Register for your free account! | Forgot your password?

Go Back   elitepvpers > New Arrivals > Early Access Games
You last visited: Today at 08:05

  • Please register to post and access all features, it's quick, easy and FREE!

 

[PSA] MULegend Account Security Risk

Reply
 
Old   #1
 
elite*gold: 0
Join Date: Mar 2006
Posts: 1,196
Received Thanks: 221
Exclamation [PSA] MULegend Account Security Risk

Ok, not really but it is still risky.
Anyone who can get the right Authentication Key after you login can LOGIN any account without knowing the Exact Username & Password of that account.

How is that possible?
Simple because the Launcher from you are logging in store your Data in a encrypted string and pass it to the Client as the Parameter.

Example:
Mulegend.exe <YOUR ENCRYPTED DATA>

With that, MULegend.exe will validate it if the account is correct or not. But since there is already a validation from the Launcher. The Data being passed to the MULegend.exe is 100% Correct and it will just logged in that account.

How is this a risk to you?
A malicious programmer can create an application that gathers MULegend's Encrypted Data and save it or perhaps mail it back to him.

Once he has the data, he can login to any account according to the data he has gathered.

Since the Client (MULegend.exe) has no 2nd security authentication in game ANYONE CAN LOGIN ANY ACCOUNT AS LONG AS THE DATA IS CORRECT.

Ive included as simple app in this post to gather your AuthKey.
Instructions are in #README#.txt

I've included an example account (encrypted data) in Start Game.bat. For you to test.

Just a note, I have not tested this outside my network.



Edit:
Upon further observation, it appears there's also a SessionKey included. This sessionkey expires within certain amount of time. It may not be much but still risky if the malicious user gets your AuthKey and login as soon as possible.
Attached Files
File Type: zip AuthKey Grab.zip (11.4 KB, 3 views)



killzone is offline  
Thanks
1 User
Reply



« Previous Thread | Next Thread »

Similar Threads
[WTS] WTS Game Private server [ Vps - Security Proxy - Security ddos] Files
Want To Sell My Vps Ram 8 Giga have time with security have time have all files you need you only setup
2 Replies - Web Host / Server Trading
[Ad]MULegend - Full Season 8 Ep 2 - Return of the King
Server Location: USA http://warbeast.boards.net/ Website: Under Construction Ingame Registration - Please do not make accounts you don't want to...
2 Replies - Private Server - Discussions / Questions
FOR PEOPLE THAT DON'T LIKE TO RISK THEIR PRECIOUS ACCOUNT
I PLAY CABAL NA (THIS WILL BE ALSO SUITABLE FOR other Cabal that are in EPISODE 9) Many people have been complaining of getting banned and blaming...
0 Replies - Cabal Guides & Templates
Diablo 3 Account For 10 Euro lVl 60 DH (this game is Sh.. Buy at own risk)
Hello i wanna Sell Account to this Crap And Boring Game Called Diablo 3 On Account : lvl 60 DH with 400 k Gold and 82 k DPS Price : 10...
2 Replies - Diablo 3 Trading
[Release] processor.php protection for potential security risk
if you are useing the processor.php script, you need to know that is potentially attackable with code ijections. Here is a little solution that...
6 Replies - Shaiya PServer Guides & Releases



All times are GMT +1. The time now is 08:05.


Powered by vBulletin®
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
SEO by vBSEO ©2011, Crawlability, Inc.

Support | Contact Us | FAQ | Advertising | Privacy Policy
Copyright ©2017 elitepvpers All Rights Reserved.