  1. #81
    My MMO-Champion password is unique to this site only, and so should everyone's. It doesn't bother me if they get my details, and access my Private Messages.

  2. #82
    Rixis (Elemental Lord; joined Feb 2010; location: Hyrule; 8,864 posts)
    To use the wet floor analogy: is your password/email not the yellow floor sign? SSL would be like having a guy standing there to guide you across the floor.

  3. #83
    Quote Originally Posted by Valarius View Post
    So someone will discover my love of Big Beautiful Women that I have shared via PM?

    Well, shit.
    Funny how ~half the posts are variations on almost the exact same joke. U guys are creative.

  4. #84
    Orange Joe (The Unstoppable Force; joined Nov 2010; location: 001100010010011110100001101101110011; 23,088 posts)
    Quote Originally Posted by Annoying View Post
    Why would anyone argue against something that could only change their experience for the better? "Well, I'm not at risk, so this thing I don't have to do any work for that doesn't have any effect on me in the slightest shouldn't be implemented."

    I don't get it. I mean, I see that you're not actively arguing against it, but pointing out your technological superiority to others is meaningless.
    We aren't so much arguing against as much as it's a pointless upgrade.


    In the 7-10 years this site has been open, how many accounts have you heard about being hacked? I know in the 3-4 years I've been here I haven't heard of one. Considering that, I don't think there is really that much of a risk of being hacked.

  5. #85
    Quote Originally Posted by Baar View Post
    We aren't so much arguing against as much as it's a pointless upgrade.


    In the 7-10 years this site has been open, how many accounts have you heard about being hacked? I know in the 3-4 years I've been here I haven't heard of one. Considering that, I don't think there is really that much of a risk of being hacked.
    Yeah, best to ignore security issues until something bad happens. I forgot about that rule!

  6. #86
    Orange Joe (The Unstoppable Force; joined Nov 2010; location: 001100010010011110100001101101110011; 23,088 posts)
    Quote Originally Posted by glo View Post
    Yeah, best to ignore security issues until something bad happens. I forgot about that rule!

    Yes I'm going with the "if it ain't broke don't fix it" route.

  7. #87
    The guy is just trying to get blog and product attention.

    Like... really... who the f... cares about their MMO password that much to concern themselves with whether or not the site uses SSL encryption. An encryption technique that is widely used and yet is full of flaws (besides Heartbleed). Don't know them? Go educate yourselves.

    ALSO, logging in via any Blizzard website to your account will result in a HTTPS/TLS connection... aka... SSL, whether you visit the shop or not. Don't pay attention to this troll. Reported for posting stupid information... TWICE.

  8. #88
    Quote Originally Posted by Baar View Post
    Yes I'm going with the "if it ain't broke don't fix it" route.
    Good thing your logic isn't used in the professional IT world.

  9. #89
    Deleted
    Quote Originally Posted by glo View Post
    Good thing your logic isn't used in the professional IT world.
    If it won't impact heavily on business processes, after the cost/benefit, then his logic is used.

    I've known many companies to simply not bother plugging up holes because if they were breached, it'd mean negligible impact.

    MMO Champ clearly don't see the benefit in redoing something that has been fine and stable for years.

  10. #90
    Orange Joe (The Unstoppable Force; joined Nov 2010; location: 001100010010011110100001101101110011; 23,088 posts)
    Quote Originally Posted by glo View Post
    Good thing your logic isn't used in the professional IT world.


    But it is, or we wouldn't be here having this discussion would we?

  11. #91
    Quote Originally Posted by Baar View Post
    But it is, or we wouldn't be here having this discussion would we?
    Fan sites aren't part of the professional IT world.

    Quote Originally Posted by UncleSilas View Post
    If it won't impact heavily on business processes, after the cost/benefit, then his logic is used.

    I've known many companies to simply not bother plugging up holes because if they were breached, it'd mean negligible impact.

    MMO Champ clearly don't see the benefit in redoing something that has been fine and stable for years.
    SSL implementation isn't time consuming. It's also virtually free. Further, user passwords and email breaches aren't negligible.

  12. #92
    Deleted
    Quote Originally Posted by Bormes View Post
    Funny how ~half the posts are variations on almost the exact same joke. U guys are creative.
    Oh damn, u got us. It's probably because most of us don't give a shit if somebody wants to read the sort of inane drivel that makes up 99% of PMs or log in to shit-post using my account. It's not like I'm giving anyone any important information. They get my shit spare email account, and a password I don't use for anything else.

  13. #93
    A mod needs to stop this.

    This guy is just a troll.
    He just wants traffic to his site.

    - Implementing TLS connections for a site that doesn't handle monetary transactions nor does it hold private personal information is pointless.

    - He is also 100% wrong about Blizz's security. From any of their pages, the moment you hit "sign in" or "my account" you will be using HTTPS/TLS aka SSL.

    Report him.

    Edit:... anyways, if anyone is posting their personal information in PMs or if they used their real information, then yes, they deserve to get hacked.

  14. #94
    Orange Joe (The Unstoppable Force; joined Nov 2010; location: 001100010010011110100001101101110011; 23,088 posts)
    Quote Originally Posted by glo View Post
    Fan sites aren't part of the professional IT world.

    Tech support from VB says pretty much the same thing.


    https://twitter.com/vBZachery/status/471161211401555968

  15. #95
    Deleted
    Quote Originally Posted by glo View Post
    Fan sites aren't part of the professional IT world.



    SSL implementation isn't time consuming. It's also virtually free. Further, user passwords and email breaches aren't negligible.
    Actually they are from a business standpoint. Revenue is based on ad revenue, they don't care who is viewing the adverts.

    SSL isn't complicated to roll into a new system, but can be problematic to incorporate fully into a legacy system without considerable downtime and error checking.

    Building high level systems requires risk assessments, and the percentage of failures due to hacking is tiny for industrial grade systems. For fan sites? I'd be amazed if it counted for ~1%.

  16. #96
    Quote Originally Posted by N-7 View Post
    IMO OP has blown this out of proportion and, like the vBulletin guy said, the worst that could happen is someone logging on your account and making some funny posts.
    No, in fact you're describing what could happen to a moderately careful individual who does not re-use passwords, lists false or no personal information and never uses the same e-mail address for other accounts.

    Now, in an unlikely worst case scenario, a very skilled attacker obtaining access to your MMOC account could potentially use your entered personal information together with your e-mail address and your password and, through the nasty phenomenon called social engineering, find out far more about you than what you've agreed to when you signed up to MMOC.

    (Consider for example the common type of e-mail address name.surname.something@~ revealing your name and surname, while you've liked World of Warcraft on your public Facebook profile. Oops, I've possibly also got your location and age (if your birth year isn't already a part of your e-mail address) from MMOC, which really narrows the amount of people named name surname living in location around the age of age. It'd only take a few minutes to find "you", and who knows what "you" list on your public social networking profiles?)

    Yeah, it's mildly speaking an exaggeration, but it's not impossible, and it's just the tip of an iceberg of opportunities for the evil people out there. The general internet user or even the general gamer doesn't hide everything from the public and if you're just a bit creative it's possible to find way more information about people than you'd like. That said I'm not personally concerned about MMOC not using SSL, but I definitely do understand why people might question it.
    Last edited by Arainie; 2014-05-28 at 03:33 PM.

  17. #97
    Quote Originally Posted by nzall View Post
    https://twitter.com/realnzall/status/471006142349725696

    After reading a whole lot of Troy Hunt's posts on website security, I ended up checking the mmo-champion cookies to figure out how security is handled here.

    What I found was sobering. As you can see right now in your address bar, MMO-Champion does not support SSL, which means that all your cookies are sent over with every thread you visit. In addition, one of your cookies is... your password, triple hashed with MD5, a hashing algorithm with known flaws which is viewed as outdated for a few years now.

    In case this doesn't mean anything to you, I'd like to introduce you to the Wifi Pineapple:



    This bad boy acts as an access point spoofer, which literally listens to your device sending out requests for any open wifi it's ever been connected to (like the Apple Genius Store wifi any Apple device has been on) and spoofs that network. I could literally spend 5 minutes with this thing at blizzcon and get the cookies for all of you at blizzcon using this site on your mobile device.

    So I thought I'd mention this to Troy Hunt since he loves to RT such things, and CC Chaud. I did this right before I went to bed, and when I checked my twitter feed the next day at work (about 12 hours later), I found a flurry of communications between Troy Hunt, Chaud and Zachery, a support guy from vBulletin (the software mmo-champion runs on). Honestly, I thought this would just be a retweet, maybe a few more RTs and favs, and done. Well, that sort of happened. The above discussion also happened. And Troy Hunt wrote a blog post about it (http://www.troyhunt.com/2014/05/why-...tin-forum.html). All in all, a lot more happened than I anticipated. I'm not regretting the whole thing, but I was kinda surprised by what happened.

    As an aside, WoWhead and even the official Blizzard site also have no SSL and could in theory be victim to an impersonation attack (although the shop for Blizzard IS using SSL, so your money is sorta safe).
    Oh look mr computer science is finally on 200 courses, you get this from COMP201?

  18. #98
    N-7 (The Lightbringer; joined Apr 2012; location: UK; 3,572 posts)
    Quote Originally Posted by Arainie View Post
    No, in fact you're describing what could happen to a moderately careful individual who does not re-use passwords, lists false or no personal information and never uses the same e-mail address for other accounts.

    Now, in an unlikely worst case scenario, a very skilled attacker obtaining access to your MMOC account could potentially use your entered personal information together with your e-mail address and your password and, through the nasty phenomenon called social engineering, find out far more about you than what you've agreed to when you signed up to MMOC.

    (Consider for example the common type of e-mail address name.surname.something@~ revealing your name and surname, while you've liked World of Warcraft on your public Facebook profile. Oops, I've possibly also got your location and age (if your birth year isn't already a part of your e-mail address) from MMOC, which really narrows the amount of people named name surname living in location around the age of age. It'd only take a few minutes to find "you", and who knows what "you" list on your public social networking profiles?)

    Yeah, it's mildly speaking an exaggeration, but it's not impossible, and it's just the tip of an iceberg of opportunities for the evil people out there. The general internet user or even the general gamer doesn't hide everything from the public and if you're just a bit creative it's possible to find way more information about people than you'd like. That said I'm not personally concerned about MMOC not using SSL, but I definitely do understand why people might question it.
    Who uses their real name in a personal email address? Hell any smart person wouldn't put anything sensitive on their junk email address. My Facebook profile is not public and again any smart person knows how and when to change privacy information.

    You just assumed that said person in your example is a dim-wit and went on your hypothetical situation train. I'd wager that most people here are somewhat tech-savvy and aren't complete idiots.

  19. #99
    Quote Originally Posted by N-7 View Post
    Who uses their real name in a personal email address? Hell any smart person wouldn't put anything sensitive on their junk email address. My Facebook profile is not public and again any smart person knows how and when to change privacy information.

    You just assumed that said person in your example is a dim-wit and went on your hypothetical situation train. I'd wager that most people here are somewhat tech-savvy and aren't complete idiots.
    That's an impressive bubble you're in.

  20. #100
    Quote Originally Posted by N-7 View Post
    Who uses their real name in a personal email address?
    Someone who needs it for work, because a name like cool_dude_85 just seems stupid.
    By the way, SSL doesn't solve the session hijacking problem. Cookies can be stolen via XSS, which is a bigger threat than capturing unencrypted packets from the local network, because for the latter you have to be in the same network as the target and it's literally impossible to hack hundreds of people or find a priority target like an administrator. XSS can be targeted and can affect more people.
    The only way to solve the problem completely is not to put the password in the cookie file. Sorry, you will have to log in each time you visit the site. A session ID with an expiration of like 30 minutes will be required, and it has to be IP locked.
    Last edited by haxartus; 2014-05-28 at 08:06 PM.
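    An added illustration of the two cookie designs argued over in the nzall quote (post #97) and in post #100, not code from MMO-Champion or vBulletin: the triple-MD5 password cookie the thread describes beside a server-side session with a random token, 30-minute expiry and IP lock. All names, timestamps and IPs are constructed.

```python
import hashlib
import secrets

# Added example, not MMO-Champion's or vBulletin's code: the cookie scheme the
# thread describes (triple-MD5 password hash in a cookie) beside the server-side
# session design proposed in post #100. Names and values are constructed.

SESSION_TTL = 30 * 60  # 30-minute expiry, as proposed in the thread

def legacy_password_cookie(password: str) -> str:
    """The criticised scheme: md5(md5(md5(password))) placed in a cookie.
    Deterministic and never expiring, so a copy captured on an open network
    (or exfiltrated via XSS) can be replayed indefinitely."""
    digest = password.encode()
    for _ in range(3):
        digest = hashlib.md5(digest).hexdigest().encode()
    return digest.decode()

class SessionStore:
    """Server-side sessions: a random token unrelated to the password, bound
    to the issuing client IP and discarded after SESSION_TTL seconds."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create(self, user: str, client_ip: str, now: float) -> str:
        """Issue a token; `now` is a Unix timestamp passed in for testability."""
        token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        self._sessions[token] = {"user": user, "ip": client_ip, "expires": now + SESSION_TTL}
        return token

    def lookup(self, token: str, client_ip: str, now: float):
        """Return the user for a valid token, or None if it is unknown, expired,
        or presented from a different IP than it was issued to."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if now > session["expires"]:
            del self._sessions[token]  # expired tokens are purged, not renewed
            return None
        if session["ip"] != client_ip:
            return None  # IP lock: a token replayed from elsewhere is rejected
        return session["user"]

def session_cookie_header(token: str) -> str:
    """Attributes that need TLS to help: Secure keeps the cookie off plain HTTP,
    HttpOnly keeps it away from page scripts (the XSS vector raised in post #100)."""
    return f"Set-Cookie: sessionid={token}; Secure; HttpOnly; SameSite=Lax; Max-Age={SESSION_TTL}"
```

    The IP lock does break sessions for users whose address changes mid-visit (mobile networks, proxies), which is the usability cost the thread's proposal accepts.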
