Account Hackings - The Source

Miscreant_Moon
Ascalonian Squire
#141
Quote:
Originally Posted by Coverticus View Post
He's talking about telling everyone HOW to do this is not the smartest thing.
You know the fastest way to get Microsoft, IE, Firefox, or just throw out any random company name here, to fix an exploit?

Publish it.

Otherwise you are talking to a brick wall that will do nothing. Which NCSoft has clearly proven.
Tiramos Caesar
Ascalonian Squire
#142
Quote:
Originally Posted by Miscreant_Moon View Post
I think it's fairly obvious that sending emails, talking to support, posting on forums, posting on the wiki, talking to people in game, posting on other websites, talking amongst ourselves, telling the devs and so forth has been completely ineffective. Wouldn't you?
Not necessarily. Someone in Kamaden was shouting this link in general chat. That is what brought me here and I'm glad. But there will be dishonest people out there who once they realize they can do this will try it. Someone at NC Soft/ANet needs to step to the plate and fix this ASAFP. It sounds like an easy fix.
Martin Alvito
Older Than God (1)
#143
Quote:
Originally Posted by jiggles View Post
I would just like to throw the idea out there that telling every single person possible how to potentially hack GW accounts does not seem like the smartest plan ever...
The idea is that once something like this hits the public domain, the company is forced to respond immediately with all available resources. To do otherwise is negligence.
Emperor Bush
Frost Gate Guardian
#144
Sunlight is the best disinfectant. As they say.
Coverticus
Lion's Arch Merchant
#145
Quote:
Originally Posted by Miscreant_Moon View Post
You know the fastest way to get Microsoft, IE, Firefox, or just throw out any random company name here, to fix an exploit?

Publish it.

Otherwise you are talking to a brick wall that will do nothing. Which NCSoft has clearly proven.
I wasn't arguing with you Moon, just stating. And yes, I agree that placing a bug/hack/exploit into the full domain as such is usually a good thing. But there are always pros and cons to doing anything like this.

It just makes me cringe how much information is actually available to the hacker
maxxfury
Wilds Pathfinder
#146
Well RED ENGINE GORED ENGINE GORED ENGINE GORED ENGINE GO me sideways!

If this is legit...I'm thankful my account has crap all of worth on it
jiggles
Desert Nomad
#147
Quote:
Originally Posted by Martin Alvito View Post
The idea is that once something like this hits the public domain, the company is forced to respond immediately with all available resources. To do otherwise is negligence.
I agree but what if in the time it takes them to fix the bug I'm hacked/you're hacked/loads of other people are hacked? Acceptable losses because the masses got to know what's going on, and how there is nothing they can do about it? (in terms of unlinking accounts etc) I'd much rather less than 1/4 of the people looking at this thread knew about this bug, it's safer for everyone that way. There are always going to be the douches out there who are going to exploit this bug for all they can get before it is fixed. And I would rather not risk 4 years of my life so Anet/NCsoft get some bad press and are forced to reply to an issue faster.
Tiramos Caesar
Ascalonian Squire
#148
You know what? Hell with helping the community. I just got told by a dozen people to shut up and quit posting the link in general chat in Kamaden. Let them be hacked.
Chaos Beserker
Ascalonian Squire
#149
um......am I the only one thinking that this has just told many people how to easily hack people's accounts.....
The build master
Ascalonian Squire
#150
Quote:
Originally Posted by Chaos Beserker View Post
um......am I the only one thinking that this has just told many people how to easily hack people's accounts.....
No.

Wonder how many ppl are clicking login/logout in the ncsoft master account site.

Edit: Would being logged in to the ncsoft master account 24/7 prevent someone else from doing so?
Gun Pierson
Forge Runner
#151
For the time being, shut the site down maybe!?
Tramp
Furnace Stoker
#152
Wait a minute... can someone explain this to me? So the new character name thing does absolutely no good if you have ever filed a support ticket with Anet because the hacker will have access to all your closed support tickets and therefore will have your character name???????????????
Juhanah
Lion's Arch Merchant
#153
Quote:
Originally Posted by Tiramos Caesar View Post
I just looked again and I have nothing on the right side. I went through all the links and cannot find anything other than my personal information I have listed which is bogus anyhow. Does it sound like I'm in the clear?
Yeah.. It means your GW account is not linked to NCsoft.

Quote:
um......am I the only one thinking that this has just told many people how to easily hack people's accounts.....
And will most likely force NCSoft to start doing something.
Enko
Forge Runner
#154
Quote:
Originally Posted by Gun Pierson View Post
For the time being, shut the site down maybe!?
Pity that this was released on January 1 which is a holiday for most businesses. Most likely no one working in the office. For the hat fix, it even sounded like Anet had to call in a couple of the programmers to the office to fix it.
merciless_mike
Academy Page
#155
Not happy with this news at all. Been reading the thread all day and wondering just how such a blatant security flaw has escaped a fix for so long.

Anyway to my point; what can we do now to limit the chances of a breach? I don't want to take chances any more than the next guy.
zwei2stein
Grotto Attendant
#156
Bad sanitization leading to pre-setting session object with some other session data?

Chances of this are astronomical ... you could get way more server crashes or simply all out weird account data. If session object were not sanitized or pointer got weirded out, they would get what would look like random data most of the time, you would likely not be able to log in, ever.

Session theft ... race condition, that sounds plausible, but how is that even possible to write that way? Complete lack of (synchronized)? Again, likely to crash or to steal sessions way too often (i.e. nearly always) ...

I thought they wrote it in .net anyway ... garbage collection and no direct pointer handling would prevent accidental accessing of the "right" object, and session theft, well, surely it has thread locks. Without thread locks, this kind of system kind of dies the moment several users access it.

Still can't see how this would happen without caching or

---

Anyhow:

If you manage to steal session or to recover session by accident, it means that target account was logged to plaync recently.

So, your protection would be *not* to log in to plaync.
zelgadissan
Forge Runner
#157
Oh, NCSoft, how you never fail to disappoint.

I really would love to see a response, but as mentioned earlier in the thread, it's probably best that they don't for legal reasons.
byteme!
Forge Runner
#158
Quote:
Originally Posted by zwei2stein View Post
So, your protection would be *not* to log in to plaync.
Thank goodness I'm a lazy SOB. I never log into PlayNC's site.
cosyfiep
are we there yet?
#159
I like that last part "not logged in recently"
as I have had no reason to visit their shady site since the dumb free storage (that took almost a MONTH to get).....though had a ticket from when they messed up factions (remember that one?????) but that's what 4 years ago now?

we need to sever our ncsoft link to gw! I have NO NEED of their LACK of secure website (and no PR person will convince me otherwise----since HALF of the accounts that were hacked WERE linked--stats can be read either way....and why oh why are they trying to find ONE source????? /facepalm and /headonbrickwall).

hope they are at least READING this thread.
Smarty
Krytan Explorer
#160
It's all very well saying we want ANet to close down the website, or to unlink GW from the master account, but it's not in ANet's hands. Can you imagine how much shit the head of ANet would be in if they did that without permission from NCsoft? It's purely down to NCsoft to sort this one out and you can bet your ass they won't do it any time soon - their track record on customer support doesn't exactly inspire confidence.

I will only buy GW2 if ANet either separates itself from NCsoft, or at the very least if it's not a requirement to link the game to an NCsoft account in order to benefit from the GW1 HoM. I'm not going through this worry again over a game.