Fiesta Fan Forums


MaxOff 02-28-2008 03:50 AM

The bitter Truth
 
First I want to apologize for bruteforcing TEVA, APOLINE, BIJOU and EPITH, and also for abusing the login server for several minutes.
I also want to apologize to the players who I force-disconnected during that time. I hope u aren't mad at me x.x

What I did was attack the Fiesta servers for about 2 minutes. And I want to present my results now.

This is the list of accounts I could hijack. It includes the server I hijacked them on and the characters I gained control of.

hijacked on APOLINE
Avia
Rutice
Rati
Minala

hijacked on BIJOU
Trapt
Nourishing
BiatchQueen
Nourish

hijacked on TEVA
MrEds
Tejei
Megui_br

hijacked on EPITH
the_one

hijacked on EPITH
veronamine
cindylowho

hijacked on BIJOU
RincewindChurm

hijacked on TEVA
Alterio

hijacked on APOLINE
jnsf

hijacked on APOLINE
Keelie
TickTock
Surgeon
_Keelie_

hijacked on TEVA
MrEds
Tejei
Megui_br

hijacked on EPITH
Saints
Potion_maker

hijacked on TEVA
blood1
blood2
xX_blood_Xx
xX_inuasha_Xx

hijacked on APOLINE
Raiha
Regrant
Lekius
Retier

hijacked on EPITH
BumbleBee
Black_Arachnia

hijacked on TEVA
Trophyhunter357
CIRCLEK
faith06
trophyhunter_357

hijacked on EPITH

hijacked on TEVA
SedaLia
Ecstasma
ShoveIt
Glycerine

hijacked on TEVA
kenny89
ken89
Icemage1
Item_maker

hijacked on APOLINE
Dragonfeather
Sashacat
Kellycat
Magiciancat

hijacked on TEVA
NekoHikaru
Kyoto_Asakura
KyotoAsakura
Neko_Hikaru

hijacked on TEVA
DuckeyBR
PegasusBR
_Legolas_BR

hijacked on TEVA
kenny89
ken89
Icemage1
Item_maker

hijacked on BIJOU
Inconnu
Ammytay
lnconu1
Inconu

For everyone who thinks he lost something: That is not the case. Right after I successfully hijacked someone I immediately disconnected, causing no harm to the unlucky people who were hijacked.

I hope that this is enough to convince people that the login weakness IS NO LAUGHING MATTER.


My Reason: Once again Outspark released a patch that did not fix the weakness. I cannot wait any longer. Outspark, I hope u see the warning. I'm not the only one who can find the weakness, and someone else might want to exploit it.

MaxOff

Triumph 02-28-2008 04:18 AM

Got bored?

The only name I recognized from that list was "SedaLia," but even still that name is relatively insignificant.

MaxOff 02-28-2008 04:23 AM

I don't know any of them.

And how can they be insignificant?

Hyper 02-28-2008 04:24 AM

Woah, that's scary... Ô___Ô

Can you PM that to an Outspark GM?

MaxOff 02-28-2008 04:34 AM

I gave them a full description some time ago. The answer was that the acc I sent the report from was immediately banned.

I got the hint, and I will never contact the GMs again. Don't want to have another acc banned.

Zodiac 02-28-2008 04:39 AM

Quote:

Originally Posted by MaxOff (Post 98735)
I gave them a full description some time ago. The answer was that the acc I sent the report from was immediately banned.

I got the hint, and I will never contact the GMs again. Don't want another banned acc.

-.- Just like them to take a helping hand and punish him for trying to get them to realize the error in their own security oi.....

iDerrick 02-28-2008 04:52 AM

Quote:

Originally Posted by Zodiac (Post 98739)
-.- Just like them to take a helping hand and punish him for trying to get them to realize the error in their own security oi.....

Seriously.

@MaxOff: But in any case, what you did was still wrong, and how the GMs saw it, even if it was for good intentions.

MaxOff 02-28-2008 04:57 AM

I tried the nice way, and got rejected. So I waited to see if they would fix it nonetheless. They did not. So I'm showing the public what was ignored.

My only aim is to see that something like that will not be possible anymore.

Laifun 02-28-2008 04:57 AM

SedaLia.. I recognise that name.. I was reading and hoping my name didn't pop up D:

Hyper 02-28-2008 05:05 AM

Quote:

Originally Posted by Laifun (Post 98768)
SedaLia.. I recognise that name.. I was reading and hoping my name didn't pop up D:

LOL me too. >.>;;

NotMyWay 02-28-2008 05:06 AM

I still think you should not disconnect players who might be afk vending or trying to get titles which require them to remain online for long periods of time...

MaxOff 02-28-2008 05:07 AM

The timeframe was 2 minutes, and the ticker was that the person logged into a server. So the chance of being on that list is really low.

AngellicDiety 02-28-2008 09:50 AM

There was a security researcher, Antonio or someone whose name started with "A". He posts up all security-related flaws on the internet. He emails the affected companies with the site, and tells them they need to correct it.

Otherwise the method is completely public. Perhaps a similar stance may help you?

Although many people here would yell at me for proposing such a thing, this security researcher proved it works.

Companies are a little more compliant when the method is out in the open, and you're telling them to fix it.

Hessah 02-28-2008 10:19 AM

Well if u're really considering to post it out in public.. i think u should 1st wait and see if Outspark is planning to do anything about it..

have u worked out a way to stop this weakness?? have u told outspark wat they could possibly do? if u dont hv a solution for the problem u should wait longer

i personally dont recommend u (obviously) to post it in public coz that'll just ruin the whole thing for everyone... as it will be more than likely land in MANY bad hands...

a problem could probably be fixed without making it worse for everyone... it'll be very much appreciated if u dont take the dangerous approach.

just because one method "works" doesnt mean its the best way to deal with the problem.

AngellicDiety 02-28-2008 10:27 AM

Quote:

Originally Posted by Hessah (Post 98927)
Well if u're really considering to post it out in public.. i think u should 1st wait and see if Outspark is planning to do anything about it..

have u worked out a way to stop this weakness?? have u told outspark wat they could possibly do? if u dont hv a solution for the problem u should wait longer

i personally dont recommend u (obviously) to post it in public coz that'll just ruin the whole thing for everyone... as it will be more than likely land in MANY bad hands...

a problem could probably be fixed without making it worse for everyone... it'll be very much appreciated if u dont take the dangerous approach.

just because one method "works" doesnt mean its the best way to deal with the problem.


Unfortunately, Hessah, that's not how companies think. If they believe it's a localized problem, then from a corporate standpoint it's best just to brainwash your clientele, and give the appearance of no problems. In most cases you ignore the problem.

It's a business.

Companies respond to action. If everyone knows how to do it, they will be more pressed to fix it.

This security researcher Luigi Auriemma proved the concept works:

http://aluigi.altervista.org/

Furthermore, it's not the job of a security researcher to fix the problem. Only point out the problem. None of us have the Fiesta game code, the thing you need to be able to fix the problem.

booyah8876 02-28-2008 10:49 AM

SedaLia is in Goids_of_Guilds, and she just got married to HELLGUNDAM.

Best not be messing with her ^^

Alanna 02-28-2008 11:10 AM

...

Aerythia 02-28-2008 11:12 AM

Wow... I was looking down thinking "hope my name isn't there" also...

But to be honest, although what you did was wrong, the fact remains that it CAN be done, and that is a disquieting thought. The reaction of Outspark to your PM was pretty much expected though :P. Maybe what would make them sit up and pay attention would be if you hacked a GM account ;). *Maybe* they would listen :P. Of course *DISCLAIMER* I don't condone any sort of hacking, that stuff is bad, very bad!

Either way, expect more expensive additions to the Cash Shop before they deal with this issue ^^.

~Aerythia

NotMyWay 02-28-2008 11:14 AM

If it's posted in public, it may fall into the hands of the botters who will probably hijack accounts to advertise or hack their gold...

Could you hijack a GM's account and use that account to tell them the security loopholes?

Alanna 02-28-2008 11:14 AM

Quote:

Originally Posted by Aerythia (Post 98952)
Wow... I was looking down thinking "hope my name isn't there" also...

But to be honest, although what you did was wrong, the fact remains that it CAN be done, and that is a disquieting thought. The reaction of Outspark to your PM was pretty much expected though :P. Maybe what would make them sit up and pay attention would be if you hacked a GM account ;). *Maybe* they would listen :P. Of course *DISCLAIMER* I don't condone any sort of hacking, that stuff is bad, very bad!

Either way, expect more expensive additions to the Cash Shop before they deal with this issue ^^.

~Aerythia

Yeah hack a GM account and they find you within mins.

NotMyWay 02-28-2008 11:16 AM

Quote:

Originally Posted by Alanna (Post 98955)
Yeah hack a GM account and they find you within mins.

Of course, if you want to use this method, you would have to make an alt, and use a proxy IP... But even then I'm not sure if that would be untrackable...

Alanna 02-28-2008 11:24 AM

Quote:

Originally Posted by NotMyWay (Post 98956)
Of course, if you want to use this method, you would have to make an alt, and use a proxy IP... But even then I'm not sure if that would be untrackable...

:rolleyes:So True But Yet A Lie:rolleyes:

Hessah 02-28-2008 11:25 AM

-nod- i'm sure there are other ways to get the GM's attention rather than a method that might land this in bad hands...

Alanna 02-28-2008 11:26 AM

Quote:

Originally Posted by Hessah (Post 98963)
-nod- i'm sure there are other ways to get the GM's attention rather than a method that might land this in bad hands...

Good Luck With That...

NotMyWay 02-28-2008 11:27 AM

done spamming?

AngellicDiety 02-28-2008 11:36 AM

Quote:

Originally Posted by Hessah (Post 98963)
-nod- i'm sure there are other ways to get the GM's attention rather than a method that might land this in bad hands...

I'm sorry for resorting to such a drastic analogy.

But actions speak louder than words.

If you've taken a bit of history, people knew what was going to happen in the World War II era. It wasn't until the actions that the world paid any sort of attention to the discrimination against Jewish people.

I'm not saying action is always right to take. I'm simply stating that it speaks.

Perhaps, so, that SKiNG finally decided to register with these forums this morning.

Belaslav 02-28-2008 12:01 PM

Wow... 2 minute non stop bruteforce? No wonder I lagged like crap.

MaxOff 02-28-2008 03:21 PM

Hacking a GM account would not solve the problem. Not only is the code I use way too aggressive, making it nearly impossible to log in for everyone (including GMs I guess).
It also uses a different interpretation of the net code that is not compatible with the original client. So if I wanted to transfer a session I hijacked to the client, it would be a lot of work.

But there is a 2nd weakness in the map servers (nearly identical to the 1st one), that might be better for the purpose of hijacking a specific character.

But I don't want to fight the GMs. So it's out of the question!

Still, it's sad that I had to go public. I really gave them a chance to fix it quietly.

toolrocket 02-28-2008 03:47 PM

Max, how long do you "give" them to fix it? and what gives you the right to put Outspark in that position?

MaxOff 02-28-2008 03:57 PM

I gave them about a month. Considering the response, I think that's more than enough time.

Zodiac 02-28-2008 04:05 PM

Quote:

Originally Posted by toolrocket (Post 99070)
Max, how long do you "give" them to fix it? and what gives you the right to put Outspark in that position?

The Right to demand a safe secure game, and your right to make sure that it is.

toolrocket 02-28-2008 04:22 PM

Zodiac, you may have something there.

I just don't think hacking the login server and blindsiding Outspark by publicly exposing a potential flaw is the right way to go about doing it.

Yosei 02-28-2008 04:28 PM

I agree. I personally think Max shouldn't have posted all of the accounts he hijacked. I mean, maybe PM it to a GM, but here.. =/

Zwivix 02-28-2008 04:45 PM

idk I have mixed feelings on this... it was something that had to be shown so they could fix it... but still that was probably not the best way to do it...

I just hope they fix this and it never happens again...

Amanda2_0 02-28-2008 04:56 PM

He is merely making the public aware of the security vulnerabilities, as obviously Outspark is completely ignoring them. However, even if they fix the problems that will never make the game hack proof. Any security system can be tricked and in some cases completely bypassed. However, what I find funny about this is that most security systems are intelligent enough to detect brute force techniques or prevent them altogether. But considering this is not a login server for a bank... security is not a top priority.

Zwivix 02-28-2008 05:00 PM

I don't find any of this funny... we all have to take this very seriously because next time it could be any of our accounts being taken.

Airus 02-28-2008 05:49 PM

I think Maxoff is doing the right thing, just as long as he knows he has gotten the message to a good portion of the staff rather than just one guy who was an ass and banned his account.

Zodiac 02-28-2008 06:09 PM

Going public was done to force them to do something and respond, given the fact that he had messaged a GM and they did absolutely nothing; therefore forcing action by a public posting was a move that is logical and justified.

Kathrynne 02-28-2008 06:12 PM

Quote:

Originally Posted by Yosei (Post 99088)
I agree. I personally think Max shouldn't have posted all of the accounts he hijacked. I mean, maybe PM it to a GM, but here.. =/

Actually I'm kinda glad he did... I found Saints in Epith today and warned him to change his password, he had no clue about it. ;) Hopefully we can make sure everyone on this list knows.

MaxOff 02-28-2008 06:16 PM

Changing your pw won't do anything.

U can have the most secure name/pw combination that ever existed, and u could still be hijacked. It's like when u drive a car, and someone forces u out of the car. A better/different car key would not help at all.

The only difference is that I don't have a gun in my hands when I hijack your session. Instead I send forged requests to the world servers, pretending that I'm someone else.
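
The point made in the post above, that a stronger password does not help when a world server accepts forged session requests, seen from the defender's side. This is an added example, not part of the thread and not Outspark's code; the thread does not describe the real protocol, so the login-to-world-server ticket, the function names and the limits below are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical design: the thread does not describe the game's real protocol.
HANDOFF_KEY = secrets.token_bytes(32)  # secret shared by login and world servers
TICKET_TTL = 30       # seconds a ticket stays valid
MAX_FAILURES = 5      # bad tickets tolerated per source address
_used_nonces = set()  # tickets already redeemed (single use)
_failures = {}        # source address -> rejected tickets (a real server would expire these)

def _tag(account, client_ip, expires, nonce):
    msg = f"{account}|{client_ip}|{expires}|{nonce}".encode()
    return hmac.new(HANDOFF_KEY, msg, hashlib.sha256).hexdigest()

def issue_ticket(account, client_ip, now=None):
    """Login server: call only after the password check has succeeded."""
    now = time.time() if now is None else now
    expires = int(now) + TICKET_TTL
    nonce = secrets.token_hex(16)  # 128 random bits, not a counter or timestamp
    return f"{account}|{expires}|{nonce}|{_tag(account, client_ip, expires, nonce)}"

def _verify(ticket, client_ip, now):
    parts = ticket.split("|")
    if len(parts) != 4:
        return None
    account, expires, nonce, tag = parts
    expected = _tag(account, client_ip, expires, nonce)
    # Constant-time compare; the tag covers the account and the source address.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    if int(expires) < now or nonce in _used_nonces:
        return None  # expired, or already redeemed once
    _used_nonces.add(nonce)
    return account

def accept_ticket(ticket, client_ip, now=None):
    """World server: return the account name, or None if the request is refused."""
    now = time.time() if now is None else now
    if _failures.get(client_ip, 0) >= MAX_FAILURES:
        return None  # guessing source is locked out, valid ticket or not
    account = _verify(ticket, client_ip, now)
    if account is None:
        _failures[client_ip] = _failures.get(client_ip, 0) + 1
    return account
```

Binding the ticket to the source address fails for clients whose address changes between the login and world connections; such a deployment would bind to a per-connection secret instead.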


All times are GMT.