Hacked Accounts
" Oracle was adamant that Java 7 had no sec problems either, and now people are getting compromised all over the place because of drive-by rooting. Software sucks, and it happens. The most frustrating part of this all for me is that two very valid and relatively trivial changes have been proposed and GGG hasn't seemingly bothered to investigate or comment on either. 1) Don't store password hash in game memory during session 2) Don't store password hash in the clear in a text file (or anywhere) if that's all you need to log in to an account (which is currently the case). A patch could be written for the above two within an hour or two and would at least break any exploits that rely on either of the two above mechanisms (more likely the first). It wouldn't necessarily patch whatever vulnerability, if any, is being used for information gathering, but it could reduce the value of that as an attack vector and band-aid any potential exploit issue. ign: SeriouslySRSLY
|
|
" The latter is also easy to exploit. I wouldn't be surprised if some accounts are compromised that way. Example given - the file is in a location that is shared by default on some Windows desktop versions, and many POE players might be running P2P gaming VPN solutions such as Tunngle or Hamachi, inadvertently exposing the file to outside of their LAN. Not to mention many browser components can access and read files in the directory. |
|
" Yes, I agree it's not secure. I suppose my point is that I think the more likely attack vector is the client itself rather than the user OS. It's very possible that there is an exploit for this out there, though. ign: SeriouslySRSLY
|
|
"People absolutely did SOMETHING for this to happen. They're just too stupid to know what it was, most likely because they were tricked into it. There's basically two types of people that got hacked, people that invited it and did something stupid like downloading a (fake) map hack program and people that didn't even realize they gave away their account information (aka, got phished or reused their email/password that they used somewhere else that got compromised). If you don't think you are one of these groups, you're absolutely in the 2nd group and you're ignorant of your mistake. EDIT: I'll add that a lack of computer security lands you in the 2nd group, as well. How Fusings Work: http://www.pathofexile.com/forum/view-thread/38585/page/3#p1451934 IGN: TheHammer Last edited by TehHammer#0539 on Feb 21, 2013, 5:45:33 PM
|
|
" This is indeed possible. All I'm saying is that the OTHER option is also POSSIBLE; that the hackers aren't able, or choose not, to target specific high-level players. Invited to Beta 2012-03-18 / Supporter since 2012-04-08
|
|
" Yes, I suppose you're right. The only reason I made that other comment is because there are some here who seem to be adamantly denying that anything other than user stupidity could be to blame, and there have been a couple very good ideas as to other ways the information could be getting leaked, which have nothing to do with user issues (or passwords at all, for that matter). Invited to Beta 2012-03-18 / Supporter since 2012-04-08
|
|
" TehHammer, you are mistaken here. While it is true that most username/password tuples are gleaned in this fashion, there are often software exploits that involve vulnerabilities in the software itself. Nobody gets a rootkit installed on their machine because they got their WoW password phished, for example. It's naive to think that these two methods are the only ways to compromise an account, and saying so is damaging in this context, because doing so attempts to discredit other valid points that GGG really needs to look into. Edit: If there is a vulnerability, you may need only to log in to be exposed. I suppose you can argue that is "SOMETHING". ign: SeriouslySRSLY Last edited by Thrombo#7609 on Feb 21, 2013, 5:47:12 PM
|
|
-image removed-
hahahahahahahaha all these -edit- dling obv hacks and playing it off by saying someone hijacked their account Last edited by peachii#3920 on Feb 21, 2013, 5:55:35 PM
|
|
" I am currently trying to pry my palm away from my face. I have to commend you though. At least you're up front about your stupidity. Last edited by peachii#3920 on Feb 21, 2013, 5:55:51 PM
|
|
" I am arguing that you are completely wrong in your assessment of how people are getting hacked. There is no way people are simply "logging in" to get hacked. If that was the case, the high end players with tons of currency would be the first to get hacked as that's where the profit lies. The sample of who is getting hacked is absolute proof that they aren't hand picking those who "log in" and stealing their info. People are getting hacked because they are doing something stupid, in many cases, they don't KNOW they're doing something stupid. That's called ignorance. Of course they claim they did nothing wrong, they don't KNOW that they did something wrong. How Fusings Work: http://www.pathofexile.com/forum/view-thread/38585/page/3#p1451934
IGN: TheHammer |
|