Account Hackings - The Source
Bob Slydell
Well I think it's about time. We now have the cold hard evidence, now the question...is...what do we all do about it? Can we all make NC soft aware of our concerns...can we boycott something? What can WE do now? Because something needs to be done. And NC isn't going to fix it until their players start doing something that makes them lose money, money talks.
Martin Alvito
Beg, borrow or steal an unlinked account and put your valuables on it.
That is the only option available to you.
Juhanah
Quote:
And will having a different email accounts on gw and plaync be beneficial?
|
Anyone that gets to your account in NCSoft can see all your entered personal and account information and can change every password by just entering a new one and clicking submit.
So if you have any personal stuff written there, I suggest you remove it.
And for the GW account.. We can't do anything else than wish NCSoft will get its head out of its behind and start being the "biggest gaming company" they pretend to be.
rb.widow
Wow, just wow. I can't believe they know about this and haven't done a thing to prevent it; I guess adding a char name on login was just a way to make people think they were on top of it.
I don't think I'll bother going to get GW2 on release, as if this is how they are dealing with a very serious security breach (caused by them) then I don't hold out any hope for GW2, and I refuse to pay for a game that can be stolen from me on day 1 because they won't get their act together.
Riot Narita
Bob Slydell
Quote:
Wow, just wow. I can't believe they know about this and haven't done a thing to prevent it; I guess adding a char name on login was just a way to make people think they were on top of it.
I don't think I'll bother going to get GW2 on release, as if this is how they are dealing with a very serious security breach (caused by them) then I don't hold out any hope for GW2, and I refuse to pay for a game that can be stolen from me on day 1 because they won't get their act together. |
DoomFrost
I seriously can't support a company that has such faulty security. I'll just go to another MMO and not deal with this. Sorry ANet, as long as you're under NCSOFT, I won't be buying GW2 when it's released. HAHAHAHAHA
Kerwyn Nasilan
Anyone have a legitimate way of telling the mass of the GW populace besides TRYing to talk through the mass that is All Chat?
Bob Slydell
Just keep pushing this URL to anyone you meet in groups in GW, and for all chat tell them to go look in the top forum posts when in ALL chat. I like the idea of trying to get the word out into GW.
Pandora's box
They should implement a feature that shows us if (and then how many times) someone tried to access our account since the last time we logged on, either using a wrong password or a wrong chr. name. Something like Battlenet did. That would give an indication of how serious this problem is. Now everyone is just guessing.
Diana Belevere
Tiramos Caesar
Quote:
No because your accounts are listed on the menu on the right.
Anyone that gets to your account in NCSoft can see all your entered personal and account information and can change every password by just entering a new one and clicking submit. So if you have any personal stuff written there, I suggest you remove it. And for the GW account.. We can't do anything else than wish NCSoft will get its head out of its behind and start being the "biggest gaming company" they pretend to be. |
shump
Very interesting read. I had my account hacked not too long ago and got cleared out, and it really made me question my own security. The fact that GW is dying, not that many people play it anymore, and the amount of accounts getting hacked is astonishing to me. I have heard many stories, seen many threads of way too many accounts getting hacked for it to be everyone's fault and not ANet/NCSoft somewhere along the line.
Being an IT security major I really didn't find it to be practical for someone to have keylogged me to steal only my Guild Wars account, because why not steal my PayPal account or credit card information, especially if they are from overseas; just proxy from some 3rd world country and you're safe from justice pretty much. Also, what are the chances of one of these RMT successfully distributing a keylogger that is hidden in something that is appealing to GW players and not anyone's antivirus or firewall detects it? I can assure you that I haven't downloaded anything that could have resulted in my account being compromised this way.
The only other option would be the same email password on some other site that had a security flaw (by ANet's standards, since they know GW is 100% secure..... whatever happened to that custom GW LP where someone reverse engineered the game?)
Seems reasonable; vBulletin and other things are known to have many exploits, so perhaps maybe some GW fansite or something completely unrelated to GW.
My GW account no one knows or would be able to guess what it is because it was a very old email address, and no, my GW password was not the same as all my other passwords.
Quote:
Here's one possibility: Improper pointer to a memory address that is not properly allocated and preserved for the duration of the pointer. When the number indexing that account in the database is calculated, it gets stored at that address. Then the memory gets released. Then the pointer comes by and references it. If the system doesn't happen to reuse that memory address for anything in the meantime, the correct value is still there, and the pointer returns the correct value exactly as planned. If the system has reused it, the value is essentially random, and the pointer returns a random value. Hard bug to catch and fix, since sometimes -- even usually -- it works just fine, and the condition that triggers incorrect behavior is wholly external to the program or its inputs.
I'm sure there's thousands of other programming errors that could produce a similar result. That's just the one that came to my mind. |
Very nicely stated, you sound just like my teacher.
This exploit with being able to access anyone's account seems very practical. Being a novice programmer I have seen first hand problems in my own code where things worked once and then another time somehow had stale data because of some logical error of some sort.
I also had heard of a problem my friend had with an iPhone game he was making for a class where, after he closed the game and reopened it, it somehow saved his previous score one time.
byteme!
Maybe ANet should remove the stupid price tag, suck it up and let us all change our in-game names for free for a limited time or something. It's a short-term fix but I'm sure it'll give some people a peace of mind, such as myself. I know it's not ANet's fault but something must be done asap.
greenthumb
Quote:
4. Again, I want to call for EITHER
Let us sever our GW accounts from the NCSoft account OR Remove the NCSoft account's ability to reset the GW password (from the GW side). |
It does seem problematic that ANet/NC Soft does not seem to really acknowledge the issue. See below from Gaile Gray's Account Security Support FAQs. I imagine much of the community doesn't agree and doesn't regard the NC Soft Master Account as adding another level of security to GW's security, given the relative ease in changing the password to the GW account, in that unlikely or even hypothetical situation where the NC Soft Master Account is compromised. The ease of changing the GW account password from the NC Soft Master Account seems to me to be more a security hole than another level of security.
http://wiki.guildwars.com/wiki/User:...count_Security
Quote:
Keep your email secure. If someone gains access to your email account, immediately change your Guild Wars user name and password. (If you can't get access for some reason, get in touch with support right away. If your game account is bound to an NCsoft Master Account, you are not able to change your Guild Wars user name but you can protect your account by changing your GW game password from within the NCsoft Master Account hub. And you can change the email address associated with your NCsoft Master Account (and your games) at any time. Many players feel that having an NCsoft Master Account adds another level of security to the game's security. |
Coverticus
Disable the ability to change the gw password on the site would be the quickest fix for now.
But, in all fairness, until such a time as to this being fixed/proven/disproven etc, the whole functionality for management of accounts, imo, should be taken down from the NCSoft site so that the community (both GW and Aion) can be a little more reassured.
jiggles
I would just like to throw the idea out there that telling every single person possible how to potentially hack GW accounts does not seem like the smartest plan ever...
Emperor Bush
First of all: BLEEP YOU ANET AND NCSOFT
Secondly: Is there a way to just delete my NCSOFT account? I only opened it to get my free storage pane, and it is linked to a GWAMM character.
Thirdly: I don't want that free storage pane. WTT FREE STORAGE PANE FOR A DELETED NCSOFT ACCOUNT.
My best friend in guildwars had his account hacked in the first batch of hackings, prior to Guru removing the ign feature. The 2 of us did everything together, we vanqed every area in the game. He was so frustrated by losing all of his stuff that he no longer plays anymore, and that makes me sad.
Miscreant_Moon
I think it's fairly obvious that sending emails, talking to support, posting on forums, posting on the wiki, talking to people in game, posting on other websites, talking amongst ourselves, telling the devs and so forth has been completely ineffective. Wouldn't you?
Coverticus
Quote:
I think it's fairly obvious that sending emails, talking to support, posting on forums, posting on the wiki, talking to people in game, posting on other websites, talking amongst ourselves, telling the devs and so forth has been completely ineffective. Wouldn't you? |
Miscreant_Moon
Quote:
He's talking about telling everyone HOW to do this is not the smartest thing.
|
Publish it.
Otherwise you are talking to a brick wall that will do nothing. Which NCSoft has clearly proven.
Tiramos Caesar
Quote:
I think it's fairly obvious that sending emails, talking to support, posting on forums, posting on the wiki, talking to people in game, posting on other websites, talking amongst ourselves, telling the devs and so forth has been completely ineffective. Wouldn't you?
|
Martin Alvito
The idea is that once something like this hits the public domain, the company is forced to respond immediately with all available resources. To do otherwise is negligence.
Emperor Bush
Sunlight is the best disinfectant. As they say.
Coverticus
Quote:
You know the fastest way to get Microsoft, IE, Firefox, or just throw out any random company name here, to fix an exploit?
Publish it. Otherwise you are talking to a brick wall that will do nothing. Which NCSoft has clearly proven. |
It just makes me cringe how much information is actually available to the hacker
maxxfury
Well RED ENGINE GORED ENGINE GORED ENGINE GORED ENGINE GO me sideways!
If this is legit...I'm thankful my account has crap all of worth on it
jiggles
I agree, but what if in the time it takes them to fix the bug I'm hacked/you're hacked/loads of other people are hacked? Acceptable losses because the masses got to know what's going on, and how there is nothing they can do about it (in terms of unlinking accounts etc)? I'd much rather less than 1/4 of the people looking at this thread knew about this bug; it's safer for everyone that way. There are always going to be the douches out there who are going to exploit this bug for all they can get before it is fixed. And I would rather not risk 4 years of my life so ANet/NCsoft get some bad press and are forced to reply to an issue faster.
Tiramos Caesar
You know what? Hell with helping the community. I just got told by a dozen people to shut up and quit posting the link in general chat in Kamadan. Let them be hacked.
Chaos Beserker
um......am I the only one thinking that this has just told many people how to easily hack people's accounts.....
The build master
Quote:
um......am I the only one thinking that this has just told many people how to easily hack people's accounts.....
|
Wonder how many ppl are clicking login/logout on the NCSoft master account site.
Edit: Would being logged in to the NCSoft master account 24/7 prevent someone else from doing so?
Gun Pierson
For the time being, shut the site down maybe!?
Tramp
Wait a minute... can someone explain this to me? So the new character name thing does absolutely no good if you have ever filed a support ticket with ANet, because the hacker will have access to all your closed support tickets and therefore will have your character name???????????????
Juhanah
Quote:
I just looked again and I have nothing on the right side. I went through all the links and cannot find anything other than my personal information I have listed which is bogus anyhow. Does it sound like I'm in the clear?
|
Quote:
um......am I the only one thinking that this has just told many people how to easily hack people's accounts..... |
Enko
Pity that this was released on January 1, which is a holiday for most businesses. Most likely no one is working in the office. For the hat fix, it even sounded like ANet had to call in a couple of the programmers to the office to fix it.
merciless_mike
Not happy with this news at all. Been reading the thread all day and wondering just how such a blatant security flaw has escaped a fix for so long.
Anyway to my point; what can we do now to limit the chances of a breach? I don't want to take chances any more than the next guy.
zwei2stein
Bad sanitization leading to pre-setting a session object with some other session's data?
Chances of this are astronomical ... you could get way more server crashes or simply all-out weird account data. If session objects were not sanitized or a pointer got weirded out, they would get what would look like random data most of the time; you would likely not be able to log in, ever.
Session theft ... race condition, that sounds plausible, but how is it even possible to write it that way? Complete lack of (synchronized)? Again, likely to crash or to steal sessions way too often (i.e. nearly always) ...
I thought they wrote it in .NET anyway ... garbage collection and no direct pointer handling would prevent accidental accessing of the "right" object, and session theft, well, surely it has thread locks. Without thread locks, this kind of system kind of dies the moment several users access it.
Still can't see how this would happen without caching or
---
Anyhow:
If you manage to steal a session or to recover a session by accident, it means that the target account was logged in to plaync recently.
So, your protection would be *not* to log in to plaync.
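A small model of the shared-state session mix-up zwei2stein reasons about, added here as an illustration and not code from NCSoft, ArenaNet or anyone in this thread: the buggy hub keeps the authenticated account id in one slot shared by every request, so when two requests interleave one of them reads someone else's record, while the per-request version keeps the id local and checks the loaded record against the principal before returning it. The account data, the hub classes and the `interleave` scheduler are all constructed for the example.

```python
"""Constructed model of an account-management hub that mixes up sessions
under concurrency, beside a version that keeps state per request."""

# Constructed sample accounts; ids and e-mail addresses are placeholders.
ACCOUNTS = {
    "alice": {"id": 1001, "email": "alice@example.invalid"},
    "bob":   {"id": 1002, "email": "bob@example.invalid"},
}


def lookup(account_id):
    """Fetch the profile record for an account id (stands in for a DB read)."""
    return next(a for a in ACCOUNTS.values() if a["id"] == account_id)


class SharedStateHub:
    """Buggy design: a single 'current account' slot shared by all requests.
    Each handler is a generator so the caller can interleave two requests at
    the point where a real server would switch threads."""

    def __init__(self):
        self.current_account = None          # shared, unsynchronised

    def handle(self, username):
        self.current_account = ACCOUNTS[username]["id"]   # step 1: authenticate
        yield                                             # another request may run here
        return lookup(self.current_account)               # step 2: read "my" profile


class PerRequestHub:
    """Fixed design: the authenticated id lives in the request's own scope, and
    the loaded record is checked against it before anything is returned."""

    def handle(self, username):
        account_id = ACCOUNTS[username]["id"]   # request-local, nothing shared
        yield
        profile = lookup(account_id)
        if profile["id"] != account_id:         # never serve another principal's record
            raise PermissionError("profile does not belong to the authenticated account")
        return profile


def _finish(gen):
    """Resume a handler generator to completion and return its result."""
    try:
        next(gen)
    except StopIteration as done:
        return done.value
    raise RuntimeError("handler yielded more than once")


def interleave(hub, first, second):
    """Start `first`, then `second`, then let each finish: the interleaving a
    busy server produces when two users open the account page at once.
    Returns the e-mail each request was shown."""
    r1, r2 = hub.handle(first), hub.handle(second)
    next(r1)          # first request authenticates
    next(r2)          # second authenticates (overwrites the shared slot in the buggy hub)
    return _finish(r1)["email"], _finish(r2)["email"]


if __name__ == "__main__":
    print("shared state :", interleave(SharedStateHub(), "alice", "bob"))
    print("per request  :", interleave(PerRequestHub(), "alice", "bob"))
```

In a real service the equivalent of the check in `PerRequestHub` is a server-side assertion that the record's owner equals the session's authenticated principal; a failure of that check is worth alerting on, since it is exactly the symptom this thread describes.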
zelgadissan
Oh, NCSoft, how you never fail to disappoint.
I really would love to see a response, but as mentioned earlier in the thread, it's probably best that they don't for legal reasons.
byteme!
cosyfiep
I like that last part "not logged in recently"
as I have had no reason to visit their shady site since the dumb free storage (that took almost a MONTH to get).....though I had a ticket from when they messed up Factions (remember that one?????) but that's what, 4 years ago now?
we need to sever our NCSoft link to GW! I have NO NEED of their LACK of secure website (and no PR person will convince me otherwise----since HALF of the accounts that were hacked WERE linked--stats can be read either way....and why oh why are they trying to find ONE source????? /facepalm and /headonbrickwall).
hope they are at least READING this thread.
Smarty
It's all very well saying we want ANet to close down the website, or to unlink GW from the master account, but it's not in ANet's hands. Can you imagine how much shit the head of ANet would be in if they did that without permission from NCsoft? It's purely down to NCsoft to sort this one out and you can bet your ass they won't do it any time soon - their track record on customer support doesn't exactly inspire confidence.
I will only buy GW2 if ANet either separates itself from NCsoft, or at the very least if it's not a requirement to link the game to an NCsoft account in order to benefit from the GW1 HoM. I'm not going through this worry again over a game.