Security issue regarding sid and normal login

06/20/2017 10:59 skeith_sk8#1
Hi guys,
After a while waiting for BP to fix this, I have decided to share this so that you guys avoid trouble while sharing accounts. I hope that after this thread it also gets fixed.

As we all know, when someone enters our account using the password, we get a 99 error in the backpage as the SID changes, and if someone enters our account and goes to the spacemap we get a connection lost error. However, even if the SID is different, if you press reconnect you will be able to recover the connection.

In other words, imagine that you share your account using password or sid, it does not matter, with a friend. If your friend does not close the spacemap window he will keep access to the spacemap forever even if the SID changes or you change password or whatever. This can cause a huge variety of issues, such as billions of dishonor == bye bye account, all ammo gone, kill people that shouldn't be killed, say on global chat "i am a bot user", pushing, etc etc.

So be careful, guys, with who gets access to your account, and don't be that confident with the SID, as even if it changes the other player can keep the connection.

Regards
skeith
PS: You guys can test it just by opening 2 browsers. Just connect with browser 1 to the spacemap. Then go to browser 2 and enter the spacemap. You will have connection lost on browser 1. Press reconnect and you will recover the connection even if the SID is gone. Sometimes you can get an infinite "trying to connect". The other user can just create 5-6 tabs with the spacemap and if 1 gets stuck just close it and press reconnect in another one.
06/20/2017 11:14 linksus#2
Thanks for info
06/20/2017 20:33 ~Demetrio~#3
Quote:
Originally Posted by skeith_sk8 View Post
Hi guys,
After a while waiting for BP to fix this, I have decided to share this so that you guys avoid trouble while sharing accounts. I hope that after this thread it also gets fixed.

As we....
This is a known bug! Sometimes it doesn't connect to the spacemap, sometimes it does after a user logs into the account!

But anyway, BP doesn't care about the players! Even if there are hacked users, BP will be happy to earn money from them! [no bot users].
06/20/2017 20:53 skeith_sk8#4
Quote:
Originally Posted by ~Demetrio~ View Post
This is a known bug! Sometimes it doesn't connect to the spacemap, sometimes it does after a user logs into the account!

But anyway, BP doesn't care about the players! Even if there are hacked users, BP will be happy to earn money from them! [no bot users].
It always connects, actually (unless the screen gets bugged)
06/20/2017 21:52 shiroe98#5
thx
06/20/2017 22:04 Sydno#6
First of all say thanks because they remove sid from game page url :))
06/21/2017 15:34 somalia_#7
I thought that was a feature rather than a bug.. That's too bad. :/
06/21/2017 23:52 :thonking:#8
This was an actual method how I saved my account about 4 years ago when the account hacking was easy(?). I could keep the account online at spacemap and it was always a mark that if my ship was moving, I knew someone was on my account. So fast login to backpage and changing the password and all was good.

However nowadays it's:

1. Impossible(?) to get into your account without knowing the username and password or sid (point: unable(?) to crack).
2. Even if it happens, the infinite connection bug might fuck up your chances to save your account.

Just don't know should I laugh or cry, maybe just be neutral as the game sucks and idc if someone steals my acc. xD
04/17/2018 12:01 skeith_sk8#9
As a little update on this thread, I can say that they finally patched this issue (partially). For some days/weeks now, you can only keep the connection till the next server restart. After that, the client windows will no longer provide you access to the account.
04/18/2018 15:10 grimreaper13#10
so there is possibility to connect to an account with only SID?
04/18/2018 23:19 PNTX#11
Quote:
Originally Posted by grimreaper13 View Post
so there is possibility to connect to an account with only SID?
there is. and always was.
04/19/2018 00:32 grimreaper13#12
Quote:
Originally Posted by PNTX View Post
there is. and always was.
how is that even possible? :O
04/19/2018 07:35 skeith_sk8#13
Quote:
Originally Posted by grimreaper13 View Post
how is that even possible? :O
[Link hidden for unregistered users]
04/19/2018 17:45 manulaiko3.0#14
Quote:
Originally Posted by grimreaper13 View Post
how is that even possible? :O
The Session ID is a unique 32-char hex identifier that is randomly generated with each login. It's not any kind of security vulnerability; in fact, it is used everywhere you can log in, it's just how the internet works.
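
An added example, not part of the thread and not the game's server code: a toy session store that models the behaviour reported in the first post (a reconnect succeeding with an SID that has already been replaced) next to a version that re-checks the SID on every reconnect and revokes it on password change. The thread does not state the real cause; modelling it as "any SID ever issued is still accepted" is an assumption, and all class, method and account names are hypothetical.

```python
import hmac
import secrets


class SessionStore:
    """Toy session store; all names are hypothetical, not the game's API."""

    def __init__(self, check_on_reconnect):
        self.check_on_reconnect = check_on_reconnect
        self.passwords = {}      # user -> password (plaintext only for brevity)
        self.current_sid = {}    # user -> the single SID that is valid now
        self.seen_sids = {}      # every SID ever issued -> user

    def register(self, user, password):
        self.passwords[user] = password

    def login(self, user, password):
        stored = self.passwords.get(user, "").encode()
        if not hmac.compare_digest(stored, password.encode()):
            return None
        sid = secrets.token_hex(16)      # 32 hex chars, new on every login
        self.current_sid[user] = sid     # rotating the SID replaces the old one
        self.seen_sids[sid] = user
        return sid

    def change_password(self, user, new_password):
        self.passwords[user] = new_password
        self.current_sid.pop(user, None)  # revoke: everyone must log in again

    def reconnect(self, sid):
        """Return the user a map client is re-attached to, or None."""
        user = self.seen_sids.get(sid)
        if user is None:
            return None
        if not self.check_on_reconnect:
            return user                  # weak: a replaced SID still reconnects
        current = self.current_sid.get(user)
        if current is not None and hmac.compare_digest(current, sid):
            return user
        return None                      # stale SID: reconnect refused


def demo(check_on_reconnect):
    store = SessionStore(check_on_reconnect)
    store.register("owner", "pw1")             # constructed sample account
    shared_sid = store.login("owner", "pw1")   # session shared with a friend
    owner_sid = store.login("owner", "pw1")    # owner logs in, SID rotates
    after_login = store.reconnect(shared_sid)
    store.change_password("owner", "pw2")
    after_change = store.reconnect(shared_sid)
    return after_login, after_change, store.reconnect(owner_sid)
```

With the check enabled, the owner's own map client is also dropped after the password change and has to log in again, which is the intended cost of revoking every outstanding session.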