This looks like fun (RoM password security)

rawrgodzilla · 06/15/2010, 00:00

Seems like a bunch of people are raging now on both EU and US forums after this video was made about unencrypted passwords. Looks like fun to me lol

EU thread:

Video:

I so do love how secure Runes of Magic is.

~~anonymous-f4h279~~ · 06/15/2010, 00:12

A way to hack users?

Atheuz · 06/15/2010, 01:30

Quote:

Originally Posted by Drewfire

A way to hack users?

No, it's the issue about the client sending the server the login in plaintext. Basically this means, even if the server calculates a hash serverside before comparing it to the database, a person who has access to this kind of interface could log the incomming authentication packets.

However, it's no indication or evidence that frogster breaks any law of saving private information. It simply means that the Client is running on a non certificated or encrypted stream, which alot of things do. And like many things it could be abused by someone bad working for them that has access to the server.

ivits · 06/15/2010, 13:07

thats not really interesting, because every game uses this way, so if someone hacks your account, he has to hack your pc, or th server.
What you need is a computercode trojan or an, trojaner which is always activate.

edit says: computercode = programmcode

Fir3andIc3 · 06/15/2010, 14:10

Quote:

Originally Posted by ivits

thats not really interesting, because every game uses this way, so if someone hacks your account, he has to hack your pc, or th server.
What you need is a computercode trojan or an, trojaner which is always activate.

/sign

A hacker needs to be in the middle. Something like this:

Server <-----> Trojan Horse (maybe) <-----> Your PC

p.s. Trojan is on your pc ^^

~~anonymous-f4h279~~ · 06/15/2010, 15:18

Quote:

Originally Posted by Fir3andIc3

/sign

A hacker needs to be in the middle. Something like this:

Server <-----> Trojan Horse (maybe) <-----> Your PC

p.s. Trojan is on your pc ^^

It's unnecessary

Digital Shadow · 06/15/2010, 16:35

Quote:

Originally Posted by Drewfire

It's unnecessary

No it's not! Your username and your password from your pc will be send unencrypted straight to the loginserver if you press the login button. Skillful hackerz have to use packet sniffing tools or something like (keylogger) trojans or other security vulnerabilities to steal your account data.

Quote:

thats not really interesting, because every game uses this way

someone posted somewhere that in other mmo games they use an encryption, while sending personal access data.

~~anonymous-f4h279~~ · 06/15/2010, 16:58

It's unnecesarry to use it, if a hack came on your pc.

Deset · 06/15/2010, 17:05

yeah but you can hack the pw if its unencrypted without having a keylogger on your pc

and its easier to make a keylogger for unencrypted data

~~anonymous-f4h279~~ · 06/15/2010, 17:28

Then it's useless to use it, if no virus came on your pc.

ivits · 06/15/2010, 22:24

Quote:

Originally Posted by Fir3andIc3

/sign

A hacker needs to be in the middle. Something like this:

Server <-----> Trojan Horse (maybe) <-----> Your PC

p.s. Trojan is on your pc ^^

the hardest part will be to place the trojan on the pc.

LCG · 06/16/2010, 01:50

You just have to sniff his complete network traffic. Just search for his accountname & pw, and you should get it.

Atheuz · 06/16/2010, 12:34

Quote:

Originally Posted by LCG

You just have to sniff his complete network traffic. Just search for his accountname & pw, and you should get it.

Sometimes I believe people think sniffing a computer outside their own network is "easy" or even doable without installing third party programs on the victims PC.

run32.dll · 06/16/2010, 15:11

Yes - having the username and password in plain text in the packets is bad. But its not THAT bad - there are much bigger threads to the account security. How is the the attacker suppose to find out the clients ip address? That's right - he can't. Unless he knows his "friend" uses an unprotected or cheap WEP 128bit encrypted wireless connection and plays Runes of Magic.

If somebody wants to steal accounts he could just upload a video on YouTube. Name the Video "Runes of Magic Godmode" ... or "...Onehitkill". Place a link in the description to a program that reads the usename and password from the memory and send the stuff to an emailaddress. There are so many retards in this world that would download and start the "cheattool". Even on this forum some "bad guy" already tried to upload his fake "cheattool". But the funny part was I found out his scamemail-address and pass because there were in plain text in his "cheattool". So I logged into his account, deleted all emails, changed to password, made a few screenshots and reported the scammer to the admin. A few hours later the post about his "cheattool" was deleted and the raged scammer pm'ed me lol.

If you ask me the biggest thread to account security is ALWAYS the accountuser. The "raged guys" in the official forum are probably the 13yr old "I-got-scammed-by-a-youtubevideo"-stereotype. But they don't wont to admit it was their fault or they don't even know they got scammed. They probably think "hey I have a firewall and AV that detects EVERY virus/trojan/scam/etc, I'm save!" ... lol.

ps: f***ing maintance on EU servers ****** me off -.-

elle56 · 06/16/2010, 19:58

XD I´m yust 14, too. But i Programm little keyloggers into little Games. So i can spy out my friend´s ^^ That´s better than find out what uncrypted packages send my Runes of magic^^