This dating website charges more than £50 per month to be able to see photos and to message people.That surely is because they are providing such smart service.There does not seem to be any identifier to the person I am chatting with except in the message websocket frame. Your membership could easily be replaced by a Chrome extension that replaces URLs for photos, replaces HTML of the inbox to match what you get in the requests, and send out messages using your websocket.It seems that the chat address that looks like an e-mail address is the identifier of the person I am sending to. After a long look at all these IDs and chat addresses, it turns out it is the resource ID: I tried to modify the query parameters, but I always got an empty image. 💡💡💡💡💡💡💡💡💡Well just check my own profile picture, what does the URL consist of? Following Facebook’s scandal, I would recommend every company to hire some ethical hackers to understand where your service is insecure.Reader Interceptor Executor$Un Closeable Input [email protected]; line: 1, column: 2] (through reference chain: api.message. Let’s have a look at the list of pre-defined messages.Client Message Wrapper["message"])Hmm, interesting. I opened the list to send more messages and I inspected the HTML and it turns out that that message has the ID 62. The reverse engineering I just did is 99% done on Chrome without the need of any other tools.Oh Damn, the chat is happening over websockets (I should’ve expected that). Moving over to websocket filtering in Chrome Network tab, gladly there was only one websocket to monitor.
Seems that they did a good job here in knowing that I am not using the proper SSL certificates and that I am performing a man in the middle attack. POST Post your unique profile and photos completely free. BROWSE Browse the profiles of thousands of singles for free.