2010-02-15, 04:45 PM
Intriguing......there was at least one hit on Hidden-Street. Anyone wanna send this thread to Maple News?
| Poll: Will my account get hacked? You do not have permission to vote in this poll. |
|||
| Yes | 61 | 42.96% | |
| No | 81 | 57.04% | |
| Total | 142 vote(s) | 100% | |
| * You voted for this item. | [Show Results] |
|
Please, hack my account
|
|
2010-02-15, 04:45 PM
Intriguing......there was at least one hit on Hidden-Street. Anyone wanna send this thread to Maple News?
2010-02-15, 04:50 PM
holyforest Wrote:Intriguing......there was at least one hit on Hidden-Street. Anyone wanna send this thread to Maple News? The guy that posted my b-day on Hidden-Street is incorrect. That is not ChicaFlaca's birthday (Jan 3, 1989)
2010-02-15, 04:52 PM
Oh yeah, and after the 14 days are up, I'd be happy to share with you guys how I created this PIC. Doing so will definitely increase the security of your accounts.
2010-02-15, 04:54 PM
The PIC is "special"? O_o I thought this was just some old run of the mill test?
2010-02-15, 04:55 PM
Fiel Wrote:The guy that posted my b-day on Hidden-Street is incorrect. That is not ChicaFlaca's birthday (Jan 3, 1989) Your birthday isn't secure though. God has/will have it and Bacon claims to have it though he hasn't said anything. Bacon makes a lot of joke posts but based on his overall response to this topic on all forums I would say he was serious. Perhaps you should request he post/PM you it to see if it's right. Of course, without any expected response. Your argument works for character safety as far as 'guessed' attacks go, but our account and personal safety are still completely worthless. This thread has done a very good job of proving that.
2010-02-15, 04:57 PM
Fiel Wrote:Oh yeah, and after the 14 days are up, I'd be happy to share with you guys how I created this PIC. Doing so will definitely increase the security of your accounts. Is it just that thing where you use an algorithm to generate the password based on the game name?
2010-02-15, 05:02 PM
BombsAway Wrote:Your birthday isn't secure though. God has/will have it and Bacon claims to have it though he hasn't said anything. Bacon makes a lot of joke posts but based on his overall response to this topic on all forums I would say he was serious. Perhaps you should request he post/PM you it to see if it's right. Of course, without any expected response. Nope, I don't have it. I haven't been updating myself with Maplestory, and didn't realize that Birthday Crackers no longer work.
2010-02-15, 05:07 PM
Bacon Wrote:Nope, I don't have it. I haven't been updating myself with Maplestory, and didn't realize that Birthday Crackers no longer work. Oh you
2010-02-15, 05:12 PM
BombsAway Wrote:Your argument works for character safety as far as 'guessed' attacks go, but our account and personal safety are still completely worthless. This thread has done a very good job of proving that. And your argument only works if someone is stupid enough to give out their username and password. Would it be the same if someone just knew the username but the account password was sufficiently strong?
2010-02-15, 05:15 PM
Kawasari Mimoto Wrote:I foresee Adura registering an account on SP just to check what we're up to. Point him to my signature if he comes, plz.
2010-02-15, 05:15 PM
Fiel Wrote:And your argument only works if someone is stupid enough to give out their username and password. Would it be the same if someone just knew the username but the account password was sufficiently strong? An unknown number of accounts are still vulnerable because of the leaked information that no one gave out. This may not apply to visitors of this site but it sure as heck applies to a large number of people out there who are unaware of the situation.
2010-02-15, 06:24 PM
how many PIN/PIC reset requests do you have now? and at what point do you think nexon should temp ban the account they have to find it a bit sus that more then 33 people with differant IP's have been requesting a pic change
2010-02-15, 07:16 PM
Fiel Wrote:And your argument only works if someone is stupid enough to give out their username and password. Would it be the same if someone just knew the username but the account password was sufficiently strong? This is a key point I think. Most of the account hacks in the past few months did not involve email hacks or changed passwords or PINs, so the assumption is that hackers can (or could) obtain IDs, hashed passwords and PINs from the database, and hacked those accounts that had passwords simple enough to be cracked from the hash. For accounts with strong passwords, it may not matter much whether the PIC is better than PIN or not. What does matter is whether or not hackers can obtain email and birthday and can they access the email. So the questions I would really like to see definitive answers for from the 'white hats' are these: 1-Can you obtain the registered email just from account ID (or even In-game-name)? (ie, without password) 2-Can you get the date-of birth? (again, without password, and assuming fake birthday not obtainable via google research) 3-Are hotmail accounts and other free email domains really as easy to hack into as many say? (assuming decent password, and not used for any other purpose but for registering the MS account)
2010-02-15, 10:35 PM
MissingLink Wrote:I would really like to see definitive answers for from the 'white hats' are these:1. No, you need to know and breach an email, there are no indications. 2. No, we are responsible for our code. 3. If their security sucks, maybe, but more popular free ones may make it easier to find it.
Spoiler
2010-02-15, 11:19 PM
There is one way (I think) to avoid the PIC crap.
As I've said a few times before, I'm not sure if Nexon has fixed this exploit, but you can easily write your own client that somehow avoids HackShield's checks and Themida's checks, all it does is trades the mesos away or something. After you accomplish that, grab the charID of bisubuild. Note it down and log in to your own account, and log in into your own character. Then instead of providing the charID of that character, provide the charID of bisubuild. You have full access, since the client disconnects from login and then connects to channelserver after character is selected. This is quite hard to successfully patch. One way to patch this would be to only allow certain IPs to connect to certain charIDs (only the IP that selected the character at login can login(channel) into that charID.)
2010-02-15, 11:24 PM
AngelSL Wrote:There is one way (I think) to avoid the PIC crap. You still have to provide the correct PIC to progress from double-clicking on your character to going in game. That's when the PIC check occurs. I can see where you're coming from, but I cannot see how this would be a valid way to get into bisubuild.
2010-02-15, 11:29 PM
I think he's saying modify the packets(?)/data to enter your PIC for your character, but log into a different character. It checks for a correct PIC of character A, but then you force it to connect to character B?
2010-02-16, 02:47 AM
AngelSL Wrote:Themida's checks Just to clear a random misconception; Themida is a PE (portable executable, not packet editor) packager, not an anti-hacking tool. It's the executible equivalent of a zipping the binary so it's harder to reverse engineer, it's passive and doesn't "check" anything, simply obfuscates, or tries to. UnThemida and various other tools can dump the raw executable as readily as from a zip file too and leave the application wide open for exploratory reversal. Hazzy Wrote:I think he's saying modify the packets(?)/data to enter your PIC for your character, but log into a different character. It checks for a correct PIC of character A, but then you force it to connect to character B? Actually it was proven in the past you could just NOOP past the pin check and have the pseudo-client just skip straight to the world select. The PIC is different in that it occurs further down the chain and prevent access to individual characters, instead of the account itself, so it's uncertain whether a modified client could successfully bypass it, or would fail authentication where the PIN did not. Eosian Wrote:Just to clear a random misconception; Themida is a PE (portable executable, not packet editor) packager, not an anti-hacking tool. It's the executible equivalent of a zipping the binary so it's harder to reverse engineer, it's passive and doesn't "check" anything, simply obfuscates, or tries to. UnThemida and various other tools can dump the raw executable as readily as from a zip file too and leave the application wide open for exploratory reversal. I vaguely remember stripping something from the client (possibly Themida?) would cause you to fail to pass character selection. But thinking it over, no I don't think it's Themida. Anyway, the only way that you can't send a different character ID and login into bisubuild would be if PIC was sent to the Channelserver, which is (really reaaally) unlikely. If anyone does code a pseudo-client (all it does would be login, open a trade to some character, wait for trade accept, then put in meso and lock trade, wait for trade finish and exit), they would need to emulate HackShield's heartbeat.
2010-02-16, 09:44 AM
Fiel Wrote:Well, we can at least make a few observations based upon what has happened so far. I haven't read every single page but..... some of the info has already been found out? and... Nexon's database HAS been breached? |
|
« Next Oldest | Next Newest »
|