Jan 01, 2010, 08:19 PM // 20:19
|
#141
|
Ascalonian Squire
Join Date: Jul 2009
Location: Somewhere in Ascalon
Profession: Me/E
|
Quote:
Originally Posted by Coverticus
He's talking about telling everyone HOW to do this is not the smartest thing.
|
You know the fastest way to get Microsoft, IE, Firefox, or just throw out any random company name here, to fix an exploit?
Publish it.
Otherwise you are talking to a brick wall that will do nothing. Which NCSoft has clearly proven.
|
|
|
Jan 01, 2010, 08:20 PM // 20:20
|
#142
|
Ascalonian Squire
|
Quote:
Originally Posted by Miscreant_Moon
I think it's fairly obvious that sending emails, talking to support, posting on forums, posting on the wiki, talking to people in game, posting on other websites, talking amongst ourselves, telling the devs and so forth has been completely ineffective. Wouldn't you?
|
Not necessarily. Someone in Kamadan was shouting this link in general chat. That is what brought me here and I'm glad. But there will be dishonest people out there who, once they realize they can do this, will try it. Someone at NC Soft/ANet needs to step to the plate and fix this ASAFP. It sounds like an easy fix.
|
|
|
Jan 01, 2010, 08:20 PM // 20:20
|
#143
|
Older Than God (1)
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
|
Quote:
Originally Posted by jiggles
I would just like to throw the idea out there that telling every single person possible how to potentially hack GW accounts does not seem like the smartest plan ever...
|
The idea is that once something like this hits the public domain, the company is forced to respond immediately with all available resources. To do otherwise is negligence.
|
|
|
Jan 01, 2010, 08:24 PM // 20:24
|
#144
|
Frost Gate Guardian
Join Date: Mar 2007
Guild: Pandas of a Thousand Gentlemens or Something [LOD]
|
Sunlight is the best disinfectant. As they say.
|
|
|
Jan 01, 2010, 08:28 PM // 20:28
|
#145
|
Lion's Arch Merchant
Join Date: Jan 2006
Guild: The Zodiac Elites [TZE]
Profession: Mo/
|
Quote:
Originally Posted by Miscreant_Moon
You know the fastest way to get Microsoft, IE, Firefox, or just throw out any random company name here, to fix an exploit?
Publish it.
Otherwise you are talking to a brick wall that will do nothing. Which NCSoft has clearly proven.
|
I wasn't arguing with you Moon, just stating. And yes, I agree that placing a bug/hack/exploit into the full domain as such is usually a good thing. But there are always pros and cons to doing anything like this.
It just makes me cringe how much information is actually available to the hacker.
|
|
|
Jan 01, 2010, 08:29 PM // 20:29
|
#146
|
Wilds Pathfinder
Join Date: Apr 2006
Guild: [DVDF] Gp
Profession: Me/A
|
Well RED ENGINE GORED ENGINE GORED ENGINE GORED ENGINE GO me sideways!
If this is legit... I'm thankful my account has crap all of worth on it.
|
|
|
Jan 01, 2010, 08:31 PM // 20:31
|
#147
|
Desert Nomad
Join Date: Sep 2007
Profession: N/
|
Quote:
Originally Posted by Martin Alvito
The idea is that once something like this hits the public domain, the company is forced to respond immediately with all available resources. To do otherwise is negligence.
|
I agree, but what if in the time it takes them to fix the bug I'm hacked/you're hacked/loads of other people are hacked? Acceptable losses because the masses got to know what's going on, and how there is nothing they can do about it? (in terms of unlinking accounts etc.) I'd much rather less than 1/4 of the people looking at this thread knew about this bug, it's safer for everyone that way. There are always going to be the douches out there who are going to exploit this bug for all they can get before it is fixed. And I would rather not risk 4 years of my life so Anet/NCsoft get some bad press and are forced to reply to an issue faster.
|
|
|
Jan 01, 2010, 08:32 PM // 20:32
|
#148
|
Ascalonian Squire
|
You know what? Hell with helping the community. I just got told by a dozen people to shut up and quit posting the link in general chat in Kamadan. Let them be hacked.
|
|
|
Jan 01, 2010, 08:34 PM // 20:34
|
#149
|
Ascalonian Squire
Join Date: Jul 2009
Location: Over there
Profession: W/E
|
Um... am I the only one thinking that this has just told many people how to easily hack people's accounts...
|
|
|
Jan 01, 2010, 08:38 PM // 20:38
|
#150
|
Ascalonian Squire
|
Quote:
Originally Posted by Chaos Beserker
Um... am I the only one thinking that this has just told many people how to easily hack people's accounts...
|
No.
Wonder how many people are clicking login/logout in the ncsoft master account site.
Edit: Would being logged in to the ncsoft master account 24/7 prevent someone else from doing so?
Last edited by The build master; Jan 01, 2010 at 08:45 PM // 20:45..
|
|
|
Jan 01, 2010, 08:41 PM // 20:41
|
#151
|
Forge Runner
Join Date: Feb 2006
Location: Belgium
Guild: PIMP
Profession: Mo/
|
For the time being, shut the site down maybe!?
|
|
|
Jan 01, 2010, 08:43 PM // 20:43
|
#152
|
Furnace Stoker
Join Date: Jan 2008
Profession: Mo/
|
Wait a minute... can someone explain this to me? So the new character name thing does absolutely no good if you have ever filed a support ticket with Anet, because the hacker will have access to all your closed support tickets and therefore will have your character name?
|
|
|
Jan 01, 2010, 08:44 PM // 20:44
|
#153
|
Lion's Arch Merchant
Join Date: Apr 2005
Location: in my house
|
Quote:
Originally Posted by Tiramos Caesar
I just looked again and I have nothing on the right side. I went through all the links and cannot find anything other than my personal information I have listed which is bogus anyhow. Does it sound like I'm in the clear?
|
Yeah... It means your GW account is not linked to NCsoft.
Quote:
Um... am I the only one thinking that this has just told many people how to easily hack people's accounts...
|
And will most likely force NCSoft to start doing something.
|
|
|
Jan 01, 2010, 08:45 PM // 20:45
|
#154
|
Forge Runner
Join Date: Jun 2006
Location: VA
Profession: Mo/
|
Quote:
Originally Posted by Gun Pierson
For the time being, shut the site down maybe!?
|
Pity that this was released on January 1, which is a holiday for most businesses. Most likely no one is working in the office. For the hat fix, it even sounded like Anet had to call in a couple of the programmers to the office to fix it.
|
|
|
Jan 01, 2010, 08:46 PM // 20:46
|
#155
|
Academy Page
Join Date: Oct 2009
Guild: Warriors Of The Flaming Fist [WFF]
Profession: Me/
|
Not happy with this news at all. Been reading the thread all day and wondering just how such a blatant security flaw has escaped a fix for so long.
Anyway to my point; what can we do now to limit the chances of a breach? I don't want to take chances any more than the next guy.
|
|
|
Jan 01, 2010, 08:47 PM // 20:47
|
#156
|
Grotto Attendant
Join Date: Jun 2006
Location: Europe
Guild: The German Order [GER]
Profession: N/
|
Bad sanitization leading to pre-setting session object with some other session data?
Chances of this are astronomical ... you could get way more server crashes or simply all out weird account data. If session object were not sanitized or pointer got weirded out, they would get what would look like random data most of the time, you would likely not be able to log in, ever.
Session theft ... race condition, that sounds plausible, but how is that even possible to write that way? Complete lack of (synchronized)? Again, likely to crash or to steal sessions way too often (i.e. nearly always) ...
I thought they wrote it in .net anyway ... garbage collection and no direct pointer handling would prevent accidental accessing of the "right" object, and session theft, well, surely it has thread locks. Without thread locks, this kind of system kind of dies the moment several users access it.
Still can't see how this would happen without caching or
---
Anyhow:
If you manage to steal session or to recover session by accident, it means that target account was logged to plaync recently.
So, your protection would be *not* to log in to plaync.
|
|
|
Jan 01, 2010, 08:50 PM // 20:50
|
#157
|
Forge Runner
Join Date: Feb 2008
Guild: The Warrior Priests [WP]
Profession: Me/Rt
|
Oh, NCSoft, how you never fail to disappoint.
I really would love to see a response, but as mentioned earlier in the thread, it's probably best that they don't for legal reasons.
|
|
|
Jan 01, 2010, 08:51 PM // 20:51
|
#158
|
Forge Runner
Join Date: Jan 2006
Location: On Earth
Profession: W/P
|
Quote:
Originally Posted by zwei2stein
So, your protection would be *not* to log in to plaync.
|
Thank goodness I'm a lazy SOB. I never log into PlayNC's site.
|
|
|
Jan 01, 2010, 08:52 PM // 20:52
|
#159
|
are we there yet?
Join Date: Dec 2005
Location: in a land far far away
Guild: guild? I am supposed to have a guild?
Profession: Rt/
|
I like that last part "not logged in recently"
as I have had no reason to visit their shady site since the dumb free storage (that took almost a MONTH to get).....though had a ticket from when they messed up factions (remember that one?????) but that's what, 4 years ago now?
we need to sever our ncsoft link to gw! I have NO NEED of their LACK of secure website (and no PR person will convince me otherwise----since HALF of the accounts that were hacked WERE linked--stats can be read either way....and why oh why are they trying to find ONE source????? /facepalm and /headonbrickwall).
hope they are at least READING this thread.
__________________
where is the 'all you can eat' cookie bar?
|
|
|
Jan 01, 2010, 08:53 PM // 20:53
|
#160
|
Krytan Explorer
Join Date: Mar 2008
Location: England
Profession: Me/
|
It's all very well saying we want ANet to close down the website, or to unlink GW from the master account, but it's not in ANet's hands. Can you imagine how much shit the head of ANet would be in if they did that without permission from NCsoft? It's purely down to NCsoft to sort this one out and you can bet your ass they won't do it any time soon - their track record on customer support doesn't exactly inspire confidence.
I will only buy GW2 if ANet either separates itself from NCsoft, or at the very least if it's not a requirement to link the game to an NCsoft account in order to benefit from the GW1 HoM. I'm not going through this worry again over a game.
|
|
|
All times are GMT.
|