Do not share POESESSID values with other people

"
KuuHaKu_OtgmZ wrote:
"
zfate wrote:
GGG really needs to take a stand against the new PoE tool that just basically automatically will buy you new/better gear.

Who's even playing at that point, shut that shite down!


Funny enough, the same could be said to build guides - the gear is basically sorted for you, all you need to do is follow the precisely crafted path until you reach them.

Oh the hipocrisy.


Except that to make a guide someone actually needs to play the game and check if everything is working. There are many guides out there made by people who didnt even play said build and just PoB thinking it works. Same with updating said guides, people update guides from patch to patch without trying them out, they just tick few things in PoB and job done.
"
Stybbe wrote:
"
zfate wrote:
GGG really needs to take a stand against the new PoE tool that just basically automatically will buy you new/better gear.

Who's even playing at that point, shut that shite down!


They're are the ones that allow weight search on their trade site. None search on weight except scripts


There are people who do it. I've seen Mathil use it, people on friendly discord channel also do it.
"
Glowy wrote:
"
bigtoaster64 wrote:

Im curious, in which case PoB does require a session ID to do something? As far as I know, it only retrieve account infos that are public, nothing private (which wouldn't make sense for what PoB is). And I don't see any case where it would require a private access to an account.
If your account is private, such as mine, and you want to load a character up on PoB, you would need to enter your POESESSID in order to give the program access to view your account.


Thanks for the info, wasn't aware of that feature in PoB.
"
Tenzarin_MyNameWasTaken wrote:
Hang on what's stopping people from just brute forcing possessids, if theres no 2fa????


It takes too much time and compute power to brute force one session ID, so no hackers will ever try to do that. Despite what most people are saying here, 2FA would not protect you, simply because you need to first login (and so complete the 2FA) on GGG's website to then manually give the session ID to a 3rd party app. Meaning, at that point they could do anything they want with it, cause you basically authorized them to do so on behalf of you (bypassing 2FA basically). It's exactly like if you open up your bank account and give it to someone else and cross you finger that they won't simply just spend all of your money. GGG's solution of using OAuth is the way to go here for 3rd party tools, not 2FA, because you can customize the access you grant and revoke them easily, instead of blindly giving up your whole account. 2FA is only a end-user protection, but it doesn't apply to the 3rd party actors.
I read Posiedon... I'm like "THE GOD OF THE SEA!?" :O
"
Vendetta wrote:
"
Amarantha wrote:
"
Gorinnosho wrote:
PUT AN AUCTION HOUSE IN THE GAME ALREADY


No thanks, trade is fine as it is.
You don't realize how bad an auction house would be for this game.


Please explain how others are wrong and you are right and entitled to be the one who enforces the opinion ... Also explain why auction house would be bad while you are at it.


Not to add to much fuel to this dumpster fire, but just a few examples would be easily seen in ESO, and New World.

If you think selling bots here in this game are bad/annoying, just imagine Buying bots in an auction house. Every item you want at a decent price INSTANTLY sniped. Every time you go to buy / sell something the same item is priced under/over your order INSTANTLY for +/- 1 chaos.

The grass is always greener on the other side of the fence, and in this case a lot of people don't think about just how bad it could be. Yes there are benefits to an AH, but there SO many downsides as well.

Again, you can see just these few examples in current AH games.
Last edited by JediWabbit#3091 on Dec 14, 2022, 4:31:51 PM
perhaps GGG should take more responsibility for their game and provide more tools for the community to use?

not using 3rd party apps like PoB, Exilence Next et al renders the game nearly unusable.

Shouldn't be the burden of the community to provide most of the functionality for the game.

Sigh.
"
Glowy wrote:
...If your account is private, such as mine, and you want to load a character up on PoB, you would need to enter your POESESSID in order to give the program access to view your account.

This is a security abuse, to do that are other methods mentioned.
"
nl_atole wrote:
If we shared this in the past is there something we can do to protect our account?

Maybe there is need of implementation of disconnecting from all machines.
"
Restryouis wrote:
Oh no, it's almost like GGG shouldn't let third party tools fix their game.

There is nothing to do with that. There is a problem with authentication abuse of an application in forbidden way.
"
etacarinae93 wrote:
perhaps GGG should take more responsibility for their game and provide more tools for the community to use?....

To do that are official methods, there is no need to use security risk method not allowed, and officially known as wrong.
🌞 Designer of SimpleFilter see My Item Filters 🌞
🌞 I treat PoE as an art 🌞
Last edited by koszmarnica#7777 on Dec 14, 2022, 6:49:12 PM
"
ScopioX wrote:
So... damage dummy in upcoming patch ?

I mean dont wanna rant on the same thing, but no test dummy, no death recap, tooltip not accounted for many things, craft rate is bad...
so many hidden bugs...
and ur telling me to not use pob...

unless this is not pob related xD then sorry


Litteraly no one said that.

I only know 2 tools that uses POESESSID : Chaos recipe enhancer, and 1 functionnality of PoB.
U can play without Chaos recipe enhancer, it's not necessary (If u really want to use it, just get the filter and then reset the POESESSID), and on PoB it's a niche feature I think (I don't use it, I don't know if it's reallt that useful), but you can use PoB without using it, and so without providing the POESESSID
What the hell kind of security review does your sites and services go through to allow such a useful value be easily obtained in a few clicks?? As a software engineer I would never save a key like that on the client. If it HAS to be stored in the client, encode it as a JWT signed with a secret that only you have! This is web dev 101 folks.
Last edited by MastaSp3kta#4927 on Dec 15, 2022, 11:52:00 AM

Report Forum Post

Report Account:

Report Type

Additional Info