Security in EE (i.e sending password in plaintext)

Hexagon · 2015-07-07 23:14:59

Recently there has been a phising attack against several members of the EE community, conducted by Zoey2070 as a social experiment. Many users have been giving out their passwords to Zoey, as many comply to the false authority. Passwords are easy to bribe from users.

However, when I log into EE using the official login box, it's sent over http (plaintext.) This allows anyone intercepting their internet connection to get their username, email and password extremely easily.

My question is: why are we not taking appropriate measures to secure the credentials that get sent over the wire? ~95% of users use everybodyedits.com to login, and are susceptible to MITM attacks.

Onjit · 2015-07-08 03:05:40

If someone is specifically targeting me just to get my account, they've got issues. It's a flash game, not my banking.

Br0k3n

mrjawapa · 2015-07-08 03:41:57

Onjit wrote:

If someone is specifically targeting me just to get my account, they've got issues. It's a flash game, not my banking.

This.

If they're hacking a particular person's internet... they have a lot of issues.

Onjit

ZeldaXD · 2015-07-08 03:50:10

JaWapa wrote:

Onjit wrote:
If someone is specifically targeting me just to get my account, they've got issues. It's a flash game, not my banking.
This.
If they're hacking a particular person's internet... they have a lot of issues.

What if they were attacking an Administrator?

Mylo · 2015-07-08 09:28:44

What if someone actually uses the same password over and over in multiple sites? You know, these passwords can actually unlock the PayPal account of some people.

Please don't take it that easy.
/mobile

ewoke, kubapolish, goeyfun, Jesse, BuzzerBee, Bobithan, ZeldaXD

RavaTroll · 2015-07-08 09:50:42

JaWapa wrote:

Onjit wrote:
If someone is specifically targeting me just to get my account, they've got issues. It's a flash game, not my banking.
This.
If they're hacking a particular person's internet... they have a lot of issues.

The issue is still there though, it should be fixed in the next major update.

Mylo, BuzzerBee

Processor · 2015-07-08 14:17:14

PlayerIO's Sitebox (which is the technology we are using for hosting the website) does not properly support HTTPS. We could make the transmission of passwords secure, but the flash game itself can be replaced at any time. (because it is transmitted over HTTP)

I'll look up the sources in a bit.

Also: forums.everybodyedits.com is available over https. How many of those who complained in this topic were smart enough to use it?

EDIT:
This for example: https://gamesnet.yahoo.net/forum/viewto … 31ca4c63f3

goeyfun, mrjawapa

Creature · 2015-07-08 16:21:14

Only newbies will give their password, and who would want a poor account?

Mylo · 2015-07-08 18:22:24

OT: Maybe auto redirect to https://forums.everybodyedits.com, if this would be possible?

Hexagon

Different55 · 2015-07-08 21:00:00

Mylo wrote:

OT: Maybe auto redirect to https://forums.everybodyedits.com, if this would be possible?

The thing is that our HTTPS isn't real HTTPS. Your connection to cloudflare's servers may be encrypted, but cloudflare's connection to our server is not.

Processor · 2015-07-09 10:36:04

Mylo wrote:

OT: Maybe auto redirect to https://forums.everybodyedits.com, if this would be possible?

The issue is the incompatibility with many browsers. IE will show you 15567 warnings because images contained in signatures are not using HTTPS. So we prefer to keep the website on http, users concerned with privacy may use plugins like HTTPS Everywhere.

Plus: what Different said, but we could buy a cert should enough people show interest in using https.

Mylo

Joshua708 · 2015-07-09 14:08:46

JaWapa wrote:

Onjit wrote:
If someone is specifically targeting me just to get my account, they've got issues. It's a flash game, not my banking.
This.
If they're hacking a particular person's internet... they have a lot of issues.

Or you could use a proxy and make it harder to get into the internet. There's one I heard that cost 5 dollars a month. Transmitting the data using ssh or https would be much more secure, but sadly, PlayerIO dosent support that. And yes onjit, i agree, It's just a flash game, not a bank account, Now lets get into details about how EE could be more secure in their login system, #1 Transmitting encrypted data, #2 Making 2-factor authentication so that you need to enter a code (if you put that on your account.), Thats about the only things you can do with http, making your own encrypted data and 2 factor authentication. Hope you liked the suggestions

written by:
-~The smart system32~-

Zumza · 2015-07-09 14:45:29

@Hexagon have suggest to encrypt the login system.

Steps:
1. All clients will enter a 'service room' for authentication like http://pastebin.com/QDzmb3qM
2. Send encrypted data, doesn't even need to be complicated, just a Diffie-Hellman Key Exchange

And well be lot of benefits from this. And this adaption wouldn't be hard.

goeyfun · 2015-07-09 15:19:47

3. Also do some back-end work to stop ppl from trading accounts

eeisold · 2015-07-09 18:51:35

Zumza wrote:

@Hexagon have suggest to encrypt the login system.
Steps:
1. All clients will enter a 'service room' for authentication like http://pastebin.com/QDzmb3qM
2. Send encrypted data, doesn't even need to be complicated, just a Diffie-Hellman Key Exchange
And well be lot of benefits from this. And this adaption wouldn't be hard.

I don't know a whole lot about encryption. Certainly. But I AM gullible. So, when I see this explanation regarding javascript encryption, I figure it applies rather closely.
StackOverflow thread
So, with the argument that " it is impossible for a JavaScript client to verify that the server's key is authentic." -- is there a way for Flash to do so? I don't think so. (Again, I'm not an AS3 programmer, either). Is it possible for creative developers to re-write the flash library to allow for https connections? Is that 'voiding the warranty'? Do the developers care enough?

A post on the PlayerIO Forums explains how to use external authentication securely. I'm not for sure if this actually solves the problem of flash using a secure tunnel, but it's here for consideration. (Of course, moving the database would require some transition time for users)

Mylo

Official Everybody Edits Forums

#1 2015-07-07 23:14:59

Security in EE (i.e sending password in plaintext)

#2 2015-07-08 03:05:40

Re: Security in EE (i.e sending password in plaintext)

#3 2015-07-08 03:41:57

Re: Security in EE (i.e sending password in plaintext)

#4 2015-07-08 03:50:10

Re: Security in EE (i.e sending password in plaintext)

#5 2015-07-08 09:28:44, last edited by Mylo (2015-07-08 09:31:57)

Re: Security in EE (i.e sending password in plaintext)

#6 2015-07-08 09:50:42

Re: Security in EE (i.e sending password in plaintext)

#7 2015-07-08 14:17:14

Re: Security in EE (i.e sending password in plaintext)

#8 2015-07-08 16:21:14

Re: Security in EE (i.e sending password in plaintext)

#9 2015-07-08 18:22:24

Re: Security in EE (i.e sending password in plaintext)

#10 2015-07-08 21:00:00

Re: Security in EE (i.e sending password in plaintext)

#11 2015-07-09 10:36:04

Re: Security in EE (i.e sending password in plaintext)

#12 2015-07-09 14:08:46

Re: Security in EE (i.e sending password in plaintext)

#13 2015-07-09 14:45:29, last edited by Zumza (2015-07-09 14:46:52)

Re: Security in EE (i.e sending password in plaintext)

#14 2015-07-09 15:19:47

Re: Security in EE (i.e sending password in plaintext)

#15 2015-07-09 18:51:35

Re: Security in EE (i.e sending password in plaintext)

Board footer