18 comments

[ 3.3 ms ] story [ 49.5 ms ] thread
uhh. trivial HTML injection, "trust us" security model. lame.
Where is the server source code? I'm not seeing where messages are stored/transmitted to clients?

Also https://github.com/bmmayer/ephchat/issues/2

You criticized about the random code generation function. Could you explain why it is bad? Though I code, I am no expert and would really like to know.
This is the offending code: https://github.com/bmmayer/ephchat/blob/ec375c7974ea825f887f...

This is the proper way to do it (h/t @tptacek): http://sockpuppet.org/blog/2014/02/25/safely-generate-random...

mt_srand() + rand() is just hilarious. The md5(uniquid()) thing is a common randomness anti-pattern in PHP projects that needs to die in a fire.

In PHP, a very brief example of the code to achieve the proper way of generating randomness looks like the snippet I posted in the issue.

This is not secure at all. I expected some kind of XMPP-OTR stuff...
The text I type to the room is cached locally.
Is firebase even open source? How is this anonymous? Does anyone know what data firebase collects from its users?
This is misleading - it uses Firebase for the server! How can the OP claim that the server is not storing messages if the OP doesn't control the server?

I have no reason to trust that Firebase isn't storing the messages. Why should I?

Judging by the other comments, this is a good example of all the ways not to build such a system.
1. Open ephchat.

2. Click change name.

3. Paste the following contents and hit enter.

  <img src="#" onerror="javascript:void(function(setVal,sendClick,text){setVal.value=text;sendClick.click();}(document.querySelector('#chatText'),document.querySelector('#chatButton'),'hello'))"/>hi
And this is why you absolutely never trust user input.