AmberCutie's Forum
An adult community for cam models and members to discuss all the things!

How to deal with malicious CB apps?

  • ** WARNING - ACF CONTAINS ADULT CONTENT **
    Only persons aged 18 or over may read or post to the forums, without regard to whether an adult actually owns the registration or parental/guardian permission. AmberCutie's Forum (ACF) is for use by adults only and contains adult content. By continuing to use this site you are confirming that you are at least 18 years of age.
Sep 2, 2024
30
5
6
This is a question I hope that @punker barbie can help with, please.

I have clear proof that there is malicious functionality contained in one or more CB apps. I know the username of an alt account used by the developer to execute said functionality and a list of the apps running in a room where this functionality was executed. Using the list of apps I can narrow down who the developer actually is.

My question is: even with clear proof of malicious behaviour by apps, how can one get CB to take it seriously enough to take action, i.e., to remove the apps and ban the developer?

Thank you!
 
I hope not. My all-in-one-app, Synergy, can not function in the v2 API. After 5 years of almost constant updates, I'd be rather upset to see them cut the v1 apps "just because."

Cheers,
Cexmental
 
  • Helpful!
Reactions: Rytar
Upvote 0
I hope not. My all-in-one-app, Synergy, can not function in the v2 API. After 5 years of almost constant updates, I'd be rather upset to see them cut the v1 apps "just because."

Cheers,
Cexmental
I've suspected for a while that they might choose to sunset V1 apps, though that will likely create a lot of chaos. The V2 app submission guidelines send the message that they know that V1 apps are not safe and have been used in multiple malicious ways that they have actively suppressed in the V2 framework.
 
Upvote 0
I've suspected for a while that they might choose to sunset V1 apps, though that will likely create a lot of chaos. The V2 app submission guidelines send the message that they know that V1 apps are not safe and have been used in multiple malicious ways that they have actively suppressed in the V2 framework.

Another difference in v2 is that many v1 apps' code are obfuscated, functional but unreadable. This is in violation of v2 App Guidelines:

"code should not be obfuscated. If your app's code is obfuscated, it may be delisted. You can find the App guidelines on the Introduction page in the Developer Portal documentation."

So v2 apps, developed in the new IDE, are readable to CB staff, making it more difficult to hide malicious features.

Some decades ago I thought COBOL would take me to retirement. Not so :) We always have to upgrade our skillset and not become too attached to our tools.
 
Upvote 0
Screen Shot 2024-09-17 at 6.31.40 PM.png

This is a conversation from just a few minutes ago with i0_ol, the author of The Menu, admitting to his app having backdoor commands. Feel free to pass this on to anyone you want. I will be submitting a ticket to CB Support now.
 
  • Like
Reactions: vivo
Upvote 0
I was in a room once who used a secret shovv app - I guess they meant secret show.
They started a hidden / ticket show, and it immediately added me to the show for free, along with about 50 other people haha
Not good for the model I know, but I love that app now haha (It's a joke, no hate)

However, being able to secretly silence Users is crazy.
I have seen that app in so many rooms, I have never personally experienced it though.
Who knows, maybe I just assumed the model doesn't read her chat and moved on. Pretty bad if it's true though.
 
Upvote 0
well, then it might explaining some people saying that i ignore them, or that im busy with something when clearly as no nude, im just sitting there and chatting with them, mostly... wait, so we shall not use the menu... are we talking about v1 or v2 apps?
 
Upvote 0
well, then it might explaining some people saying that i ignore them, or that im busy with something when clearly as no nude, im just sitting there and chatting with them, mostly... wait, so we shall not use the menu... are we talking about v1 or v2 apps?
I encountered this behaviour with the V1 app, but I assign it to the developer so I won't trust any of this apps, V1 or V2.
 
Upvote 0
As both a model and a viewer, I have seen a TON of the issues described here in my room, rooms I visit and rooms I moderate. I am now on all V2 apps and I am ruthless about banning suspect viewers. One of the rooms I mod, it took the Model and I almost a week to sweep out and clean up. Once we did, her room pops from maybe 100-200 to over 700 viewers and her tips are flowing.

Speaking as a model, we have to do a lot better job of choosing and working with our moderators so they know what to look for and help us keep things going.

I also work in IT, Enterprise Architect and *nix greybeard. While many models are tech savvy, I see a lot of cognitive bias that they think they understand technology better than they really do. Not sure how we can educate better cybersecurity awareness for models?
 
Upvote 0
You have the wrong understanding of what a blacklist is in this context. Say he puts your big tippers on his blacklist, and when they find themselves being ineffective in your room because no one is responding to their chat (because no one but themselves can see their chat messages) then they would feel disrespected and leave and you would lose their patronage. That's the real harm: not individual users losing their ability to chat, but models not having control of their rooms.
Almost all tippers use tip notes, PMs, pvts, and off site, inappropriately blocked messages would quickly be exposed. But I'd agree that the models should be able to see the code. ChatGPT can probably tell them if there is anything unusual if they ask the right questions.
 
Upvote 0
Almost all tippers use tip notes, PMs, pvts, and off site, inappropriately blocked messages would quickly be exposed. But I'd agree that the models should be able to see the code. ChatGPT can probably tell them if there is anything unusual if they ask the right questions.
I've had my stream knocked offline. I've had my stream while running appear to be offline. The number of
I encountered this behaviour with the V1 app, but I assign it to the developer so I won't trust any of this apps, V1 or V2.
Have you had any luck with your CB support tickets?
 
Upvote 0
I sent details to @punker barbie in a PM over 3 weeks ago.
Support has confirmed that they have received your email and is currently being looked into. We appreciate your patience. Support will get back to you as soon as possible.
 
Upvote 0
so i had a incident 10/19/2024 with a model i moderate for with one of the apps, i was a new moderator for her and i was going to tell her that she should consider changing her apps made by kentosf2511 and i0_ol because of how malicious those apps are. so on that date i went to go moderate the model and she was getting the message “ Tip Goal Bot Unloaded due to trevthevaper being moderator remove trevthevaper as moderator and restart the bot or use another”, so she removed me and contacted me via Telegram and told me about the situation and was wondering how she could get rid of this problem. so i told her to remove any app she had that was made by kentosf2511 and i0_ol, then start using apps developed by smoker919 and the issue was resolved and she reinstated me as her moderator, i also attached a photo of what the malicious bot was saying.
 

Attachments

  • IMG_1532.jpeg
    IMG_1532.jpeg
    60.8 KB · Views: 33
Upvote 0
so i had a incident 10/19/2024 with a model i moderate for with one of the apps, i was a new moderator for her and i was going to tell her that she should consider changing her apps made by kentosf2511 and i0_ol because of how malicious those apps are. so on that date i went to go moderate the model and she was getting the message “ Tip Goal Bot Unloaded due to trevthevaper being moderator remove trevthevaper as moderator and restart the bot or use another”, so she removed me and contacted me via Telegram and told me about the situation and was wondering how she could get rid of this problem. so i told her to remove any app she had that was made by kentosf2511 and i0_ol, then start using apps developed by smoker919 and the issue was resolved and she reinstated me as her moderator, i also attached a photo of what the malicious bot was saying.

@punker barbie

DJ Lovense Tip Goal and Horny Tip Goal, both maintained by kentosf2511 (though the latter is published under a different username), contain multiple blacklists. When the app detects that someone on a particular blacklist is made moderator, those spam messages are triggered and then the app errors itself to death, effectively denying the broadcaster the opportunity to be in control of the decision who to make moderator, but also often interfering with the broadcast itself because goals are lost.

This is very easy to reproduce and it's another example of malicious app behaviour that CB needs to investigate and act on in order to protect broadcasters.
 
Upvote 0
@punker barbie Despite the very weak response from CB Support, i0_ol/beaver_squeezer has continued a pattern of harassment that I have documented and submitted in a separate ticket. Given that CB Support said that he has been issued "a first and final warning", I hope some real action will be taken this time.
 
Upvote 0
I use Baby Tip menu by mmmnnn32 and also Lovense Dream by noiett. These seem to be widely used. I’d rather not have to make my menu again, so are these apps safe even though they’re v1?
 
Upvote 0
I use Baby Tip menu by mmmnnn32 and also Lovense Dream by noiett. These seem to be widely used. I’d rather not have to make my menu again, so are these apps safe even though they’re v1?
The Baby Tip menu by mmmnnn32 is a V2 app, so you should be safe. However, Lovense Dream is V1 and noiett hides the source code. I would never trust a V1 with hidden/obfuscated code.

<rant>I love how CB claims V2 apps are "Open Source", but still gives authors the ability to hide the code. I don't think CB understands what "Open Source" means.</rant> However, I believe, but may be wrong, that CB staff check for malicious code in V2 apps.
 
Upvote 0
The Baby Tip menu by mmmnnn32 is a V2 app, so you should be safe. However, Lovense Dream is V1 and noiett hides the source code. I would never trust a V1 with hidden/obfuscated code.

<rant>I love how CB claims V2 apps are "Open Source", but still gives authors the ability to hide the code. I don't think CB understands what "Open Source" means.</rant> However, I believe, but may be wrong, that CB staff check for malicious code in V2 apps.

Saying you do not trust all projects because that code is hidden is unfair and very judgemental. I would wager you have many apps installed on your mobile device or computer that you have never seen the code for. You're assuming 'hiding code' is a method used to exploit you. I would wager in most cases that author is just trying to protect months (or years) of work and unwilling to give that project away for free. Have you read both of the CB APIs and are you familiar with JavaScript? Everything "negative" you could accomplish in the v1 API is 100% possible to accomplish in the v2 API. Additionally in the v2 API, a *malicious* developer could now serve a public overlay (saying/showing/doxing anything), store data indefinably, and access new stats like tokens earned from spying.

A *malicious* developer doesn't care what API they are coding for. They only care to know which you'll trust more, so they can get you to run their code.

Hiding code is the only way to protect it from a community that *borrows* while ignoring opensource licenses. Copyright issues come into play as well.

Cheers,
Cexmental
 
  • Like
Reactions: Rytar
Upvote 0
Saying you do not trust all projects because that code is hidden is unfair and very judgemental.
I only say this about V1 apps, in which case I am unfair and judgmental AF. However, it is my understanding that starting with V2 apps undergo code review, so hiding the code isn't as much of an issue with V2 apps. There have been enough malicious V1 apps released that it is better safe than sorry. For every V1 app with hidden/obfuscated code there are dozens that do the same thing with open source code. Why expose yourself to potential risks?

I would wager you have many apps installed on your mobile device or computer that you have never seen the code for.
I may not have seen the code, but I use iDevices and Apple has reviewed the code for me.

Have you read both of the CB APIs and are you familiar with JavaScript?
Yes to both, although I have not played around with the V2 API. It may still be possible to write malicious apps, but hopefully CB is rejecting those now.

Cheers
 
Upvote 0
To what level have you read and understand implementing the CB API to fear code that you can not see? These apps & bots are very low level and basic JavaScript that's extremely limited by design of the APIs. The only real malicious acts are nuisances are best, easily avoided by swapping to one of another 1,000 identical bots.

@cexmental maybe you can make a list of things bots and apps can do that could be used negatively. There are a ton of people spreading ridiculous rumors right now and they actually believe the bots and apps they use are to blame for their low traffic.

OK!

The V1 API has two benefits. Dynamically populated interfaces and much more accurate timers.
The V2 API has two benefits (currently). Persistent storage and overlays.

Which Syntax you like is your choice. Both get the job done and in almost identically the same way. Which design method you prefer is also your choice, although I can easily argue for the more powerful dynamic population of the V1 API.

How it all works... The CB API is a walled garden that allows you to trigger certain code when a CB website event occurs. CB triggered events include things like 'when a user enters your chat room', 'when a user tips', etc. While other CB events occur automatically like room info (EG: the current cost for private). When one of these CB events happens, you get access to certain things related to that event.

Here are examples...
A user tips >> triggers the tip event >> the app/bot code will gain access to information related to that tip. This includes things like the username, the amount that user tipped, etc.
A user types >> triggers the message event >> the app/bot code will gain access to information related to chat. This includes the username, the user type, what was typed, the color of their font, etc.

Each event can provide different information, event specific information, or similar information. With that information you set-up your app or bot to respond in some way. The code could shoot out a thank you message, or provide the king a crown icon, or execute a complex series of code to move a game along, etc.

If you want to know exactly what events can occur and what info each event provides:
V1 API: https://chaturbate.com/apps/docs/index.html#programming-documentation
V2 API: https://devportal.cb.dev/wiki/introduction

The following by no means represents a full list and I'm more intimately familiar with the legacy API. I'll try to give some examples for both use case scenarios.

Chat can be muted, changed, or redacted. Chat fg/bg color can get changed. A users can get assigned an emoticon, emoji, or title. Users can be sent private notices (NOT a PM). Tips can be ignored from the app/bot (not other apps/bots). Hidden cam access (not other apps/bots). An app/bot could alter color settings of another bot. Persistant storage exploits*. Overlay exploits*. 3 line panel exploits.

* V2 API ONLY

Apps/bots can not control your traffic, who is in your room, stop you from receiving tips, access your PMs, stalk your users, shadow ban (or whatever), hide your media, hide you from the front page, change the CB ranking, access your personal computer, change your CB bio or settings, know who you take private, know the amount of tokens a user has, etc. They are truly slimplified and limited by design.

Usage Examples Bad:
I could block your mods, or known top tippers, or a user I'm jealous of, etc. I could block users by color or beacause of things they say that I do not agree with. I could alter a user's words and make them say what I want. I could assign an unrewarding emoticon/icon/title to a user. I could make chat black-on-black or white-on-white. I could ignore the tips of a user from affecting the app/bot games, goals, status lists, stats, etc. I could change goals, end games, or pick winners. I could send private on-enter messages that doxes you, to all users but mods, fanclub, and your known supporters/tippers. I could hide your cam. I could give any user access to your hidden cam show. I could remove users from access or take away their ability to buy a ticket. With the V2 API, I could save stats about all of your users, including tips, dates, times, tip-notes, privates, etc, for years! Maybe I alter that info, change stats, or delete your datebase because I feel like it. The V2 API could also be used to present anything as an overlay. I could post personal photos, dox you, or make fun of your users on your live cam feed. I could put an inappropriate message or photo on your panel, and show it only to specific users.

(I can't really think of much else that could be done that won't be a remix of what I already typed).

Usage Examples Good:
I could block only spammers using an extensive black-list of 10,000 items. I could highlight special users who treat you the best with friendly messages. I could give your users a font they like, in a style they want, with colors they personally enjoy using. I could assign a rewarding emoticon/icon/title to your best tippers. I could allow tips to flow naturally and not alter them in anyway, instead collecting stastistics, outputting helpful messages, and displaying advertising the helps you earn more money. I could send friendly messages to all non-fanclub members asking them to support you by joining up. I could help you to hide your cam when you want, as a hidden cam show, and provide tickets to users who you deem appropriate while selling time by the minute to everyone else. I could organize stasticial information and present it in a way that helps you identify patterns to better earn more money. I could use the overlay system to present a game or a very friendly thank you to your latest tipper! I could display a gif image of your favorite nudes on the panel for 1 minute to users who tip a specific amount.

If anyone has any questions, please let me know.

Bottom line, do not use CB apps/bots that run on a site other than CB, ask you to install a browser add-on, or require you to install anything on your computer. The CB API bots can not harm you, only cause a nuisance. You have thousands of choices, if you're not sure, try a different app/bot. Please do not fear V1 apps/bots and assume they are any more malicious than V2 apps/bots. There are many amazing V1 apps/bots worth checking out!

Cheers,
Cexmental
 
Upvote 0