Omegle is a web app that allows users to talk to randomly selected strangers. It has a video chat feature.

Some people make internet videos about "hacking" into Omegle calls. In these videos, two people are having a video chat on Omegle when the call is "hacked", and a new person appears in the video. This "hacker" scares people by telling them that they've been hacked, and the hacker knows their address. As "proof", the hacker names their city.

(There are probably lots of people who do this type of video, and their exact scare tactics may vary.)

Purpose of this Post

The purpose of this post is to explain how this "hack" can be done.

Why:

• It's interesting.
• By demystifying the process, I hope to make it less scary. In particular, I want people to understand that their computer and their full street address haven't actually been compromised just because someone does something like this.

I'm not making this post to encourage people to do similar things.

I absolutely do not condone publishing videos of this kind of activity without the consent of all involved. Respect people's privacy. Be nice.

This post is not a VPN ad.

Part 1: Hacking the Video

There are two parts to this "hack". The first is the part where the attacker "hacks" the Omegle session to replace one of the parties with themself.

In fact, the attacker was always part of the conversation. You don't need to exploit a flaw in Omegle itself; you just need to launch a person-in-the-middle attack.

For this attack, suppose Eve wants to listen to a conversation between two strangers and possibly insert herself into it.

Setting up the session

Eve sets up two Omegle sessions. We'll call them chat A and chat B. Rather than use her own webcam, she uses software on her computer that allows her to present any video stream as "her own" webcam.

Omegle randomly pairs Eve with Alice in chat A, and with Bob in chat B.

Eve's software takes Bob's video from chat B and uses it as Eve's own video in chat A. Rather than seeing Eve, Alice sees Bob and believes that Omegle has paired her with Bob.

Vice versa in chat B.

Alice and Bob talk to each other, both believing they have actually been paired with each other. Instead, each has been paired with Eve, and Eve is simply relaying their video to each other, while watching the whole time.

This is key because it means Eve didn't hack their connection after it was established. She didn't exploit a technical flaw in Omegle. She was authentically paired with both Alice and Bob and has just been misrepresenting her true identity.

Here's a video demonstrating this PITM setup. (The video does not actually show a chat happening, due to the creator's poor Internet connection.)

Inserting herself

Suppose Eve isn't satisfied with just eavesdropping on a conversation between strangers; she wants to talk to them and scare them.

Eve is already part of the conversation; she's just using a different video stream instead of her own webcam. She always has the option to switch the stream that Alice sees to her actual webcam (or any other video source) instead of Bob's stream.

Part 2: "We know your address"

Omegle (like many web-based video chat services) uses a free protocol called Web Real-time Communication (WebRTC). WebRTC connects users directly to each other, enabling them to see each other's IP address. This is how other Omegle users can find your IP address. Here's a demo.

An IP address gives you some information about someone. It tells you, for instance, their city and which company gives them internet service.

It does not tell you precisely where they are.

Conclusion

If a stranger on a video chat service shows up mid-chat and claims to have hacked you, they probably don't have control over anything other than the chat itself. Most likely, the service paired them with you from the beginning, and they just pretended to be someone else at first.

If you're using web-based video chat, your partner can probably figure out the city where you currently are, but not a precise location.