|
October 7th, 2004, 09:11 PM | #1 |
Join Date: Oct 2004
Posts: 48
|
Huge security risk...
Our forum names are our account logins, why? That's an easy way for a hacker to bypass the biggest part of hacking an account, without our login they can not try and guess the password. Now all they have to do is browse the forum, pick an account and start guessing.
I didn't even want to post here because of it, I've seen it happen with other games that did this, people on the forums being hacked all the time so they would have to change the system, but I had a tech problem so took a chance. Just change it ASAP, set up an alias system like what Anarchy Online has for their forums, very easy to do. It's not too big of an issue as you actually required people to come up with good passwords that won't easily be guessed, but better safe than sorry. Hopefully you also have a system in place that stops IPs from accessing the game if they enter too many wrong passwords in a short amount of time.
October 7th, 2004, 09:49 PM | #2 |
Join Date: Oct 2004
Posts: 81
|
Re: Huge security risk...
I've complained about this a few times already, these boards really are a very amateuristic setup and I too am thinking about no longer visiting these boards for that very reason.
Why use secure https for the game registration when one a few minutes later needs to enter the same username and password into a completely insecure forum? Username and password get transferred to the forum software unencrypted and thus could get picked up at every Internet hop, easily revealing real name and address via the user profile. This forum setup is an invitation to hackers to screw up a number of accounts.
October 7th, 2004, 11:47 PM | #3 |
Join Date: Sep 2004
Posts: 739
|
Re: Huge security risk...
Login information on a non-HTTPS site (no SSL certificate here on forums) does pass your information across in plain text, also, this is a PHP module.
Although I doubt you will see a change in how they do the forums, maybe they will use a VeriSign certificate and at least secure the login itself, which is possible, and not have to SSL the entire forum site. BUT it would take a hacker to put a sniffer against the ryzom.com IP and then make sense of the packets. It's easily fixed, if they decide to spend the $200 for the SSL certificate.
October 11th, 2004, 07:36 PM | #4 |
Join Date: Sep 2004
Posts: 37
|
Re: Huge security risk...
They don't need SSL certificates - gremlins are protecting the user information 24/7...
All times are GMT +2. The time now is 04:45 AM.