Another malicious app identified: Room Analytics

smoker919 · 2025-04-14T23:45:25-0700

ironthrone0 is the author of Room Analytics, one of the most widely used apps on CB. This evening the dev portal listed a new app called Enchanalytics by him. He did not hide the source code and it is simply a white-labelled version of Room Analytics. I looked through the code and found that it contains a routine that automatically adds his main account and/or several of his alt accounts to ticket and hidden shows if they are in the room.

Dev version of Enchanalytics

Production version of Enchanalytics

The malicious routine and list of accounts are highlighted in these screenshots:

Screenshot 2025-04-14 at 11.11.42 PM.png

Screenshot 2025-04-14 at 11.11.54 PM.png

NaomiNSFW · 2025-04-15T05:08:35-0700

Just spotted the app does this as well.

JavaScript:

if($room.owner == 'enchant_baby')
{
  var admins = _admins.push($room.owner);
}

enchant_baby seems like a fallback account for the developer as this is added in a separate area so if Chaturbate asks them to remove the main admin list this will still exist.

They also have a ban list of certain broadcasters which shouldn't be allowed in any app.

JavaScript:

var _banList = ['olivia...']

This ban list is circumvented entirely though for the specific user enchant_baby and for all admins (including the app developer and all their aliases

NaomiNSFW · 2025-04-15T06:30:14-0700

Ok I got this wrong

. I got one part of the code wrong specifically this bit

JavaScript:

if ($room.owner == 'enchant_baby')
{
  DisplayBroadcasterStats($room.owner);
}

where the app checks if the room owner is enchant_baby not the current user. A small mistake but it makes what I said irrelavant. I wish I could delete the post now but hopefully amber can jump in to delete it.

AudriTwo · 2025-04-15T06:40:34-0700

what a fucking chud. i hope this has been reported to CB.

NaomiNSFW · 2025-04-15T06:54:44-0700

AudriTwo said:
what a fucking chud. i hope this has been reported to CB.

Just sent a report. Assuming Smoker will as well.
Chaturbate need to do a better job of checking for malicious apps especially when it comes to limitcam functionality.

This app has been out at least for 2+ years and it seems to be the largest analytics app out there so it doesn't give you much faith in the app directory as a whole.

Also happy birthday Audri !

SCRIPTA · 2025-04-15T10:30:06-0700

Thank you @smoker919 for bringing this to public attention and with your detailed explanation and screenshots of how it is done.

smoker919 · 2025-04-15T12:07:15-0700

AudriTwo said:
what a fucking chud. i hope this has been reported to CB.

Yes, I'm writing a report and also trying to make a case to the CB development team that a mechanism to trigger app reviews is needed when cause can be shown that an app is more than likely doing something in violation of the App Submission Guidelines.

@NaomiNSFW The app that was released yesterday seems to be a white-labelled version for enchant_baby so that part doesn't worry me. The app doesn't give enchant_baby any special privileges outside their room and it's pretty normal to limit functionality to the room owner for personal, custom, or white-labelled apps.

Iluvablow69 · 2025-04-15T12:59:54-0700

Respect to you Smoker.
That's crazy!

Sometimes I question how much Chaturbate truly cares, however this is giving someone access to a paid service for free.
Hopefully they'll do something about it.

droopla · 2025-04-15T14:10:53-0700

@smoker919 , correct me if I'm wrong
The app itself does not have limitcam features , you can try to add yourself to the limitcam of an other app but that does not work.
That is so in V1 apps and that should be so in V2 apps too. You can not go outside the scope of your own app.
So his code does nothing (with limitcam)

smoker919 · 2025-04-15T16:15:31-0700

droopla said:
@smoker919 , correct me if I'm wrong
The app itself does not have limitcam features , you can try to add yourself to the limitcam of an other app but that does not work.
That is so in V1 apps and that should be so in V2 apps too. You can not go outside the scope of your own app.
So his code does nothing (with limitcam)

You're incorrect, I'm afraid. The $limitcam object is a shared resource belonging to the room, not to any app. So any app can access it and, for example, add users to it. I tested this scenario recently when I was asked to investigate another app so it's fresh for me.

Ideally -- and other developers have advocated for this, too -- a permission would be added to grant access to the $limitcam object to only one app at a time in the same way as only one app at a time can use the broadcast panel.

pbonACF · 2025-04-15T16:34:22-0700

droopla said:
@smoker919 , correct me if I'm wrong
The app itself does not have limitcam features , you can try to add yourself to the limitcam of an other app but that does not work.
That is so in V1 apps and that should be so in V2 apps too. You can not go outside the scope of your own app.
So his code does nothing (with limitcam)

limitcam conflicts exist in V1. Nothing has been indicated in V2 docs that this was changed.

Search

Search

Another malicious app identified: Room Analytics

smoker919

NaomiNSFW

NaomiNSFW

AudriTwo

NaomiNSFW

SCRIPTA

smoker919

Iluvablow69

droopla

smoker919

pbonACF

Similar threads