  1. #41
    Quote Originally Posted by Baar View Post
    I didn't even see an apology. Just more on the same issue.
    Looks more like a post where he wants a pat on the back for figuring this all out. Not to mention how awesome he is he triggered a discussion through Twitter and blog posts!

    Thank you for pointing out how easily mmo-c security can be broken, thank you for telling EVERYONE that has bad intentions as well.

  2. #42
    I would be more concerned with MMOC's database of email/passwords being compromised and then not being told about it. Not because whoever runs the site might not want the info released, but because until recently they might not have known what harm could have been done, and just fixed the security issue on their end, saw nothing was touched and called it a day. The problem here is that the hackers then use your email and password to log in and steal your WoW account. Basic combo hacking.

  3. #43
    Void Lord Aeluron Lightsong's Avatar
    Quote Originally Posted by Raleina View Post
    Looks more like a post where he wants a pat on the back for figuring this all out. Not to mention how awesome he is he triggered a discussion through Twitter and blog posts!

    Thank you for pointing out how easily mmo-c security can be broken, thank you for telling EVERYONE that has bad intentions as well.
    Pride heralds the end of our world =/
    #TeamLegion #UnderEarthofAzerothexpansion plz #Arathor4Alliance #TeamNoBlueHorde

    Warrior-Magi

  4. #44
    Quote Originally Posted by Sir Chinchillidae View Post
    Shit.

    All my filthy PM's to various forum members could of been read?
    Your transgression has not gone unnoticed.

    OT: So... now everyone knows accounts are vulnerable. Cool apology.
    It is the mark of an educated mind to be able to entertain a thought without accepting it.
    Also, it's should HAVE. NOT "should of". "Should of" doesn't even make sense. If you think you should own a cat, do you say "I should of a cat" or "I should have a cat"? Do you HAVE cats, or do you OF cats?

  5. #45
    Quote Originally Posted by Forgettable View Post
    Oh noes, maybe if someone else posted as me I would be less Forgettable.
    Luckily for me, nobody is crazy enough to impersonate me.

  6. #46
    Sweet, at least someone is reading my private messages.

  7. #47
    Deleted
    But seriously: who doesn't store all their financial details in their profile?

  8. #48
    Bloodsail Admiral RoryTee's Avatar
    I once watched an interview with one of the people who first outsourced virtual ingame services such as power leveling and gold selling. He said point blank that the main reason why people get hacked is that there are certain people who will hack the databases of fan sites and go through all the accounts seeing if anyone uses the same WoW/MMO password.

    Said that phishing and keylogging were a very small percent of all hacking and that the highest risk was the fan sites that you do use security. Obviously this can all be prevented by using different passwords, but it did make me think. Does that sound right, or is he talking crap?

  9. #49
    Deleted
    c[_] <-- Care cup is empty if MMOC use SSL, or not.
    My bank details are secured via a system which is similar to an authenticator.

    Oh and there is not much in there anyway

  10. #50
    Deleted
    Quote Originally Posted by RoryTee View Post
    I once watched an interview with one of the people who first outsourced virtual ingame services such as power leveling and gold selling. He said point blank that the main reason why people get hacked is that there are certain people who will hack the databases of fan sites and go through all the accounts seeing if anyone uses the same WoW/MMO password.

    Said that phishing and keylogging were a very small percent of all hacking and that the highest risk was the fan sites that you do use security. Obviously this can all be prevented by using different passwords, but it did make me think. Does that sound right, or is he talking crap?
    It's crap.

    Your password is stored on their DB and is properly encrypted. Your cookies have to be accessed by a man in the middle attack. But you'd have to intercept each session for each user, can't trawl them all at once.

    Hacking a database doesn't really happen, people exploit weaknesses in its infrastructure. Like using default passwords etc., for their DB profiles.

  11. #51
    The Lightbringer Kerath's Avatar
    Quote Originally Posted by Sir Chinchillidae View Post
    Shit.

    All my filthy PM's to various forum members could of been read?
    Well now I feel really left out.
    Avatar and signature made by ELYPOP

  12. #52
    The password seems to be saved in a cookie. However, I'd imagine that there is some kind of salting going on, preventing an easy attack with a rainbow table.
    A cookie could be stolen in various ways, like an XSS, even if the website uses SSL. They might not be able to decrypt the password, but they might log in as the user.
    Last edited by haxartus; 2014-05-28 at 11:27 AM.
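
An added example, not part of the post above or of the forum's own code: a small audit of `Set-Cookie` headers that flags the two conditions the post describes, a cookie readable by injected script and a cookie whose value is a digest that works as a login token. The cookie names, values and header lines are constructed for illustration.

```python
import re

# Constructed sample headers for illustration; cookie names and values are
# hypothetical, not taken from the forum discussed above.
SAMPLE_HEADERS = [
    "Set-Cookie: forum_userid=12345; path=/",
    "Set-Cookie: forum_password=0123456789abcdef0123456789abcdef; "
    "expires=Thu, 28-May-2015 11:27:00 GMT; path=/",
    "Set-Cookie: forum_session=Zk3vQ9xT1bLw8RrY2mNc7A; Path=/; Secure; HttpOnly",
]

# Lengths of hex-encoded MD5, SHA-1 and SHA-256 digests.
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def parse_set_cookie(line):
    """Split one Set-Cookie header line into (name, value, attributes)."""
    _, _, body = line.partition(":")
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(line):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(line)
    findings = []
    if "httponly" not in attrs:
        findings.append("no HttpOnly: page script, including injected script, can read it")
    if "secure" not in attrs:
        findings.append("no Secure: browser also sends it over plain HTTP")
    if HEX_DIGEST.match(value):
        # A digest-shaped value may be derived from a credential. If so, salted
        # or not, it stays valid until the password changes, so whoever holds
        # the cookie can log in without ever recovering the password.
        findings.append("digest-shaped value: works as a long-lived login token")
    return name, findings


def audit(headers):
    """Map each cookie name to its findings."""
    return dict(audit_cookie(h) for h in headers)


if __name__ == "__main__":
    for cookie, problems in audit(SAMPLE_HEADERS).items():
        print(cookie, "->", problems or "ok")
```

The random, `Secure; HttpOnly` session cookie in the sample passes cleanly; the digest cookie is flagged on all three checks.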

  13. #53
    Quote Originally Posted by Cyberowl View Post
    ヽ༼ຈل͜ຈ༽ノ SSL or RIOT! ヽ༼ຈل͜ຈ༽ノ
    I wish that hadn't made me lol
    Quote Originally Posted by Shalcker View Post
    Posting here is primarily a way to strengthen your own viewpoint against common counter-arguments.

  14. #54
    Quote Originally Posted by nzall View Post
    The problem isn't as much that you can post as someone else. If I can figure out how to get into Chaud's account, I can insert my own code into the forum software and install a keylogger that can read your info on this and other websites.
    It seems like you read somewhere something about security, and decided to show the world how "smart" you are.
    First of all, forum admin accounts aren't connected to the website code.
    Second, how exactly would you install a keylogger? Do you think that a modern browser will just auto run an unsigned Java applet by default?
    And good luck breaking Chrome to do a buffer overflow attack... With a separate privilege layer for each plugin and each tab running in its own process in a sandbox... If you can do that, you don't need to hack this forum, just contact Google and they will hire you and give you hundreds of thousands of dollars.
    Last edited by haxartus; 2014-05-28 at 12:08 PM.

  15. #55
    The Lightbringer Waaldo's Avatar
    Why would mmo-champion take my cookies? I like my cookies......
    These aren't the spoilers you're looking for.

    Move along.

    Quote Originally Posted by Blueobelisk View Post
    Now, Waaldo is prepared to look for this person like Prince Charming testing everyone to see just how bad their psychological disorder is if their foot fits in the glass slipper.

  16. #56
    The issue is more so that it's irresponsible for a site that has as much traffic as this does. vBulletin is old, clunky and pretty horrendous for security. SSL certificates cost something like $70 a year. A much more secure and nimble forum software such as IPBoard costs another $160.

    For a site that generates as much revenue via (sometimes malicious) ads as MMO-Champ does, it's a drop in the bucket. So the question is, is your security not worth 0.05% of MMO-Champ's revenue?
    i7-4770k - GTX 780 Ti - 16GB DDR3 Ripjaws - (2) HyperX 120s / Vertex 3 120
    ASRock Extreme3 - Sennheiser Momentums - Xonar DG - EVGA Supernova 650G - Corsair H80i

  17. #57
    The Unstoppable Force Orange Joe's Avatar
    Quote Originally Posted by glo View Post
    The issue is more so that it's irresponsible for a site that has as much traffic as this does. vBulletin is old, clunky and pretty horrendous for security. SSL certificates cost something like $70 a year. A much more secure and nimble forum software such as IPBoard costs another $160.

    For a site that generates as much revenue via (sometimes malicious) ads as MMO-Champ does, it's a drop in the bucket. So the question is, is your security not worth 0.05% of MMO-Champ's revenue?

    The worst that will happen to me is I lose my account to MMO champ.


    Oh dam... I'll have to make a new one.



    As far as I am concerned MMO champ is fine the way it is.

  18. #58
    Deleted
    Quote Originally Posted by Kerath View Post
    Well now I feel really left out.
    Don't worry, prepare your inbox.

  19. #59
    Oh yeah, I remember last time when I hacked MMO-C and started a nuclear w...oh, no, I've seen that in a movie.

  20. #60
    Quote Originally Posted by Baar View Post
    The worst that will happen to me is I lose my account to MMO champ.


    Oh dam... I'll have to make a new one.



    As far as I am concerned MMO champ is fine the way it is.
    This is a pretty stupid stance. "Who cares about security when I deem things unimportant."

    1. Your email is attached to your account
    2. Your birthday is attached to your account
    3. Your password is attached to your account

    Take a moment and realize what can be done with said information. If you share this password with ANY other service online, sucks to be you. If your email shares the same password, REALLY sucks to be you. Not to mention that your birthday can easily be used to reset passwords.

    Not everyone employs safe password logic.
