Official Everybody Edits Forums

Do you think I could just leave this part blank and it'd be okay? We're just going to replace the whole thing with a header image anyway, right?

You are not logged in.

Donate!

pls donate


#26 2019-07-22 09:33:06

AllenCaspe9510
Member
From: Philippines
Joined: 2018-03-24
Posts: 246
Website

Re: Data Security Breach 2 - Please Update Your Passwords

My Email is fake, do i still need to change my password?

Offline

#27 2019-07-22 09:34:50

Nebula
Formerly Whirl
From: Minderia Forum
Joined: 2018-04-25
Posts: 4,800
Website

Re: Data Security Breach 2 - Please Update Your Passwords

AllenCaspe9510 wrote:

My Email is fake, do i still need to change my password?

Then you need to contact EE Staff to change your email to an actual one


Youtube Twitter
nebulapersonal.gif
Kudos to Raphe9000, Zoey2070, Filip2005, Nikko99 & HG

rudik5000.gif

Offline

#28 2019-07-22 09:52:28

capasha
Member
Joined: 2015-02-21
Posts: 3,809

Re: Data Security Breach 2 - Please Update Your Passwords

Not only accounts got leaked. There is a new reporting document too. 114846 of lines from the report document.
I hate when these get leaked because you can't be anonymous when reporting other people.

Offline

#29 2019-07-22 10:26:22

peace
Member
From: admin land
Joined: 2015-08-10
Posts: 6,032

Re: Data Security Breach 2 - Please Update Your Passwords

ok so i com eback to a down game gg check if my acc was affecte dnope bu ri p phina


OeaNm9Q.png              MYaIIs9.png
ty anatoly and nikko99 for a golden sig and blueclued for avatar and daneeko for pixelating my sign //forums.everybodyedits.com/img/smilies/cool3bluekeys.pngKFPwcx.jpg

Offline

#30 2019-07-22 11:19:05

Growler
Formerly Snowester
Joined: 2017-05-31
Posts: 365

Re: Data Security Breach 2 - Please Update Your Passwords

minam wrote:

How are the passwords stored on EE?
Is it just on a plain text file?

Just curious.

FYI, passwords are stored by PlayerIO and they're hashed so nobody can read them. However few people were speculating that it was something to do with the main site.


1565540400.png

Offline

Wooted by:

#31 2019-07-22 11:29:38

Andymakeer
Member
From: Nine-tails Vale
Joined: 2016-05-29
Posts: 297

Re: Data Security Breach 2 - Please Update Your Passwords

aw **** here we go again...


F

Offline

#32 2019-07-22 11:38:29

Blackmask
Member
From: France
Joined: 2016-06-27
Posts: 170

Re: Data Security Breach 2 - Please Update Your Passwords

cool

Offline

#33 2019-07-22 12:23:19, last edited by Filip2005 is a fiend (2019-07-22 12:49:01)

Filip2005 is a fiend
Member
From: Braxis
Joined: 2017-07-17
Posts: 306
Website

Re: Data Security Breach 2 - Please Update Your Passwords

Good point not to play EE:U, thank you Xenonetix.

Ironic edit: Xenonetix owes us money.


Galatians 4:16
Am I therefore become your enemy, because I tell you the truth?
X9ByJBP.png
In courtesy of Nebula.
Discord : Filipwoj#7107

Offline

#34 2019-07-22 12:26:40

AllenCaspe9510
Member
From: Philippines
Joined: 2018-03-24
Posts: 246
Website

Re: Data Security Breach 2 - Please Update Your Passwords

If my gems are gone again, I'm gonna riot

Offline

Wooted by:

#35 2019-07-22 12:39:54

Filip2005 is a fiend
Member
From: Braxis
Joined: 2017-07-17
Posts: 306
Website

Re: Data Security Breach 2 - Please Update Your Passwords

AllenCaspe9510 wrote:

If my gems are gone again, I'm gonna riot

You don't need gems at this moment of time, futile.


Galatians 4:16
Am I therefore become your enemy, because I tell you the truth?
X9ByJBP.png
In courtesy of Nebula.
Discord : Filipwoj#7107

Offline

#36 2019-07-22 13:24:47

peace
Member
From: admin land
Joined: 2015-08-10
Posts: 6,032

Re: Data Security Breach 2 - Please Update Your Passwords

updatin pass once again but how? if i can tlogout of ee lol


OeaNm9Q.png              MYaIIs9.png
ty anatoly and nikko99 for a golden sig and blueclued for avatar and daneeko for pixelating my sign //forums.everybodyedits.com/img/smilies/cool3bluekeys.pngKFPwcx.jpg

Offline

#37 2019-07-22 16:20:48, last edited by Anatoly (2019-07-22 16:23:00)

Anatoly
Member
From: Germany, Bavaria, Munich
Joined: 2015-07-31
Posts: 6,414

Re: Data Security Breach 2 - Please Update Your Passwords

minam wrote:

How are the passwords stored on EE?
Is it just on a plain text file?

Just curious.

If we look at the forums case', Diff thought me that passwords are not stored, they are hashed. You can only ...



Edit: Oh ****, my internet broke up and contents of this post were lost, basically here is what I explained shorten:
- Passwords are and should be hashed: You can get the hash from the password, but not the password from the hash.
- Passwords are stored in another table (read about sql e.g. to understand what I mean with table) isolated from all other data.


Best regards,
y51lcgx.png
Graphics | Signatures
Anatoly.

Offline

#38 2019-07-22 16:42:45

capasha
Member
Joined: 2015-02-21
Posts: 3,809

Re: Data Security Breach 2 - Please Update Your Passwords

Anatoly wrote:

If we look at the forums case', Diff thought me that passwords are not stored, they are hashed. You can only ...



Edit: Oh ****, my internet broke up and contents of this post were lost, basically here is what I explained shorten:
- Passwords are and should be hashed: You can get the hash from the password, but not the password from the hash.
- Passwords are stored in another table (read about sql e.g. to understand what I mean with table) isolated from all other data.

Looks like you know everything about hashing a password. You can still get the password from a hash if you use dictionary list with rules or such.
Or just bruteforcing it with rules. How else do you think the password database at HIBP have been leaked with normal passwords? Yes cracking.

Even if the password is strong, it still could be cracked. In the old days did I and other use CPU power to crack hashes. Then a bit later did it come GPU cracking.
If you have many GPU's it will increase the speed of cracking hashes really fast. The best thing is salted hashes, but most time does even the salt leak and we are back to crack the passwords really fast.

Offline

Wooted by:

#39 2019-07-22 18:48:17

peace
Member
From: admin land
Joined: 2015-08-10
Posts: 6,032

Re: Data Security Breach 2 - Please Update Your Passwords

passwords should not be able to be leake din anyway not wiht a dictonary not wiht anythign at all simple this is not for EE only tho


OeaNm9Q.png              MYaIIs9.png
ty anatoly and nikko99 for a golden sig and blueclued for avatar and daneeko for pixelating my sign //forums.everybodyedits.com/img/smilies/cool3bluekeys.pngKFPwcx.jpg

Offline

#40 2019-07-22 19:44:18

TapPineapple
New Member
Joined: 2019-07-08
Posts: 3

Re: Data Security Breach 2 - Please Update Your Passwords

that moment when your account got hacked... //forums.everybodyedits.com/img/smilies/sad


Still don't know how to code //forums.everybodyedits.com/img/smilies/tongue

Offline

Wooted by:

#41 2019-07-22 19:47:08

Anatoly
Member
From: Germany, Bavaria, Munich
Joined: 2015-07-31
Posts: 6,414

Re: Data Security Breach 2 - Please Update Your Passwords

Staff, any comments?

Maybe instead if claiming to have fixed the holes, its time for you to reveal all cards.
Maybe im wrong and it would be wrong to make ee open source, but honestly, EEs security just cannot be made worser.

Add atilla, remod gosha, take over the security of the forums.
What i see - false hopes. Poor Patrons who actually lost their money for nothing.

You are in a situation where you cannot claim it’s not your fault. its not playerio, currently, its YOUR fault.
Wheres EEU progress? Soem videos where someone says what he did? Better than nothing, but actually nothing.

Now you, xenonetix, “dont tell me what i should have done, tell me what i can do”
I told you earlier to do something, cant remember when, but im sure you responded: Where? I told you, you ignored, now im in fact telling you what you should uabe done if you dont listen the what you should do part. remod phinarose (or who was the girl who was demodded?

Im hopeless about this game. the death timer has started, its not changeable.

had fun with you, ee is dead)


Best regards,
y51lcgx.png
Graphics | Signatures
Anatoly.

Offline

Wooted by:

#42 2019-07-22 19:51:56

Anatoly
Member
From: Germany, Bavaria, Munich
Joined: 2015-07-31
Posts: 6,414

Re: Data Security Breach 2 - Please Update Your Passwords

capasha wrote:
Anatoly wrote:

If we look at the forums case', Diff thought me that passwords are not stored, they are hashed. You can only ...



Edit: Oh ****, my internet broke up and contents of this post were lost, basically here is what I explained shorten:
- Passwords are and should be hashed: You can get the hash from the password, but not the password from the hash.
- Passwords are stored in another table (read about sql e.g. to understand what I mean with table) isolated from all other data.

Looks like you know everything about hashing a password. You can still get the password from a hash if you use dictionary list with rules or such.
Or just bruteforcing it with rules. How else do you think the password database at HIBP have been leaked with normal passwords? Yes cracking.

Even if the password is strong, it still could be cracked. In the old days did I and other use CPU power to crack hashes. Then a bit later did it come GPU cracking.
If you have many GPU's it will increase the speed of cracking hashes really fast. The best thing is salted hashes, but most time does even the salt leak and we are back to crack the passwords really fast.

Good point. I also agree that there is no perfect security, but we need to mention that EE’s one is special.

I mean, you can crack one account with that, not hundreds.
Also interesting to see, ee leaks passwords only in a period of time, how that?


Best regards,
y51lcgx.png
Graphics | Signatures
Anatoly.

Offline

#43 2019-07-22 19:58:54, last edited by Tomahawk (2019-07-22 22:44:20)

Tomahawk
Forum Mod
From: BiH
Joined: 2015-02-18
Posts: 2,140

Re: Data Security Breach 2 - Please Update Your Passwords

Merged the post above this one with the main thread.


One bot to rule them all, one bot to find them. One bot to bring them all... and with this cliché blind them.

Offline

#44 2019-07-22 21:37:53

Different55
Forum Admin
Joined: 2015-02-07
Posts: 15,957

Re: Data Security Breach 2 - Please Update Your Passwords

Anatoly wrote:

take over the security of the forums.

Sorry, what?


"Sometimes failing a leap of faith is better than inching forward"
- ShinsukeIto

Offline

#45 2019-07-22 21:52:09

mrjawapa
Member
From: Ohio, USA
Joined: 2015-02-15
Posts: 5,076
Website

Re: Data Security Breach 2 - Please Update Your Passwords

Different55 wrote:
Anatoly wrote:

take over the security of the forums.

Sorry, what?

Lmao yeah let's give xeno authority over the forums. I'd like to have my forum info leaked too.


jmz85ffh.png

Offline

Wooted by: (2)

#46 2019-07-22 22:44:42

den3107
Member
From: Netherlands
Joined: 2015-04-24
Posts: 999

Re: Data Security Breach 2 - Please Update Your Passwords

mrjawapa wrote:
Different55 wrote:
Anatoly wrote:

take over the security of the forums.

Sorry, what?

Lmao yeah let's give xeno authority over the forums. I'd like to have my forum info leaked too.

Think he means copying the security the forums uses. Having said that, security generally doesn't work in a copy-pasta manner since well... You have frameworks that either did it for you, or you have to work around to get it fixed.

Anatoly wrote:
capasha wrote:

The best thing is salted hashes, but most time does even the salt leak and we are back to crack the passwords really fast.

I mean, you can crack one account with that, not hundreds.

He talks about that whenever hashed passwords are lost, that the salts are generally leaked too, essentially giving them the same crack duration as an unsalted one.
Having said that, it's not that hard to crack unsalted SHA256 hashes (one of the most common used method, although methods like bcrypt are rising).
With that, an attacker can generally crack a hash in under 10 seconds. Well, within a day he'll probably have all EE accounts cracked (unless I'm gravely underestimating the amount of accounts EE has).
+ I'm fairly certain EE doesn't salt their stuff... There're honestly way to many companies that don't salt their hashes, even bigger companies (think Yahoo didn't up until 2016).

Anatoly wrote:

Also interesting to see, ee leaks passwords only in a period of time, how that?

This is likely a part where either packets are intercepted, or something like log files have been retrieved.
Likely they have no access to the actual database, but somehow somewhere they're able to get the information of everybody that logs in during their attack. I believe that's much like how the previous attack functioned too (although likely using a different exploit).

Offline

#47 2019-07-23 02:08:57, last edited by Processor (2019-07-23 02:41:49)

Processor
Member
Joined: 2015-02-15
Posts: 2,022

Re: Data Security Breach 2 - Please Update Your Passwords

Hacker got access to a staff' playerio account.
PlayerIO hashes the passwords, however, they are stored in plaintext in your browser (as long as you tick "stay logged in").
With access to the account, hackers could export the Reports table.
Its not so easy with account passwords...

Three possibilities:
1. Hackers replaced the site contents (paths: changed DNS records / changed site contents / changed SWF file (<- most likely scenario))
2. Hackers found an XSS exploit in the flash (very unlikely)
3. The staff log your password in a database themselves (maybe to migrate users to EEU), the hacker just had to export this database

LukeM claimed that the only person having access to the game swf is Xenonetix. However, the leak specifically thanks LukeM for making the hack possible.
Both 1. and 3. leave traces, so we can rule out Scenario #2 by checking the source code. Can someone do that please?

Possible fixes:
- Never store passwords in plaintext
- Never get hacked as staff by using secure passwords

I got a peek at the used passwords by Xenonetix and bytearray and both were terrible passwords that could have been easily guessed.
While these passwords were likely not the same ones used on PlayerIO, they show you the general approach staff takes with security.

Luke told me it is too much work to replace the system with a session token based one, as the flash game is getting replaced anyway.


embed.png?style=banner3

Offline

#48 2019-07-23 04:39:04

KingN24
Member
Joined: 2017-08-24
Posts: 105

Re: Data Security Breach 2 - Please Update Your Passwords

woohoo im compromised. im screwed.


Heya.

banner.png

Offline

#49 2019-07-23 05:14:58, last edited by XxAtillaxX (2019-07-23 05:15:55)

XxAtillaxX
Member
From: Canada
Joined: 2015-11-28
Posts: 3,975

Re: Data Security Breach 2 - Please Update Your Passwords

Processor wrote:

Three possibilities:
1. Hackers replaced the site contents (paths: changed DNS records / changed site contents / changed SWF file (<- most likely scenario))
2. Hackers found an XSS exploit in the flash (very unlikely)
3. The staff log your password in a database themselves (maybe to migrate users to EEU), the hacker just had to export this database

LukeM claimed that the only person having access to the game swf is Xenonetix. However, the leak specifically thanks LukeM for making the hack possible.

I know a bit more about Player.IO security after having audited it for Yahoo, and there's a little more worth noting.

Player.IO does infact hash passwords, and it does convert to lowercase prior to hashing, which rules out any ridiculous compromise of Player.IO (especially there were 800 out of the 1,000,000+ accounts shared, majority of which were active within the last few days) and Henrik is a very security focused person, unlike the majority of the staff in Everybody Edits.
Player.IO does not always store timestamps for changed files in GameFS as far as I'm aware; see the FTP upload option. I believe this remains true, although it could have changed since. I haven't looked into it.
Player.IO does store CSRF tokens in the URL of admin dashboard, so if someone were to be using TeamViewer or any remote screen sharing software with someone else who had been compromised and revealed that URL to them, it is possible that they could have had been tricked into visiting a page with XSS and that token to execute an attack. Yahoo refused to add cross domain headers to prevent doing this when I reported it, since apparently it's a fringe case but it's likely still possible in very targeted scenarios.

Nonetheless, my personal security-minded opinion is that it's overwhelmingly likely the case that one of the staff members have been compromised in some way shape or form and these attacks are being intentionally obscure and random as to disguise the fact that they've discovered a way to backdoor one or several of the developers. I would strongly advise the staff members to audit their personal security, which is the most reliable and weakest link, rather than diddling their thumbs and simply waiting for the drama to die down.


signature.png

Offline

#50 2019-07-23 05:27:22

Anatoly
Member
From: Germany, Bavaria, Munich
Joined: 2015-07-31
Posts: 6,414

Re: Data Security Breach 2 - Please Update Your Passwords

Different55 wrote:
Anatoly wrote:

take over the security of the forums.

Sorry, what?

i mean the way forums handle passwords is safer thenthe games way


Best regards,
y51lcgx.png
Graphics | Signatures
Anatoly.

Offline

Thomas333 / MarioManTj1565838533759054

Board footer

Powered by FluxBB

[ Started around 1569222506.1165 - Generated in 0.081 seconds, 13 queries executed - Memory usage: 1.69 MiB (Peak: 1.97 MiB) ]