  1. #1
    Deleted

    A public apology for calling MMO-champion out on security issues

    https://twitter.com/realnzall/status/471006142349725696

    After reading a whole lot of Troy Hunt's posts on website security, I ended up checking the mmo-champion cookies to figure out how security is handled here.

    What I found was sobering. As you can see right now in your address bar, MMO-Champion does not support SSL, which means that all your cookies are sent over with every thread you visit. In addition, one of your cookies is... your password, triple hashed with MD5, a hashing algorithm with known flaws which has been viewed as outdated for a few years now.

    In case this doesn't mean anything to you, I'd like to introduce you to the Wifi Pineapple:

    This bad boy acts as an access point spoofer, which literally listens to your device sending out requests for any open wifi it's ever been connected to (like the Apple Genius Store wifi any Apple device has been on) and spoofs that network. I could literally spend 5 minutes with this thing at blizzcon and get the cookies for all of you at blizzcon using this site on your mobile device.

    So I thought I'd mention this to Troy Hunt since he loves to RT such things, and CC Chaud. I did this right before I went to bed, and when I checked my twitter feed the next day at work (about 12 hours later), I found a flurry of communications between Troy Hunt, Chaud and Zachery, a support guy from vBulletin (the software mmo-champion runs on). Honestly, I thought this would just be a retweet, maybe a few more RTs and favs, and done. Well, that sort of happened. The above discussion also happened. And Troy Hunt wrote a blog post about it (http://www.troyhunt.com/2014/05/why-...tin-forum.html). All in all, a lot more happened than I anticipated. I'm not regretting the whole thing, but I was kinda surprised by what happened.

    As an aside, WoWhead and even the official Blizzard site also have no SSL and could in theory fall victim to an impersonation attack (although the shop for Blizzard IS using SSL, so your money is sorta safe).
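    The two weaknesses the post describes (cookies that travel over plain HTTP, and a cookie whose value is a hashed password rather than a random session identifier) can be checked mechanically from a site's Set-Cookie headers. The Python below is an added example written for this thread; it is not code from MMO-Champion, vBulletin or the poster. The cookie names and values are constructed (the weak one carries md5("password")), and the "32 hex digits looks like a digest" rule is a heuristic, not proof that a value is password-derived.

```python
import re
import secrets

# Length of an MD5 digest written in hex. A random session id has no reason to
# look like a digest, so a value of this shape deserves a second look (heuristic).
MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")
# Constructed name fragments that suggest a cookie carries credential material.
CREDENTIAL_WORDS = ("password", "passwd", "pwd")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header, served_over_https):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if not served_over_https:
        findings.append("site served over plain HTTP: cookie travels in clear text on every request")
    if "secure" not in attrs:
        findings.append("missing Secure flag: browser will send the cookie over plain HTTP too")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag: cookie is readable by script running on the page")
    if any(word in name.lower() for word in CREDENTIAL_WORDS):
        findings.append("name suggests password material: a stolen copy is a long-lived credential, not a revocable session")
    if MD5_HEX.match(value):
        findings.append("value is a 32-hex-digit digest (heuristic): may be password-derived rather than random")
    return name, findings


def audit_headers(headers, served_over_https):
    """Audit every Set-Cookie header and return {cookie name: findings}."""
    return dict(audit_cookie(h, served_over_https) for h in headers)


def make_session_cookie(name, max_age=3600):
    """Build a Set-Cookie line for a random, server-side-revocable session id.

    The value is 256 bits from the OS CSPRNG and is not derived from any user secret,
    so leaking it exposes one session, which the server can invalidate, not a password.
    """
    token = secrets.token_urlsafe(32)
    return f"{name}={token}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample headers modelling the two cookie designs discussed above.
SAMPLE_HEADERS = [
    # weak: value is md5("password"), no transport or script protection
    "forum_password=5f4dcc3b5aa765d61d8327deb882cf99; Path=/; Max-Age=2592000",
    # hardened: random id, only sent over TLS, not readable by script
    make_session_cookie("forum_session"),
]

if __name__ == "__main__":
    for https in (False, True):
        print(f"--- served_over_https={https}")
        for cookie_name, findings in audit_headers(SAMPLE_HEADERS, https).items():
            print(cookie_name, "OK" if not findings else "")
            for finding in findings:
                print("  -", finding)
```

    Note that the Secure flag on its own does not rescue a site that is only reachable over HTTP: the browser would then never send the cookie at all. The fix the thread is circling around is HTTPS for the whole site plus a cookie that holds a random, revocable session id instead of anything derived from the password.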

  2. #2
    Omg did he mention that stupid tell my mom I'm dating a 30 year old thread. LOL. Stay classy guys.

    Edit: Ya uhm. That was...I don't really see the point of his blog beside slightly making fun of MMO-C. I feel bad for chaud more than anyone.
    Last edited by Blueobelisk; 2014-05-27 at 09:29 PM.

  3. #3
    Deleted
    So someone can read my private messages? Go ahead, tame stuff though.

  4. #4
    The Forgettable Forgettable's Avatar
    10+ Year Old Account
    Join Date
    May 2010
    Location
    Calgary, Canada
    Posts
    5,180
    Oh noes, maybe if someone else posted as me I would be less Forgettable.

  5. #5
    Aww sheet, now someone has read all the secret messages that Scrapbot sends to me.

  6. #6
    Deleted
    the problem isn't as much that you can post as someone else. If I can figure out how to get into Chaud's account, I can insert my own code into the forum software and install a keylogger that can read your info on this and other websites.

  7. #7
    Deleted
    Quote Originally Posted by nzall View Post
    the problem isn't as much that you can post as someone else. If I can figure out how to get into Chaud's account, I can insert my own code into the forum software and install a keylogger that can read your info on this and other websites.
    That's why I'm not allowing scripts to be run unless I enable them.

  8. #8
    Titan Gumboy's Avatar
    10+ Year Old Account
    Join Date
    Mar 2014
    Location
    Lost in Space
    Posts
    11,649
    Didn't you just make the issue much more public by making a post about it, thus negating your apology completely?
    You're a towel.

  9. #9
    Deleted
    Shit.

    All my filthy PMs to various forum members could have been read?

  10. #10
    The Lightbringer Lora's Avatar
    10+ Year Old Account
    Join Date
    Oct 2009
    Location
    Some random weird place
    Posts
    3,115
    Now everyone's gonna read my spider pony graphic sex erp going on :c

    Quote Originally Posted by Uggorthaholy View Post
    Thanks but no thanks, Lora, for making me question everything in existence forever.

  11. #11
    Deleted
    Quote Originally Posted by Sir Chinchillidae View Post
    Shit.

    All my filthy PMs to various forum members could have been read?
    Our love will never be made public, don't worry.

  12. #12
    Quote Originally Posted by Sir Chinchillidae View Post
    Shit.

    All my filthy PMs to various forum members could have been read?
    Shit we're screwed dude......

    Sorry mooneye, our secret relationship is public knowledge now.

  13. #13
    Quote Originally Posted by Sir Chinchillidae View Post
    Shit.

    All my filthy PMs to various forum members could have been read?
    I told you doing it on Steam was a smart idea!

  14. #14
    Quote Originally Posted by Xanjori View Post
    I told you doing it on Steam was a smart idea!


    Our love is like an ocean, it overwhelms all!

  15. #15
    The Unstoppable Force Orange Joe's Avatar
    10+ Year Old Account
    Join Date
    Nov 2010
    Location
    001100010010011110100001101101110011
    Posts
    23,088
    Quote Originally Posted by Gumboy View Post
    Didn't you just make the issue much more public by making a post about it, thus negating your apology completely?

    I didn't even see an apology. Just more on the same issue.

  16. #16
    Can someone do an ELI5 version for why I should care? I guess I could dream weird scenarios up, but is there some good reason to be bothered?

  17. #17
    Void Lord Aeluron Lightsong's Avatar
    10+ Year Old Account
    Join Date
    Jul 2011
    Location
    In some Sanctuaryesque place or a Haven
    Posts
    44,683
    Quote Originally Posted by supertony51 View Post
    Shit we're screwed dude......

    Sorry mooneye, our secret relationship is public knowledge now.
    She's into Military men? Damn no chance for me!
    #TeamLegion #UnderEarthofAzerothexpansion plz #Arathor4Alliance #TeamNoBlueHorde

    Warrior-Magi

  18. #18
    Deleted
    It's all coming out now.

    Plead your sins and I shall judge thee innocent.

  19. #19
    Elemental Lord Rixis's Avatar
    10+ Year Old Account
    Join Date
    Feb 2010
    Location
    Hyrule
    Posts
    8,864
    Quote Originally Posted by nzall View Post
    the problem isn't as much that you can post as someone else. If I can figure out how to get into Chaud's account, I can insert my own code into the forum software and install a keylogger that can read your info on this and other websites.
    Doesn't the conversation basically say you can't do that? The pages to do that kind of shit need you to re-enter his password and don't do all the cookie shite?

    Also, sharing passwords between anything remotely important and a regular forum is dumb.

    Don't see a great deal of issue with it myself /shrug

  20. #20
    Quote Originally Posted by supertony51 View Post
    Our love is like an ocean, it overwhelms all!
    My love is like a stream, it runs down your legs.
