[UI] Multi Platform Security Vulnerability

Discussion in 'General Archive' started by Josh0238, Jan 9, 2021.

Dear forum reader,

if you’d like to actively participate on the forum by joining discussions or starting your own threads or topics, please log into the game first. If you do not have a game account, you will need to register for one. We look forward to your next visit! CLICK HERE
  1. Josh0238

    Josh0238 User

    (My English is not the best thing on planet earth, sorry)

    Here is a warning for those of you that like to click every link you see

    Recently someone made a little tool to grab people's info, session id's, passwords, and a few other things.
    hopefully, people already know what I'm talking about since a lot of people from the Darkorbit community had their accounts hijacked
    Five / six years ago, I suggested adding 2fa to the game and removing the backward password reset system. I am not trying to knock the devs or the support staff, please be nice to those guys and gals, but many bad decisions were made.

    Why is this coming up now?

    Well, the simple explanation is that I want you to stay safe and stop clicking links on discord and downloading "Tools" to help you get better at the game or falling for the free this and that scam, seeing as the only free thing is the account you are giving away.

    What can Darkorbit do to protect players against these exploits?

    Darkorbit can implement 2FA not on the client login as it would be useless with the session-id logins that are happening. Instead, I suggest 2FA when passwords or email changes are requested, as you have to verify those externally.

    But josh, why is 2FA useless against session-id logins?

    Well, if I already have the session id, that means I'm already logged in.
    The session id is generated upon login from that point forward when the session id is used; the system is told that you already logged in, bypassing the login step.

    If this were any different, you'd get logged out every time you switched tab in-game :D and we already dislike back page loading times, so imagine having to login every time.
    I do not know if Darkorbit is willing to recover your items if any of these bad actors gain access to your account.

    My story
    As a player, I am not allowed information about my "account" like when I logged in last, how long, and from where I logged in?

    An example of this can be seen when I lost access to my account and contacted them from the email the account was made on and got told to get lost because the account was with its rightful owner...

    it would have taken 3 sec to see that that account had been on my email for 8+ years.
    if you don't remember your account history or Gmail deleted your emails from do you are out of luck that's all there is to it, and its a highly inefficient way to handle account security issues

    Conclusion
    Stay safe do not click any random links off discord
    if your friends seem different when they message you try messaging them on another platform

    I am by no means a cybersecurity expert, and I simplified my explanation as much as possible I don't want to keep you here all-day.

    Hopefully, someone from the team reads this and sends it up the chain as this is one of the last times ill be suggesting changes. I've got a bunch of work to do and too little time to complain.
    PS unban me on discord. I don't see the point in banning someone for asking a question about the TOS when they're confused about the language used.

    Discord Id: Josh_Hero#0003
    unban this other clown as well
    Discord Id: J6#9668

    Thanks For Reading​
     
    KilerStreak likes this.
  2. EvilHotDog

    EvilHotDog User

    Moving to appropriate section.
    Also, we can not help you regarding Discord related issues.


    EHD
     
    Last edited: Jan 16, 2021
  3. H
    His post isn't about Discord related issues, it's about protecting accounts from hackers, he used people posting links in discord to hack DarkOrbit accounts as an example. DO has very very poor security, and if you haven't noticed, support care more about the craps they take than the protection of its players.
     
  4. AVIT

    AVIT User

    the poster said he suggested 2fa 6 yrs ago lol .. most banks didnt have that six yrs ago ,get real !! he is posting for the sake of it . anyone with an once of sense would not click on a link from discord ,if he did he is a fiool to hiself

    accounts was always hacked by sharing them ,since do introduced the verify email . i doubt many have been hacked .for yrs now . onbly a serious hacker is ever gonna try hack a do account ,.it just not worth it to them
     
  5. Josh0238

    Josh0238 User

    what do you mean most banks didnt have 2fa 6 years ago
    six years ago was 2015 where were you xD

    this is not a discord issue as much as it is an issue with the way the account security is setup
    im just making sure to notify you guys through official channels, its not my problem and id probably have to get really drunk to lose my account in this way but i was hoping that you guys would take this information and help your community
     
    Last edited by moderator: Feb 2, 2021
    KilerStreak likes this.