[RELEASE] Blackmail - Will you fall for my tricks?

[HighFreeman]

Yeah just some additional thoughts:

This one in particular brought a different tone to my assessment and that is the number of lurkers on this forum - mostly it seems to be around 4000 roughly which means if each user stays for half an hour on average about 4000 * 2 * 24 * 2 (days stayed up) *25$ 5% of users who will have gone all the way and been tricked and paid the initial $25 = $480,000

Then you have to consider that typical for blackmail a small amount is demanded first to show that they have a 'live' one and when paid increasing amounts are demanded.

So yes this is definitely illegal and real blackmail by most countries law (including most european countries which is where the author is likely from since the author only accepts Air B'nB vouchers for some European countries).

And yes when I clicked on the button to say I accept to pay $25 if you can trick me I am doing that in what is essentially a game site. I do not expect it to be real and I am not really giving consent for that. I am consenting to it within the 'game' within 'milovana' not anyway else and certainly not consenting for my information to be posted outside of milovana (I didn't think this was possible as you stated at the beginning)

Mainly I'm just worried about the implications for milovana. My country and also the USA (although I am not there) are really just about the intelligence agencies having access to all private communications (and mostly already do). This is the kind of thing that gives them an excuse to shut down or require their access (and since Milovana is quite small they would probably just shut it down). I can't say how good it is to have a site where you can more or less write what you want as long as it respects other users.

I also worry about how often this happens but less visibly.

There are three things I see to take from this:

1. Fix whatever technical problem is allowing information to be taken outside of milovana. Variables should be local to the user. I have not written a tease and don't even know what language is used but this needs fixed and a warning put up until then not to enter any personal information in any tease. I'm just happy I don't think I've ever entered anything that I would regret in any tease ever and probably everyone else should also be thinking about this now. But I did that just to be extra safe ... lucky.
2. Online safety. However horny you are don't put personal information on the internet. There is not any easy solution for this I feel, I have sent nude pictures to people online that I haven't known offline before but that is a personal call for me and only when I feel I'm pretty sure they are genuine (mostly only after a video call) and only because I'm not in a position where I can be blackmailed (for example it wouldn't be the end of the world for me if everyone knew my kinky stuff but I wouldn't be happy about it and might go to the police or take other actions). A warning should be displayed on the website regarding this.
3. The author should offer to repay or refund all monies collected (and should not redeem the vouchers etc. in the first place). IANAL but I think this would go a long way to stopping any legal or police problems from this for you.

I did really like this tease though. I mean it is really real! As I said previously I'm impressed, less so if it's real blackmail since you can just pay someone to do it then and also for moral reasons.

[mistressamber]

Just to clear a few things up, since I don't want misinformation to be spread here:

This one in particular brought a different tone to my assessment and that is the number of lurkers on this forum - mostly it seems to be around 4000 roughly which means if each user stays for half an hour on average about 4000 * 2 * 24 * 2 (days stayed up) *25$ 5% of users who will have gone all the way and been tricked and paid the initial $25 = $480,000

Please don't just throw out numbers like this without thinking it through. By your math, you assume that 384.000 users have played my tease, even though regular teases get around 10-20k views.
And since there are plenty of warnings that this is real, and even recently more added for if the tease were to be put back online, almost nobody is entering real data. Only those who really want to experience this fantasy go through with it.
(And anyone can PM me if they feel uncomfortable, since this is just meant as an introduction to the blackmail fantasy.)

Fix whatever technical problem is allowing information to be taken outside of milovana. Variables should be local to the user.

Milovana does not allow for any data to be taken outside, it is one of the most safe platforms I have ever seen. I was curious myself, as to how it sandboxes the scripting behind teases, so I took a look behind the screens. It's got me amazed on what precautions have been taken and how there is *no* way for data to be sent outside. You can be rest assured that teases on Milovana are safe to enter information into.
Now more into detail of my trick, which is a spoiler for the tease:

Spoiler: show

The trick I use is something you need to be cautious of everywhere on the internet, not just Milovana. That being, not going to random external websites that people tell you to go to.
One thing Milovana could do to protect its users against this, is recognizing urls in tease texts, making it an actual clickable link and when clicked, displaying a message "Warning: Links to external websites could be dangerous."
There's another good solution to fix this, but I'd rather talk to mods in PM about that.

[shy_1998d]

Yes but you knew exactly what you did. The first Two links were clickable cuz they were real links, the third, well was your Trick.
I think you have to narrate what exactly happens on the website your gattering the Informations given in the Tease.

What Informations do you get?
Just from Milovana?
It is multiplatforming, the script is visible on mobile or whatever anything in the Network.

[mistressamber]

Please put spoilers in [ spoiler][/spoiler] blocks, for those who still want to experience this tease if it ever comes up again

I think you have to narrate what exactly happens on the website your gattering the Informations given in the Tease.
What Informations do you get?
Just from Milovana?
It is multiplatforming, the script is visible on mobile or whatever anything in the Network.

As for your questions, my tease says all of these things. The only data I'm getting is the data you enter in the tease, nothing more (since that is not possible).

[rumpelstilzchen]

So I'm not usually active on this forum, but I figured this might be a good time to chime in with my two cents. Some spoilers ahead, in case the tease will actually return.

I'll admit first, that I was indeed tricked and like most people so far I feel a little conflicted on what to think about it. I have to say, that I found it extremely thrilling in the moment, but afterwards I was also a worried about being pushed into real extortion and about the security risks involved.

To start with: The Issue of consented Blackmail is a complicated one in itself I think and people who participate in it are always in a sort of legal grey area to my understanding. Although I'm by no means a legal scholar. However, I'd consider this one to be less on the consent-side, because it was sort of under false pretences and usually consent implies informed consent.

On the other side, I really want to appreciate the work of Mistress Amber and the ingenuity of this Idea. I did not expect this and am seriously impressed. I should also add, that one reason I did not expect this was, that I did not expect such a security flaw from Milovana itself. At this point in time I think it is probably a good thing this flaw was revealed, so it can be fixed in the future.
In a way I also feel sorry for everyone who is a fan of blackmail and really missed out on this one, because it was a good one for sure, but I totally agree, that it was the right decision to take it down for now.

What I am most concerned about now is less the trustworthiness of Mistress Amber, but more the security risks involved. This is some very sensitive information to some and I am not convinced, that it is properly secured.

From where we are, here is what I would suggest doing (these are just some pointers, make up your own judgement. Some have already been suggested):


1. The vulnerability on the side of Milovana should be fixed and marked as a risk up to then (as has already been suggested)
2. Mistress Amber should offer a refund to all people who have been tricked. I say offer, because I think some people are probably fine with it, considering the work put in and that findom is a real fetish for some. I would also refund as a default, if possible, so that people can opt-in to leaving the money with Mistress Amber if they choose to. For those who are into it, it could even be a nice opportunity to find new victims if Mistress Amber wants to. This time maybe with clearer consent.
3. I would not follow any legal action in any way in relation to Mistress Amber at this point. She revealed a serious security risk in Milovana itself and it was kind of impressive. And from what I can tell so far there is no actual maliciousness involved from her side. Also tbh I did enjoy it. Maybe even a little to much

Edit:
I've had a chat with Mistress Amber and it seems she is genuinely concerned about security and put measures in place to prevent abuse. I'm unsure at this point though whether this is sufficient or not. I'm still a little concerned about the server, but that is for people to look in to who have a better understanding of web security than I have. I have removed the point about shutting down the server for now

[shy_1998d]

How is it not possible to gather any other data than those to be filled within the tease?
Your script is hosted on azurewebsites, no?
So you say you cannot gain any ip or any other informations on the website your link leads to?

Your tease will not come back it is not the first one of that kind.
And everytime its someone with a name "Mistress xixj" , leading to a 3rd website or a skypeadress that leads into another random url

[kerkersklave]

I should also add, that one reason I did not expect this was, that I did not expect such a security flaw from Milovana itself.

What is that flaw, that you are hinting at?
From what I understand following the discussion, there was at some point a link you should copy and follow. What is of course possible is that this link contains information you've entered into the tease.
I suspect that this is what has been done. But I have not seen the tease. If this is, what has been used, than this is nit a security flaw and it is almost impossible to avoid. You want users to be able to enter information into a tease and you want the tease to generate custom output based on that information. You yourself have transported this information outside by copying information outside and there is no way to avoid this completely.
One could add clickable links to webteases that cannot contain any generated information. One could try to filter messages for links and block them. But many teases rely on taking people outside, to watch some video, go to some gaming site (like play a puzzle) etc. and teases will direct people to go to other sides. Even if it is not via a link but by instructions: go to following site, enter a certain search phrase, you can encode information into the search phrase and decode it on the other end. If you enter information into the tease and then transfer information from the tease you will never know which information you have transfered in the end.

[Illyen]

EDIT: I had a description of what the tease did here, which I deleted after reading the preceding messages again. It's more of a browser exploit than a security flaw of milovana itself I would say, but I think there's a way to protect at least this site from using it in the future.

(I copied the sourcecode from the tease, which is how I figured out how this tease worked)

[shy_1998d]

It's kinda clever, it encodes your information into invisible characters that you can still copy and paste which their website can then decode to get the actual information out again.

The link in the tease, which looked something like this (not the actual url) https://thisdoesnothing.itsnotreal/puzzle?id=vnMLJ
had these invisible characters between the vn and the MLJ

Still, too much like a phishing technique / browser exploit for my taste.

It literally is. its the same Technique.
You sure know those sites like "youve been hacked call this number xx-xx" , its practically the same method give *azurewebsites a look and youll understand how those sites function.
Also unsure if its just a "browser exploit" since it is actually Cloud based.
If you open the link on another device across your network, could be your phone, even your xbox etc. all informations you typed into the milovana-script will appear.
If you redo the script and give different information it will be ignored, it only stores information from the first time done.
Which is weird, if you test the link in a packet tracer like cisco, the characters will change upon redoing the script, but the information remain the same-

[Illyen]

I edited that out, not sure if that should be readily available information already. Makes it too easy to copy and exploit maybe.

[kerkersklave]

It's kinda clever, it encodes your information into invisible characters that you can still copy and paste which their website can then decode to get the actual information out again.

It literally is. its the same Technique.

Ok, using invisible characters is a bit of an evil idea. One could argue that it is a design flaw in URLs, that these characters are even allowed. But it does not really make that much of a difference. Links to common video sites contain a long unreadable video key, for pornhub something like this. 6590a2269fbf2 If you make it a little bit longer, it is enough to encode a name, address and some further information without it being suspicious. Unvisible characters is something, that could easily be filtered by EOS from the output of webteases. But then clicking a indecipherable link still has the same risk.

If you redo the script and give different information it will be ignored, it only stores information from the first time done.
Which is weird, if you test the link in a packet tracer like cisco, the characters will change upon redoing the script, but the information remain the same-

They probably store the information using a cookie, or use some other way to recognize you like browser fingerprinting (i.e. storing all the information the browser gives you, like version of various extensions, available fonts etc. which becomes pretty unique if you combine enough factors).

[shy_1998d]

They probably store the information using a cookie, or use some other way to recognize you like browser fingerprinting (i.e. storing all the information the browser gives you, like version of various extensions, available fonts etc. which becomes pretty unique if you combine enough factors).

No, there are no cookies on the website. the only thing you have to give access to was your webcam, for an Picture, also the Informations were stored before that option so thats not the triggerpoint.
The website is cloudbased, its upon your network. Which is the dangerous part.

Its 2024 this is not the first "tease" taking an exploit via link, external websites. Liz did it in 2015.
I really have no Idea, why they cannot simply manually public the Teases that include links.
It cannot be that much of a work, its hardly 3 - 5 eos teases a week.
Just check them before allowing them to be released.

[mistressamber]

Talked with the mods, the tease now has extra warning messages making it very clear to everyone that this is not just a fantasy tease, but steps into the real (but still low risk) blackmail fantasy.
Everyone who wants to, can enjoy the tease again

For those who have been asking how it works behind the scenes, here's the technical explanation (spoiler)

Spoiler: show

As some have already figured out, one of the urls you copy in the tease is not what it seems, it includes your data encoded in a way you can not see. Although, if you paste that url into a new tab without pressing enter and take a better look, you can see something fishy is going on there. Let this be your warning about blindly copying links, always take a better look

(I won't be sharing the encoding & decoding logic, since that would make it too easy to abuse for others.)

After that it saves your data in LocalStorage (in your browser, comparable to cookies), so that you can resume the tease and you don't accidentally lose it. It of course also sends the data to my server (in a secure way), so that you can continue the tease on another device.

Part 2 of the tease, the website, is a React application. The backend server is created on Azure, with a Static Web App and using Azure Functions, with a MongoDb as database and a Blob Storage for the images.

Everything is made with security in mind, since we're dealing with sensitive data. If someone has more questions about the security aspect, feel free to ask!

Teasing kisses,
Mistress Amber

[DuctTapeTwist]

Really glad to hear that it's back up. Can't wait to experience it entirely.

Thank you for the tease.

[peachtits]

I literally just joined to make some webteases as I only tend to do some of the older style ones that no one ever makes anymore. So I haven't done this particular tease.

I would imagine, unless there is a big warning and a link to how you hold and process the data, that you would be breaching EU GDPR laws at the least. Milovana, as would be considered the data collectors, would also be liable for how that data is processed and used by a third party.

You too could see yourself with a hefty fine and potentially criminal charges based on what you have done. People cannot consent to being vicitms of crime, at least in most EU countries.

I hate to be a killjoy but if I was someone who owned or worked for Milovana I would taking the tease down and telling you to destroy all the data you've already collected. If you then removed the data collection from your own server and kept the data local I imagine it would be fine.

In the very least, if they're happy with any new warnings, I would be deleting and publicly confirming that any data already collected has been destroyed.

With that said, I may now give this a go to see what the fuss is about.