franchise16 said that no Tinychat staff warned him in advance that he was violating the terms or that he should stop the cam feed before the room was closed and all the users' IPs were posted. Regardless of whether there even was nudity displayed on cam in the Tinychat room, Tinychat should not endanger its users' security by publicly "outing" them by posting their IP addresses when a room is terminated.

Because of this incident, I would recommend that no one use Tinychat. The risk of having your IP posted without any warning or notification is not one that you should be willing to take. When using IRC servers that do not obfuscate IP addresses, users are aware that their IPs are being displayed publicly, but Tinychat doesn't do this openly or have any sort of whois command so that users' IPs can be displayed to other users, outside of Tinychat staff.

I will contact Tinychat's support and report back with their response.

UPDATE: Tinychat has responded to my inquiry. See the post TinyChat Responds to Inquiry Regarding Public IP Disclosure for the follow-up.


59kg_weakling said...

good job pogue man. It's good to have a Mod who is aware of IT security. I want to rep you but I can't because Lunatic banned me. I'm not sure why, exactly. wtfman.jpg


Anonymous said...

Well written. Tinychat deserves to be exposed.

flexbrah said...

good post pogue. my ip address was one of the 300+ ip's posted from the main tinychat room. i'm definitely all for boycotting tinychat because publicly posting everyone's ip's (w/o consent) is pretty ridiculous if you ask me...

Anonymous said...

Good post. I have had many different incidents with tinychat and I heard about this from a friend who posts on the Misc and this is just ridiculous.

Anonymous said...

a miscer alerted me about this and now im never using tinychat!!!!

Anonymous said...

I was one of the unlucky ones...hopefully the fbi wont show up at my door lol

Anonymous said...

I am never using Tinychat again. I can't believe they do that.

liftthat said...

Good job pouge....what they did was really stupid IMO, Im with you 100%

Anonymous said...

Good job Pogue man. I was viewing when it got closed and I saw the page but didn't look to see if mine was posted :( I hope it wasn't but I think it is

Boycotting Tinychat is the way to go!

