Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Tahin]

Huh. If you asked first and got a yes... Why did he ban you?
I'm going to wait for Lumin's reply before passing judgement, but it seems to me like someone isn't telling the whole truth.

*Makes some popcorn, then sits back and waits for the drama to unfold.*

Also, the house analogy doesn't exactly seem terribly accurate. More than anything it scares me that the passwords aren't stored as hashes.

[Neonivek]

Huh. If you asked first and got a yes... Why did he ban you?
I'm going to wait for Lumin's reply before passing judgement, but it seems to me like someone isn't telling the whole truth.

*Makes some popcorn, then sits back and waits for the drama to unfold.*

Also, the house analogy doesn't exactly seem terribly accurate. More than anything it scares me that the passwords aren't stored as hashes.

Ehhhhh... the house analogy was supposed to explain why Lumin would be mad at someone who was just there to help.

It wasn't supposed to perfectly match the event... it is still accurate unless he actually did harm something.

But I guess it could be as if someone came over to your house and held a large sledge hammer and said "You probably should reinforce your door" whilst standing outside it.

[Tahin]

I get what you're saying. It's just that they wouldn't, at least for me, elicit the same response.

[Neonivek]

I get what you're saying. It's just that they wouldn't, at least for me, elicit the same response.

Same here, though Id be pretty freaked out

[Natso]

Ugh.  News update today, confirmed I was correct in my predictions.  Once FTO gets back online, it will only be a matter of time before someone less than friendly has their way with the game's glitches.  I no longer have interest in aiding FTO.

As for the rest of the story (be warned, I'm going to be blunt, and I'll probably look like an asshole)
Lumin is overconfident in his skills.*  When I pointed out simple problems, he fixed them, not too important tho.

Then I pointed out larger problems, but I said it rather... umm... generically?  He's like, "yeah, cool, good thing you found the before someone else did.  How can I fix this?"


And then I go into detail about the problems (there were four major ones), which are/were quite dangerous, including everything from trusting javascript on the client-side to XSS problems so bad it could catch unwary users and delete their accounts, or overwrite their passwords.

He believes that I had hacked the site in order to find all this info.  My sources?  Right-click -> View Source.  "window.location="index.php";" isn't going to be keeping anyone from viewing the page.
And then the public include directory... isn't too hard to find, when errors give direct links to them.  All of the php files, including the chron.php which runs hourly(? I think).  Entirely unsecure.  He totally saw this in the wrong way, I'm a terrible hacker, because, you see, his site is very secure, so for me to actually come up with so many huge problems I MUST have tampered with game data, and so not only was I banned, but other users are now recommended to change their account passwords once the game resume play.

</end of rant>

In other news, I'm rather pissed off myself.  My character was 5th in line to be born, but no doubt my account has been deleted by this point, and I've also been gyped out of fun for a few months.  See, I like to find fledgling/insecure sites, fix them up, and take it as a challenge.  Any attempt on the site I'm "protecting" is a direct assault on my own security.  Maybe most people don't, but I find this a source of fun/amusement.  Combined with the fact the site was bound to be hacked by someone less nice than I, we kill two birds with one stone, the site becomes secure, and I get my kicks making sure it stays that way.

Peace out,
 - Natso

edit:  There was a request for some proof of authenticity.  As my account was banned, and Lumin refused to let me contact him any way except PM, I cannot provide screenshots.  However, I can supply screenshots of the PM alerts of messages I received from him.
http://natso.darknovagames.com/files/sc1.png
http://natso.darknovagames.com/files/sc2.png

[Little]

Lumin, I demand you take passwords out of plain text. 

[Morlark]

Yeah, I'd noticed some of that Javascript stuff, but I got distracted, and then forgot about it before I got around to reporting it. Fairly rookie mistake to make, honestly. Sucks that you got banned, and that Lumin has totally handled this completely the wrong way. I think I'd already mostly decided that this game wasn't my thing though, so I doubt I'll be missing much if I just delete my account and forget about it, although it's a bit of a shame, since I do like to try out new games like this.

[Rilder]

This gives me an idea for an awesome new Discovery Channel show! "It takes a hacker!" 

Seriously though, how clear were your PMs to ask him?  Were they just like "hey can I check a few things with your sites security?"  Maybe they should of been a bit more detailed.

[Natso]

This gives me an idea for an awesome new Discovery Channel show! "It takes a hacker!" 

Seriously though, how clear were your PMs to ask him?  Were they just like "hey can I check a few things with your sites security?"  Maybe they should of been a bit more detailed.

I'm not a vague sort of person when I ask questions.  Lumin... not quite so much.

 - Natso

[Karlito]

This is from Lumin on the FTO forums

Out of respect to the person involved, I wasn't going to post any details.  However, since I believe I was in the right in the actions I have taken, here is my side of the story.  You can judge for yourself.

When this player saw that some of my source code was insecure by viewing my page source (without asking for permission), I told him that I didn't mind if he reported problems.  I did not give him permission to hack the code using form spoofing and then pose as a character in the game to post chat messages.

These are quotes from his PMs:

Quote
First of all, I feel a little guilty - I know a good bit about you (google is a scary place) and you don't know anything about me, so feel free to ask anything.
Second, do you use blank@gmail.com, myname@yahoo.com, or blank@gmail.com?
(italics to hide my personal info)

Quote
This was me, talking as user id #0 (default, because it is undefined)

10th of Urnu, 25, sunrise:
stares soullessly into the distance
 
10th of Urnu, 25, sunrise:
waaaah! goo waaaah! gaa

Then he proceeds to tell me how he knows that my form data is insecure because I'm not checking where my data is coming from (a problem which has been remedied).  That means he had to spoof my forms to do that.  Posing as another character in game is defined as hacking.

Even if he was only trying to be helpful, there is no way I could have known that for sure.  I took it as a personal threat when he stated that he had my personal email addresses, name and quote, I know a good bit about you.

Also, since I have banned him, he has been back to the site with a new IP address.

That is why I reacted the way I did.  Anyway, I wish him well.  I hope he learns to be more respectful in the future.

I realize this is Beta and there are bugs.  I don't mind people reporting bugs, and I am planning to ask someone I trust to look for further security issues.

I hope we can get this all behind us, and concentrate on making FTO a safe and fun place.

Also, he says that passwords were always encrypted in the database.

I don't really care to form an opinion either way, since that will only bring more drama.

[Torak]

That is why I reacted the way I did.  Anyway, I wish him well.  I hope he learns to be more respectful in the future.

Another tidbit I find amusing.

[umiman]

This is like watching an episode of the OC. It's so exciting!

Seriously though, I'm quite worried that the user data has been leaked so easily.

[Sowelu]

Oh, God.  Wow.  That really is terrible security.  I wish the world wasn't like this, but you really need better security than that to run a web-based game.  From the sounds of things, it was...REALLY bad, and people would have tripped over it at random just saying "hey, this page name showed up in an error message, what happens if I go to that URL".  It sounds like if he didn't get hacked in an obvious way, that game would have sucked to play pretty hard, because within a couple months someone would have compromised it and cheated instead of just having fun!

Someone on their forum claimed that, when you go to change your user settings in the game, it populates the form with your old password--still in a 'password' field so it shows up as *******, but it's still contained in the page source, meaning it's transmitted by plaintext, and more importantly, even if it's not stored in the database in plaintext, the password IS retrievable.  That is kind of...unforgivable from a security standpoint.  I really don't know if it's true--it might not be, someone might not understand what they're seeing--but if it IS true, then that is a total misunderstanding of basic security principles.  If passwords aren't even hashed, I wouldn't feel safe on the site.

If a cracker can break into the server and make themselves level 99, shame on the cracker.

If a cracker can break in and get someone's password, SHAME ON THE SITE ADMIN.

[beorn080]

Two things I find extremely disturbing.

One, Lumin hasn't said word one here about it. Considering he advertised this site here being run on a fast, professional server, you would think he would comment here. That he hasn't doesn't speak well for him. Natso has been decent enough to discuss what happened, and getting Lumin's side would be helpful.

Two, Lumin seems to have no idea of general internet usability. Given a name and an IP address, you can find out most everything about a person. Indeed, its even easier if the person is running a professional website, since one can do an IP lookup of said website to learn who owns it, the billing address, phone and fax numbers, and a few other fun tidbits of information.

I must say that I am extremely leery of signing up for FTO's forum's if his security is as bad as it seems to be.

[Sowelu]

The forum software is different from the game software, user accounts are not the same as forum accounts...so I think the forums are more secure than the game at this point.  Publicly available forum software has generally long since had the holes drilled out of it.