Shapes, Inc. Informative Report

Shapes, Inc. Informative Report

0xF41L5AF3

User Discrepancy Note – Anonymization for Author Safety

This document has been intentionally anonymized using a Large Language Model (LLM) to protect the identity and safety of the original author. Specific names, direct references, and identifiable patterns have been generalized or redacted to reduce the risk of retaliation, harassment, or doxxing.

This process does not alter the substance or intent of the original content but ensures that the author remains shielded from potential personal or professional harm resulting from public disclosure.


Details

Shapes, Inc. is a multi-platform chatbot service operating across Discord, Email, and social media channels. The service became publicly accessible around 2021 (exact date pending verification).


0xF41L5AF3 is a project working in partnership with various groups to safeguard the confidentiality and safety of individuals. This report is publicly shared to raise awareness among both potential and current users regarding inadequate security practices and the creation of content that could quickly breach legal standards. All information provided in this documentation comes from anonymous sources. Any attempts to compromise anonymity will trigger countermeasures to expose and report the attack on our informants.


Known Security Incidents

*Note: All referenced links in the incidents below are defanged for safety.*

1. Incident A – Man-in-the-Middle (MitM) attack resulting in information disclosure

2. Incident B – SQL injection vulnerability involving third-party telemetry tooling

3. Incident C – Improper client-side administrative authentication

4. Incident D – Inadequate filter enforcement and associated technical issues


Unaddressed Incident

In private discussions with executive leadership, multiple chatbot instances were reported to be used for distributing illicit material involving minors. This was disclosed via secure channels but was not acknowledged or responded to despite the severity of the issue. Transcript logs of these discussions are archived under: Internal Message Records, redacted screenshots will be provided where needed.

https://ibb.co/YBkQhLfM


Recruitment Context

During the disclosure process of the incidents listed above, a senior executive extended an ambiguous job offer described only as involving "random hours." Following this, all communications—including those related to unresolved security vulnerabilities—ceased without explanation.


Additional Context

As described in Incident D, the organization lacks effective content moderation controls, potentially allowing prohibited material to propagate. Furthermore, the platform collects personally identifiable information (PII) from underage users via OAuth2 and SSO integrations (Discord, Google, and social platforms), including email addresses, names, and possibly phone numbers.

There appears to be no meaningful age verification in place, potentially violating U.S. child privacy laws such as COPPA and CCPA. This lack of oversight may also conflict with similar international regulations.


To remain compliant with child privacy legislation, organizations are expected to implement robust age-verification systems. Regulations such as COPPA in the U.S. and similar frameworks in the U.K. and California mandate safeguards for processing data belonging to minors.

– Source: IAPP – Kids and Teens Online Privacy and Safety




Incident A

Initial Report:

  1. A man-in-the-middle (MitM) vulnerability was identified in the chatbot training request mechanism. By intercepting and modifying requests to the training endpoint, it was possible to trigger unintended behavior using falsified bot identifiers (e.g., ID 0). Although this did not appear to initiate any actual training, it caused undefined behavior—later confirmed during testing to result in temporary message context corruption. This led to random chatbot instances generating malformed or nonsensical responses.
  2. The application's session cookie (appSession) was found to expose details about the encryption algorithm and mode used. Specifically, the disclosure that AES-256-GCM was in use could assist an attacker in evaluating potential cryptographic weaknesses, particularly around IV (Initialization Vector) handling—an issue discussed in relevant cryptography forums. It was advised that such metadata be excluded from the client-side token, as the backend can infer it internally. Although acknowledged, this recommendation was ultimately disregarded and no changes were implemented.
  1. Incident B
  2. Incident D



Incident B

Initial Report

  1. During a routine inspection of the bot management dashboard for vulnerabilities that could be leveraged by an attacker, an exposed Webpack directory was discovered. Within this directory, a client-side admin authentication mechanism was found—indicating a critical flaw in access control practices.


The presence of client-side authentication suggested that administrative privileges could potentially be spoofed or bypassed without proper server-side validation. This vulnerability was reported to the relevant technical leads and organizational contacts at the time. However, the response was either unacknowledged or dismissive, with claims that the component was "not in use." Despite these assertions, the file in question continued to be actively updated, coinciding with changes in the administrative and moderation team.

https://ibb.co/4ZTPXsdH


Note: Proof-of-concept exploit code was created approximately three months after the initial disclosure but was later deleted and is no longer available. The current status of this vulnerability requires revalidation.



Incident C

Initial Report

A potential SQL injection vulnerability was identified within the error monitoring endpoint (referred to here as the Sentry Tunnel). This issue could allow an attacker to impact system availability or compromise user confidentiality through crafted query manipulation. The vulnerability also introduces the risk of user fingerprinting based on server response behavior.

Proof of Concept

  1. The initial discovery was made using automated security testing tools such as OWASP ZAP, targeting the organization’s primary domain.
  2. The vulnerability can be tested (if still active in production) by submitting a specially crafted HTTP request to the monitoring endpoint:
POST https[://]shapes[.]inc/monitoring?o=1024797&p=case+randomblob%28100000%29+when+not+null+then+1+else+1+end+ HTTP/1.1

3. A successful reproduction will typically result in a delayed server response, indicating the backend is processing the injected payload—suggestive of inadequate input sanitization.



Incident D

Initial Report

While testing the platform's handling of content and payload integrity, several critical issues were identified that pose risks to system stability and user safety:

  1. The platform does not adequately validate input from its management dashboard, enabling potential denial-of-service (DoS) attacks. Malformed or excessively large payloads can cause the service to slow down significantly or become unresponsive.
  2. The system lacks effective filtering of large language model (LLM) prompts—referred to as "backstories" or "personalities"—which allows for the creation of bots that may produce content involving harmful, illegal, or ethically inappropriate material. This includes instances of self-harm encouragement and references to abusive or criminal themes.

Proof of Concept

Prompt Abuse Test

  1. A prompt was crafted to simulate abusive behavior in the model's output. While exact content is redacted for safety, visual artifacts of both the prompt and the resulting response were preserved. Minor alterations may be required to bypass shallow filters.

https://ibb.co/jP7sPMhP

https://ibb.co/8D8RTH2J

Improper Payload Validation

  1. When submitting a malformed payload to the bot creation endpoint, the server initially responds with an HTTP 500 error. Repeated submission of this payload causes the service to degrade or temporarily crash, confirming susceptibility to DoS via poor input validation.
{"name":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa... (999 KB left)

*Note: Above payload is intentionally not finished


'Lack of Content Filtering on Naming Fields

  1. The system fails to moderate or sanitize user-generated names and identifiers both at creation and post-creation stages. This permits the use of offensive, harmful, or misleading terms in bot metadata.

https://ibb.co/k2gqT98k

https://ibb.co/S7GgDqWq



Text-Formatted Message Logs

Incident A Logs

@[REDACTED] — 11/26/23, 00:06

Hey Anushk! I know this is a bit out of the blue for a DM, but I was poking around your API for Shapes.inc/CircleLabs, and noticed two things:

1. Being You can MITM the requests to training and submit a successful request to a falsely ID'd bot (i.e. ID `0`) and it will "train." Although this doesn't seem to actually "train" the bot (or any bot for that matter) it is undefined behavior which _might_ actually be harmful. This one I'll actually poke around more with alts to confirm any danger

2. In the Session Cookies (specifically `appSession`) you guys drop the Encryption Type and Method for your cookies which allows for an attacker to gauge how to break you security. Whilst using AES256 is good, you're exposing that it's GCM and does have a known exploit to IV (Initialisation Vector) cracking as [explained in this stackexchange](https://crypto.stackexchange.com/a/68525). I'd recommend because you _already_ know the encryption and method, to remove those from the cookie, and just keep the UAT and IAT values (see attached image) [Note: Image removed for security concerns]


@anushk — 11/27/23, 01:03

Hi hi

Thanks for messaging!


@[REDACTED] — 11/27/23, 01:05

Heya! And no probs lol

I was experimenting with point 2 earlier on in the week so I thought to disclose that one since you can bruteforce an IV but also reverse GCM (it’s CTR + GTag) without ever trading keys


[No Response From Here]


Incident B Logs

@[REDACTED] — 2/18/24, 20:03

I found the funny Client-Side Admin Auth lol

[Image can be found in Incident B]

You guys may want to shift that to be API-side since it's doing ownership testing on the browser and you could potentially override the admins object (I'm too lazy to do it, personally) and have the same privs


[No response to the vulnerability]


Incident C Logs

@[REDACTED] — 2/18/24, 21:03

I uhhh, found a possible SQL Injection vuln too, in your site's monitoring-

`POST https://shapes.inc/monitoring?o=1024797&p=case+randomblob%28100000%29+when+not+null+then+1+else+1+end+ HTTP/1.1`


@anushk — 2/19/24, 11:55

thats sentry

i think they should have something in place

btw do u wana join us lol

can use ur help in fixing things and building shapes


@[REDACTED] — 2/19/24, 11:56

Easy, I’ll snoop a bit on that path if you don’t mind, and pass it to them if I find something


@anushk — 2/19/24, 11:57

yeh

https://ibb.co/rGwNBbbC

thats our config


Job Offer Logs

@anushk — 2/19/24, 11:55

btw do u wana join us lol

can use ur help in fixing things and building shapes


@[REDACTED] — 2/19/24, 11:57

Sure if you don’t mind, I am in [REDACTED] so it’s a bit of a time difference lol


@anushk — 2/19/24, 11:58

that's fine

we work random hrs anw


@[REDACTED] — 2/19/24, 11:59

Pog


@anushk — 2/19/24, 11:59

when are u graduating btw?


@[REDACTED] — 2/19/24, 12:01

I finish the bachelor itself in [REDACTED] but I’ve been working in dev stuff so I skipped a few classes


[No Response From Here]

Report content on this page

Report Page

Please submit your DMCA takedown request to dmca@telegram.org