Poll: Will my account get hacked?
You do not have permission to vote in this poll.
Yes
42.96%
61 42.96%
No
57.04%
81 57.04%
Total 142 vote(s) 100%
* You voted for this item. [Show Results]

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Please, hack my account
Intriguing......there was at least one hit on Hidden-Street. Anyone wanna send this thread to Maple News?
Reply
holyforest Wrote:Intriguing......there was at least one hit on Hidden-Street. Anyone wanna send this thread to Maple News?

The guy that posted my b-day on Hidden-Street is incorrect. That is not ChicaFlaca's birthday (Jan 3, 1989)
Reply
Oh yeah, and after the 14 days are up, I'd be happy to share with you guys how I created this PIC. Doing so will definitely increase the security of your accounts. Smile
Reply
The PIC is "special"? O_o I thought this was just some old run of the mill test?
Reply
Fiel Wrote:The guy that posted my b-day on Hidden-Street is incorrect. That is not ChicaFlaca's birthday (Jan 3, 1989)

Your birthday isn't secure though. God has/will have it and Bacon claims to have it though he hasn't said anything. Bacon makes a lot of joke posts but based on his overall response to this topic on all forums I would say he was serious. Perhaps you should request he post/PM you it to see if it's right. Of course, without any expected response.

Your argument works for character safety as far as 'guessed' attacks go, but our account and personal safety are still completely worthless. This thread has done a very good job of proving that.
Reply
Fiel Wrote:Oh yeah, and after the 14 days are up, I'd be happy to share with you guys how I created this PIC. Doing so will definitely increase the security of your accounts. Smile

Is it just that thing where you use an algorithm to generate the password based on the game name?
Reply
BombsAway Wrote:Your birthday isn't secure though. God has/will have it and Bacon claims to have it though he hasn't said anything. Bacon makes a lot of joke posts but based on his overall response to this topic on all forums I would say he was serious. Perhaps you should request he post/PM you it to see if it's right. Of course, without any expected response.

Your argument works for character safety as far as 'guessed' attacks go, but our account and personal safety are still completely worthless. This thread has done a very good job of proving that.

Nope, I don't have it. I haven't been updating myself with Maplestory, and didn't realize that Birthday Crackers no longer work.
Reply
Bacon Wrote:Nope, I don't have it. I haven't been updating myself with Maplestory, and didn't realize that Birthday Crackers no longer work.

Oh you
Reply
BombsAway Wrote:Your argument works for character safety as far as 'guessed' attacks go, but our account and personal safety are still completely worthless. This thread has done a very good job of proving that.

And your argument only works if someone is stupid enough to give out their username and password. Would it be the same if someone just knew the username but the account password was sufficiently strong?
Reply
Kawasari Mimoto Wrote:I foresee Adura registering an account on SP just to check what we're up to.

Point him to my signature if he comes, plz.
Reply
Fiel Wrote:And your argument only works if someone is stupid enough to give out their username and password. Would it be the same if someone just knew the username but the account password was sufficiently strong?

An unknown number of accounts are still vulnerable because of the leaked information that no one gave out. This may not apply to visitors of this site but it sure as heck applies to a large number of people out there who are unaware of the situation.
Reply
how many PIN/PIC reset requests do you have now? and at what point do you think nexon should temp ban the account they have to find it a bit sus that more then 33 people with differant IP's have been requesting a pic change
Reply
Fiel Wrote:And your argument only works if someone is stupid enough to give out their username and password. Would it be the same if someone just knew the username but the account password was sufficiently strong?

This is a key point I think. Most of the account hacks in the past few months did not involve email hacks or changed passwords or PINs, so the assumption is that hackers can (or could) obtain IDs, hashed passwords and PINs from the database, and hacked those accounts that had passwords simple enough to be cracked from the hash. For accounts with strong passwords, it may not matter much whether the PIC is better than PIN or not. What does matter is whether or not hackers can obtain email and birthday and can they access the email.
So the questions I would really like to see definitive answers for from the 'white hats' are these:
1-Can you obtain the registered email just from account ID (or even In-game-name)? (ie, without password)
2-Can you get the date-of birth? (again, without password, and assuming fake birthday not obtainable via google research)
3-Are hotmail accounts and other free email domains really as easy to hack into as many say? (assuming decent password, and not used for any other purpose but for registering the MS account)
Reply
MissingLink Wrote:I would really like to see definitive answers for from the 'white hats' are these:
1-Can you obtain the registered email just from account ID (or even In-game-name)? (ie, without password)
2-Can you get the date-of birth? (again, without password, and assuming fake birthday not obtainable via google research)
3-Are hotmail accounts and other free email domains really as easy to hack into as many say? (assuming decent password, and not used for any other purpose but for registering the MS account)
1. No, you need to know and breach an email, there are no indications.

2. No, we are responsible for our code.

3. If their security sucks, maybe, but more popular free ones may make it easier to find it.

 Spoiler
Reply
There is one way (I think) to avoid the PIC crap.

As I've said a few times before, I'm not sure if Nexon has fixed this exploit, but you can easily write your own client that somehow avoids HackShield's checks and Themida's checks, all it does is trades the mesos away or something. After you accomplish that, grab the charID of bisubuild. Note it down and log in to your own account, and log in into your own character. Then instead of providing the charID of that character, provide the charID of bisubuild. You have full access, since the client disconnects from login and then connects to channelserver after character is selected. This is quite hard to successfully patch.

One way to patch this would be to only allow certain IPs to connect to certain charIDs (only the IP that selected the character at login can login(channel) into that charID.)
Reply
AngelSL Wrote:There is one way (I think) to avoid the PIC crap.

As I've said a few times before, I'm not sure if Nexon has fixed this exploit, but you can easily write your own client that somehow avoids HackShield's checks and Themida's checks, all it does is trades the mesos away or something. After you accomplish that, grab the charID of bisubuild. Note it down and log in to your own account, and log in into your own character. Then instead of providing the charID of that character, provide the charID of bisubuild. You have full access, since the client disconnects from login and then connects to channelserver after character is selected. This is quite hard to successfully patch.

One way to patch this would be to only allow certain IPs to connect to certain charIDs (only the IP that selected the character at login can login(channel) into that charID.)

You still have to provide the correct PIC to progress from double-clicking on your character to going in game. That's when the PIC check occurs. I can see where you're coming from, but I cannot see how this would be a valid way to get into bisubuild.
Reply
I think he's saying modify the packets(?)/data to enter your PIC for your character, but log into a different character. It checks for a correct PIC of character A, but then you force it to connect to character B?
Reply
AngelSL Wrote:Themida's checks

Just to clear a random misconception; Themida is a PE (portable executable, not packet editor) packager, not an anti-hacking tool. It's the executible equivalent of a zipping the binary so it's harder to reverse engineer, it's passive and doesn't "check" anything, simply obfuscates, or tries to. UnThemida and various other tools can dump the raw executable as readily as from a zip file too and leave the application wide open for exploratory reversal.

Hazzy Wrote:I think he's saying modify the packets(?)/data to enter your PIC for your character, but log into a different character. It checks for a correct PIC of character A, but then you force it to connect to character B?



Actually it was proven in the past you could just NOOP past the pin check and have the pseudo-client just skip straight to the world select. The PIC is different in that it occurs further down the chain and prevent access to individual characters, instead of the account itself, so it's uncertain whether a modified client could successfully bypass it, or would fail authentication where the PIN did not.
Reply
Eosian Wrote:Just to clear a random misconception; Themida is a PE (portable executable, not packet editor) packager, not an anti-hacking tool. It's the executible equivalent of a zipping the binary so it's harder to reverse engineer, it's passive and doesn't "check" anything, simply obfuscates, or tries to. UnThemida and various other tools can dump the raw executable as readily as from a zip file too and leave the application wide open for exploratory reversal.





Actually it was proven in the past you could just NOOP past the pin check and have the pseudo-client just skip straight to the world select. The PIC is different in that it occurs further down the chain and prevent access to individual characters, instead of the account itself, so it's uncertain whether a modified client could successfully bypass it, or would fail authentication where the PIN did not.

I vaguely remember stripping something from the client (possibly Themida?) would cause you to fail to pass character selection. But thinking it over, no I don't think it's Themida.

Anyway, the only way that you can't send a different character ID and login into bisubuild would be if PIC was sent to the Channelserver, which is (really reaaally) unlikely.

If anyone does code a pseudo-client (all it does would be login, open a trade to some character, wait for trade accept, then put in meso and lock trade, wait for trade finish and exit), they would need to emulate HackShield's heartbeat.
Reply
Fiel Wrote:Well, we can at least make a few observations based upon what has happened so far.

Argument 1:
Premise 1: The account First Name, Last Name, Secret Question (but not the answer), and e-mail are all known within 24 hours
Premise 2: The PIC/PIN number is not yet known and the birthday is not yet known
Therefore: The PIC/PIN and Birthday are harder to hack than the First Name, Last Name, Secret Question, and e-mail

Argument 2:
Premise 1: If a hacker wanted to gain access to bisubuild235, the easiest way would be through an account PIC reset which occurs through the e-mail account.
Premise 2: No PIC reset has occurred
Therefore: My e-mail account has not been compromised.

Argument 3:
Premise 1: Because Argument 1 is true, then hackers do not have access to the PIC/PIN.
Premise 2: Because Argument 2 is true, then hackers do not have direct access to my e-mail
Premise 3: There is no other way to gain access to PIC/PIN except by compromising the e-mail or a database breach
Therefore: Nexon's database was breached.

Argument 4:
Premise 1: Because Argument 1 is true, then accounts are more safe since the PIC is harder to crack.
Premise 2: Maplestory accounts use PIC universally
Premise 3: E-mail accounts are outside of Nexon's locus of control
Therefore: Nexon's new system is safer because it uses a PIC.


I haven't read every single page but..... some of the info has already been found out? and... Nexon's database HAS been breached?
Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)