Your IMVU project files are not safe!

I hate to be the bringer of bad news. IMVU tries to protect your project and asset files through “security by obscurity”: your Cal3D files (XMF, XSF, XAF, etc.) are encrypted in the local cache (the C:\Users\{your login}\AppData\Roaming\IMVU\HttpCache folder), while PNG and JPG files are merely renamed. When you upload a project, the Cal3D XML files are converted to a binary format, which is not human-readable.

That may sound okay to you, but with the release of IMVU Next, IMVU created a way to download project files, including all of the contained assets. You don’t even have to be logged into the IMVU website to download them! It turns out that IMVU hosts all of our creations on Akamai’s servers.

How it works is actually quite simple. Let’s take one of my products as an example of how easy it is to clone an existing project to your hard drive: my “Kneel” product, which has about 10 or so triggers as XAF animations. Its URL is https://www.imvu.com/shop/product.php?products_id=38219580, so the product ID is obviously 38219580. You can get the manifest of this product from the following Akamai URL:

https://userimages-akm.imvu.com/productdata/38219580/1/_contents.json

This JSON file contains a listing of all the files that are included in this product. In this case you’ll find a single file, index.xml.

[{"name":"index.xml"}]

It turns out you can take a peek into index.xml as well using the following URL: https://userimages-akm.imvu.com/productdata/38219580/1/index.xml and it will show the following (you might have to “View Source” to see it):

<?xml version="1.0" encoding="UTF-8"?>
<Template>
<__DATAIMPORT>product://32678253/index.xml</__DATAIMPORT><ParticleSystems>
</ParticleSystems>
</Template>

What you see here is that product 38219580 derives from product 32678253, which is hidden in the catalog. It’s not hidden to would-be product thieves, though. Let’s take a look at _contents.json for this hidden product: https://userimages-akm.imvu.com/productdata/32678253/1/_contents.json. And you’ll see the following:

[
  {"url":"1b3275a8c43589825a9d355b186e2038.xaf","name":"SkeletalAnimation.xaf"},
  {"url":"2046fdaeab5fc9882398a825abe3b5cd.xaf","name":"SkeletalAnimation2.xaf"},
  {"url":"7079ee19cdc7f1ce50a1b6d0e64fc48c.xaf","name":"SkeletalAnimation3.xaf"},
  {"url":"a6f6ab7080f168754bf7489ac04d48d8.xaf","name":"SkeletalAnimation4.xaf"},
  {"url":"2d94f54fcb63de78187601417fc7d22c.xaf","name":"SkeletalAnimation5.xaf"},
  {"name":"bk0.xaf"},
  {"name":"bk1.xaf"},
  {"name":"bk2.xaf"},
  {"name":"bk3.xaf"},
  {"name":"bk4.xaf"},
  {"name":"bk5.xaf"},
  {"name":"index.xml"}
]

Here you can plainly see the files that are tucked away on the open server. Each entry has a “url” property and a “name” property; when only “name” is present, the stored file name and the display name are the same. So if you were to download the first file, https://userimages-akm.imvu.com/productdata/32678253/1/1b3275a8c43589825a9d355b186e2038.xaf, the browser would offer it as a download; rename it to SkeletalAnimation.xaf and you’d have my animation file on your computer. The same holds true for PNG, JPG, and the other Cal3D files. In fact, if you were to download and rename all of them, compress them into a ZIP archive and change the file extension to .chkn, you could open it in IMVU Create Mode and submit it as if it were your own work. Horrifyingly, it only took me about 15-30 minutes to write a simple JavaScript to automate this process on a web page.
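To make the manifest format concrete, here is an added Python example (it is not the author’s JavaScript and not IMVU’s code) that parses the _contents.json and index.xml samples quoted above, resolves the url/name mapping and follows the __DATAIMPORT link, entirely offline on strings embedded in the script, with no requests to the CDN. A creator can use it to see exactly what a manifest reveals about a product: which assets are stored under their real names and which are merely renamed to a hash. The “32 hex digits plus extension” pattern used to spot renamed assets is my assumption drawn from the samples above, not a documented IMVU rule.

```python
import json
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Sample data taken from the page: the index.xml of product 38219580 ("Kneel")
# and the _contents.json manifests of 38219580 and of its hidden parent 32678253.
KNEEL_INDEX_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Template>
<__DATAIMPORT>product://32678253/index.xml</__DATAIMPORT><ParticleSystems>
</ParticleSystems>
</Template>"""

KNEEL_CONTENTS_JSON = '[{"name":"index.xml"}]'

PARENT_CONTENTS_JSON = (
    '[{"url":"1b3275a8c43589825a9d355b186e2038.xaf","name":"SkeletalAnimation.xaf"},'
    '{"url":"2046fdaeab5fc9882398a825abe3b5cd.xaf","name":"SkeletalAnimation2.xaf"},'
    '{"url":"7079ee19cdc7f1ce50a1b6d0e64fc48c.xaf","name":"SkeletalAnimation3.xaf"},'
    '{"url":"a6f6ab7080f168754bf7489ac04d48d8.xaf","name":"SkeletalAnimation4.xaf"},'
    '{"url":"2d94f54fcb63de78187601417fc7d22c.xaf","name":"SkeletalAnimation5.xaf"},'
    '{"name":"bk0.xaf"},{"name":"bk1.xaf"},{"name":"bk2.xaf"},{"name":"bk3.xaf"},'
    '{"name":"bk4.xaf"},{"name":"bk5.xaf"},{"name":"index.xml"}]'
)

# Assumption: a stored name of 32 hex digits plus an extension is a "renamed" asset.
# The name is obscured, but the bytes behind it are served exactly as uploaded.
_OBSCURED_NAME = re.compile(r"^[0-9a-f]{32}\.[A-Za-z0-9]+$")


def parse_manifest(contents_json: str) -> Dict[str, str]:
    """Map each asset's display name to the file name stored on the CDN.

    An entry with only a "name" property is stored under that same name.
    """
    mapping: Dict[str, str] = {}
    for entry in json.loads(contents_json):
        name = entry["name"]
        mapping[name] = entry.get("url", name)
    return mapping


def is_obscured(stored_name: str) -> bool:
    """True when the stored name is a hash-style rename rather than the original name."""
    return bool(_OBSCURED_NAME.match(stored_name))


def parent_product_id(index_xml: str) -> Optional[str]:
    """Return the product id named by a __DATAIMPORT element, or None if there is none."""
    root = ET.fromstring(index_xml.encode("utf-8"))
    node = root.find("__DATAIMPORT")
    if node is None or not node.text:
        return None
    ref = node.text.strip()
    prefix = "product://"
    if not ref.startswith(prefix):
        return None
    return ref[len(prefix):].split("/", 1)[0]


def exposure_report(product_id: str,
                    manifests: Dict[str, str],
                    index_xmls: Dict[str, str]) -> List[str]:
    """List every file the CDN would serve for a product and the products it derives from.

    Works only on data handed in as strings (no network access): manifests maps a product
    id to its _contents.json text, index_xmls maps a product id to its index.xml text.
    The __DATAIMPORT chain is followed until a product with no known manifest or index.xml,
    or until a cycle is detected.
    """
    report: List[str] = []
    seen = set()
    pid: Optional[str] = product_id
    while pid is not None and pid not in seen and pid in manifests:
        seen.add(pid)
        for name, stored in sorted(parse_manifest(manifests[pid]).items()):
            tag = "renamed" if is_obscured(stored) else "plain"
            report.append(f"{pid}/{stored} -> {name} [{tag}]")
        pid = parent_product_id(index_xmls[pid]) if pid in index_xmls else None
    return report


if __name__ == "__main__":
    for line in exposure_report(
        "38219580",
        {"38219580": KNEEL_CONTENTS_JSON, "32678253": PARENT_CONTENTS_JSON},
        {"38219580": KNEEL_INDEX_XML},
    ):
        print(line)
```

Running the script prints one line per file the manifests expose, thirteen in total for the “Kneel” product and its parent; the “renamed” tag marks assets whose only protection is the obscured file name, which is exactly the point the post makes about security by obscurity.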

This should be terrifying news to IMVU creators; I’m terrified by it myself! But I just had to show how easy it is to crack IMVU products. There’s nothing anyone can do about it, because the IMVU Next SPA (single page app) has to be able to download these files freely when you’re trying on products.