ACCOUNT HACKED
_Youkai_:
maybe someone have keylogger installed and doesn't know... :-\
BubbaBrown:
--- Quote from: Sgt Hartman on February 19, 2010, 10:25:33 am ---Hashing the pass before transmission wouldn't be better, the dude sniffing the network could login as well, even if it would be a bit harder.
--- End quote ---
That's why you salt and rehash them before transmission. A function would need to be put into place in the client and server to generate a combined hash using either a set of shared keys or one generated based on some independent, changing but synchronized factor (time), the password, and some salt. This way a resulting hash couldn't be used twice. And even if the attacker knew the salt and time... they still don't know the password to generate the next required hash for authentication.
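The scheme BubbaBrown sketches is a challenge-response login: the server hands out a one-time value, the client mixes it with a secret derived from the password, and the server checks the result. The following is an added illustration, not code from the FOnline client or server; it assumes a random per-login nonce instead of synchronized time, a per-user salt that the server sends along with the challenge, and HMAC-SHA256 over a PBKDF2-derived key (all choices made for the example). It shows the two properties the post claims: a captured response cannot be replayed, and knowing salt and nonce without the password does not produce a valid response.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; assumption for the example


def derive_key(password: str, salt: bytes) -> bytes:
    """Turn the password plus per-user salt into a fixed-length key.
    The client does this for every login; the server stores the result."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What the client sends instead of the plaintext password:
    HMAC(key derived from password, server's one-time nonce)."""
    key = derive_key(password, salt)
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Server:
    """Minimal server side of the exchange. Stores salt + derived key per user
    (note: the stored key is a password-equivalent and must itself be protected)."""

    def __init__(self, users):
        self.users = users          # username -> (salt, derived_key)
        self.outstanding = {}       # username -> nonce awaiting a response

    def challenge(self, username: str):
        """Step 1: issue a fresh random nonce; one challenge per login attempt."""
        salt, _ = self.users[username]
        nonce = os.urandom(16)
        self.outstanding[username] = nonce
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Step 2: recompute the expected HMAC and compare in constant time.
        The nonce is consumed whether or not the check succeeds, so a sniffed
        response is useless a second time."""
        nonce = self.outstanding.pop(username, None)
        if nonce is None:
            return False
        _, key = self.users[username]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Run one honest login, one replay of the sniffed response, and one attempt
    with a wrong password. Returns (honest_ok, replay_ok, wrong_pw_ok)."""
    salt = os.urandom(16)
    server = Server({"bubba": (salt, derive_key("correct horse", salt))})  # constructed user

    srv_salt, nonce = server.challenge("bubba")
    response = client_response("correct horse", srv_salt, nonce)
    honest_ok = server.verify("bubba", response)

    # An eavesdropper who captured `response` tries to send it again.
    replay_ok = server.verify("bubba", response)

    # An attacker who knows salt and nonce but not the password.
    srv_salt, nonce2 = server.challenge("bubba")
    wrong_pw_ok = server.verify("bubba", client_response("guess", srv_salt, nonce2))

    return honest_ok, replay_ok, wrong_pw_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The one thing this does not solve, which the thread's keylogger remark covers, is a compromised client: if the password is captured on the player's own machine, any protocol on the wire is irrelevant.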
BubbaBrown:
--- Quote from: IronHalik on February 19, 2010, 07:14:45 pm ---I was thinking a lot about SQL injection here. The traffic sent by the game does not yet look exploitable to me, though any malicious code injection could be a problem here?
--- End quote ---
The only attack point would probably be on Fonline client authentication in either the username or password. The client filters out special characters, but a forged packet could probably carry the SQL injection. A simple python script can do that after using wireshark to capture enough packet information. This is especially true if the authentication function used the given username and password strings directly in a code side SQL query to the server.
--- Quote from: Kinkin on February 19, 2010, 07:55:07 pm ---The problem for them is the forum fonline2238.net, they have the same password in-game and on this forum.... Who has access to the SQL server? Or is SMF secure enough?
--- End quote ---
The FOnline service, updater, SMTP server, and forums are hosted on the same box. Unless the hosting company provides SQL server access, the SQL server is on there but not configured to accept external connections. After that, it all depends on whether a dedicated forums account was created, limited, and restricted to just the forums database properly. And SMF uses sha1 to store its passwords, so there's very little chance of grabbing them from the forum database and using them in the plaintext authentication of FOnline.
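BubbaBrown's point above is that client-side filtering of special characters does not protect a login query if the server builds that query by pasting the received username and password into SQL. Below is an added example, not FOnline code and not a description of its actual server: a toy login against an in-memory SQLite table, written once by string concatenation and once with parameterized queries, with a constructed username containing a quote and a comment marker. The concatenated version lets the crafted name satisfy the query without the right password; the parameterized version treats the same bytes as a plain string and rejects the login. The table layout and the use of sha1 for the stored hash (chosen to mirror the SMF remark) are assumptions for the example.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed test database with a single user; sha1 used only to mirror the
    thread's SMF remark, not as a recommendation."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("bubba", hashlib.sha1(b"correct horse").hexdigest()),
    )
    return conn


def login_concat(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Vulnerable form: the received name is spliced into the SQL text, so the
    database parser sees whatever the packet carried, filtered client or not."""
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    query = (
        "SELECT 1 FROM users WHERE name = '" + name + "' "
        "AND pw_hash = '" + pw_hash + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_param(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Hardened form: placeholders keep name and hash as data; the SQL text is
    fixed no matter what bytes arrive, so no server-side filtering is needed."""
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT 1 FROM users WHERE name = ? AND pw_hash = ?",
        (name, pw_hash),
    ).fetchone()
    return row is not None


# Constructed forged username: closes the string literal and comments out the
# password check. A filtering client would never send it; a forged packet can.
FORGED_NAME = "bubba' --"


def run_demo() -> dict:
    """Returns the outcome of four logins so the two implementations can be compared."""
    conn = make_db()
    return {
        "concat_valid": login_concat(conn, "bubba", "correct horse"),
        "concat_forged": login_concat(conn, FORGED_NAME, "wrong"),
        "param_valid": login_param(conn, "bubba", "correct horse"),
        "param_forged": login_param(conn, FORGED_NAME, "wrong"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
    # expected: concat_forged True, param_forged False, both *_valid True
```

The detection angle for a server operator is the same in either case: log authentication attempts with the raw username length and a flag for quote or comment characters, and alert on names the real client could never have produced.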
blahblah:
One additional way of "hacking" in is if you shared your logs with anyone and typed ~myinfo before. It displays the password in plain text.
The 94.23.237.127.2238.cache file stores your password in plain text as well, you just need to open it in notepad.