LOTROCommunity

Security Issues at Turbine



I'm posting this here because threads have been deleted several times at Turbine's site without an acknowledgement of an issue from any dev. Today, and on several previous days, when going to Turbine's forums I was logged in under someone else's ID. From deleted posts I've seen that many other people are having this problem and it seems random. I was just wondering if this has happened to anyone and has anyone figured out why?


I'm posting this here because threads have been deleted several times at Turbine's site without an acknowledgement of an issue from any dev. Today, and on several previous days, when going to Turbine's forums I was logged in under someone else's ID. From deleted posts I've seen that many other people are having this problem and it seems random. I was just wondering if this has happened to anyone and has anyone figured out why?

Based on your description I'd say their CDN and/or load balancers are 'fubar', matching wrong session credentials to some connections, effectively meaning you get someone else's 'cookie' and thus their login identity. Rather a nasty problem if so, because it does mean you could accidentally end up on an admin's account. vBulletin is however secured rather well in that an admin needs to re-enter the password when editing posts or banning users, so apart from seeing some hidden forums the security leak is limited to information I suppose.

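The failure described above, a shared cache or load balancer storing one user's response (cookie included) and replaying it to the next visitor, is something a cache admission rule can refuse. The check below is an added example, not code from the thread, from Turbine or from vBulletin; the request and response headers are constructed sample data, and treating a session Cookie the same way RFC 9111 treats Authorization is this example's own assumption.

```python
"""Shared-cache admission check (added example, not code from the thread,
Turbine or vBulletin). It models the fault described above: a per-user
response, Set-Cookie header included, stored by a CDN or load-balancer cache
and replayed to the next visitor, who then arrives logged in as someone else.
"""
from typing import Dict, Set, Tuple

# Directives that mark a response as belonging to one user; a cache shared
# between users must never store such a response.
PRIVATE_DIRECTIVES = {"private", "no-store"}


def _tokens(header_value: str) -> Set[str]:
    """Split 'Private, max-age=0' into {'private', 'max-age=0'}."""
    return {p.strip().lower() for p in header_value.split(",") if p.strip()}


def shared_cache_may_store(request: Dict[str, str],
                           response: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason). Header names are matched case-insensitively.

    Rules: Set-Cookie or a private/no-store directive always forbids storage.
    A request that carried credentials (Authorization, or a session Cookie)
    may be stored only if the origin says Cache-Control: public and does not
    vary on the credential. RFC 9111 forbids shared caches from storing
    responses to Authorization'd requests unless the origin explicitly allows
    it; accepting only 'public' and extending the rule to Cookie is this
    example's assumption, chosen as the safe default.
    """
    req = {k.lower(): v for k, v in request.items()}
    resp = {k.lower(): v for k, v in response.items()}

    if "set-cookie" in resp:
        return False, "response carries Set-Cookie"
    directives = _tokens(resp.get("cache-control", ""))
    if directives & PRIVATE_DIRECTIVES:
        return False, "Cache-Control marks the response private/no-store"
    if "authorization" in req or "cookie" in req:
        vary = _tokens(resp.get("vary", ""))
        if "cookie" in vary or "authorization" in vary or "*" in vary:
            return False, "response varies on the credential"
        if "public" not in directives:
            return False, "credentialed request without Cache-Control: public"
    return True, "cacheable"


# Constructed sample exchange: a logged-in user's forum page. Not real traffic.
SAMPLE_REQUEST = {"Host": "forums.example", "Cookie": "sessionid=c0ffee"}
SAMPLE_RESPONSE = {"Set-Cookie": "sessionid=c0ffee; Path=/",
                   "Cache-Control": "max-age=600"}

if __name__ == "__main__":
    print(shared_cache_may_store(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```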

My prime recommendation is that no one who is interested in the security of their systems and game login information should be using the official "Community" site at all. There have been significant concerns about the framework security, raised ad nauseam without due consideration (and, in several cases, with derision by the "loyal elite" and infractions from the moderators), and there has not been an attempt by Turbine to consider that things may not be as secure on their end as they contend.


Hehe!

Tell that to SOE!

They thought they were invulnerable and their systems were all perrrrrfect!

I am one of the lucky ones who got a nice email saying my old out of date 2004 credit card number is now in the hands of a nice criminal _O-


Hehe!

Tell that to SOE!

They thought they were invulnerable and their systems were all perrrrrfect!

I am one of the lucky ones who got a nice email saying my old out of date 2004 credit card number is now in the hands of a nice criminal _O-

Same here.. My son uses PSN and they sent him a mail saying my out of date credit card was also in the hands of criminals.

This is disturbing news about the forums.

Not sure how far they could go.. hmm.. well maybe change email on account and utilize forgotten password.. set the secret answer to the secret question and find out some stuff.

Depends how serious and knowledgeable the person who wrote the code was as to how secure stuff was, and given the problems with session tracking.. not that careful.


Hehe!

Tell that to SOE!

They thought they were invulnerable and their systems were all perrrrrfect!

I am one of the lucky ones who got a nice email saying my old out of date 2004 credit card number is now in the hands of a nice criminal _O-

No emails for me as yet from SOE - and I had three SWG accounts pre-NGE!

Back on topic - this makes me very nervous about EVER visiting the Turbine forums! Especially as, from what the OP said, Turbine appear to be completely ignoring the issue.


Turbine appear to be completely ignoring the issue.

in addition, there are other possible security and huge privacy flaws in Turbine's community site (which Turbine is ignoring, as you can see in this thread: http://forums.lotro.com/showthread.php?393561-turbine-my.lotro-shows-everything-to-everyone-no-matter-what )

my.lotro allows significant profiling of us players. If you know one toon of a player, you easily get access to _every_ toon on this player's account _and_ to the activity-log for each toon.

Some of you know the activity-log of the WOW-Armory, which shows the last 50 entries. But that's nothing compared to my.lotro. The my.lotro log shows every single log-entry since spring 2007.

Some of you may say, yeah - but you can hide these logs. But the only thing that is hidden is the link to these logs. They are still there, just by appending /activitylog, /skirmishlog or /skirmishcharts to the my.lotro character URL (my.lotro.com/home/character/ANYserver/ANYcharacter).

Does anyone of you share "our" privacy-issues? Or are we (who are posting in the US-Forums) the only ones who care?

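The post above describes a hide-the-link-but-not-the-resource flaw: the /activitylog, /skirmishlog and /skirmishcharts pages stay fetchable once the link is gone. The handler below is an added example, not code from the thread or from my.lotro, showing the visibility flag enforced on the resource itself at every fetch; the character records, account ids and server name are constructed data, and only the URL shape follows the one quoted in the post.

```python
"""Server-side enforcement of a 'hide my logs' setting (added example, not
code from the thread or from my.lotro). The flag is checked on the resource
at fetch time, so removing the link is no longer the only protection.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# The sub-resources named in the thread; all go through the same check.
PROTECTED_SUFFIXES = ("activitylog", "skirmishlog", "skirmishcharts")


@dataclass
class Character:
    owner: str                  # account that owns the character
    logs_public: bool = True    # the 'hide logs' checkbox, inverted
    logs: Dict[str, str] = field(default_factory=dict)


# Constructed sample data: no real servers, characters or accounts.
CHARACTERS: Dict[str, Character] = {
    "exampleserver/Alice": Character("acct-1", logs_public=False,
                                     logs={"activitylog": "constructed log text"}),
    "exampleserver/Bob": Character("acct-2", logs_public=True,
                                   logs={"activitylog": "constructed log text"}),
}


def fetch(path: str, viewer_account: Optional[str]) -> Tuple[int, Optional[str]]:
    """Resolve /home/character/<server>/<name>[/<log>] and return (status, body).

    viewer_account is None for an anonymous visitor. Hidden logs answer 404,
    not 403, so the response does not confirm that the log exists.
    """
    parts = path.strip("/").split("/")
    if len(parts) < 4 or parts[:2] != ["home", "character"]:
        return 404, None
    char = CHARACTERS.get("/".join(parts[2:4]))
    if char is None:
        return 404, None
    if len(parts) == 4:                      # the public profile page
        return 200, f"profile of {parts[3]}"
    sub = parts[4]
    if sub not in PROTECTED_SUFFIXES:
        return 404, None
    # The owner always sees their own logs; everyone else only when public.
    if not char.logs_public and viewer_account != char.owner:
        return 404, None
    return 200, char.logs.get(sub, "")
```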

in addition, there are other possible security and huge privacy flaws in Turbine's community site.

my.lotro allows significant profiling of us players. If you know one toon of a player, you easily get access to _every_ toon on this player's account _and_ to the activity-log for each toon.

Some of you know the activity-log of the WOW-Armory, which shows the last 50 entries. But that's nothing compared to my.lotro. The my.lotro log shows every single log-entry since spring 2007.

Some of you may say, yeah - but you can hide these logs. But the only thing that is hidden is the link to these logs. They are still there, just by appending /activitylog, /skirmishlog or /skirmishcharts to the my.lotro character URL (my.lotro.com/home/character/ANYserver/ANYcharacter).

Does anyone of you share "our" privacy-issues? Or are we (who are posting in the US-Forums) the only ones who care?

I'd like to note that you don't have to log in for these issues to possibly affect you. When you create a game account and start playing, a forum account is automatically created for you and the two are tied together. This also makes it impossible to be anonymous in-game (even though they give you a little check box in the fellowing panel that makes you think you're anonymous.)


I'd like to note that you don't have to log in for these issues to possibly affect you. When you create a game account and start playing, a forum account is automatically created for you and the two are tied together. This also makes it impossible to be anonymous in-game (even though they give you a little check box in the fellowing panel that makes you think you're anonymous.)

And I bet Turbine will still blame you if your account gets hacked! In spite of the glaringly obvious security and privacy issues they have at their end. :(


The official reply was really crappy in my opinion. "Working As Intended" with a hint of "Shut It Or Ban."

Okay, the problem isn't probably as bad as I imagine it could be, but I got a Facebook Security Shiver from this affair. :/


Okay, the problem isn't probably as bad as I imagine it could be, but I got a Facebook Security Shiver from this affair. :/

^^

but Facebook at least allows you to _really_ hide everything from everyone and show it only to specific people.

Turbine shows everything of you to everyone. All you can do is to uncheck a box and hide the direct link to everything, but it is still available -.-

+ it is easily possible to show _all_ toons connected to your account, freeps as well as creeps, and there is _nothing_ you can do about it...


Not sure how far they could go.. hmm.. well maybe change email on account and utilize forgotten password.. set the secret answer to the secret question and find out some stuff.

vBulletin requires you to re-enter your current account password whenever you change anything that could lead to hijacking, such as your email address or password. Hence a session hijack cannot lead to an account hijack without further exploits being used. Worst damage is posting under another person's account and seeing hidden forums.


Does vBulletin also log you out regularly even though you've checked the box 'Keep me logged in'? }:| I'm getting so sick of having to log in every day. Isn't this what we have cookies for?!


No, vB keeps you logged in, period. MueR uses it for our Alliance forum. You do still have to relog for Admin privileges on a new session, but that's entirely reasonable.


They appear to be using some crappy load balancer with a shared session server. That's why it often redirects you back to where you came from, not where you want to go.


They'll probably introduce new priority access services on the forums for a nice modest fee from the store. The new Tome of Forum Acceleration is coming soon™ |:(


In post #47 Sapience says

This, in a nutshell.

This conversation, by the way, isn't new. It is an exact copy of the conversation and concerns expressed by a small number of players when the MyLOTRO service was launched. So I'm not surprised a similar number of EU players are expressing the same concerns as all of this is new to them now.

As I said then, and have said a number of times, this is exactly how the service is intended to work. MyLOTRO is a social network and functions as such.

However on a social network site you at least get to say who your friends are and what information they can see about you.

MyLOTRO is not a social network; it is just an easily accessible database of all your character data.

I would post this over there but I don't have a US account, yet :/


We did, multiple times ... but we fall on deaf ears at Turbine, especially Sapience with this...

+ he is kinda insulting ppl who STILL think it cannot be WAI ..

http://community.codemasters.com/forum/lord-rings-online-general-discussion-424/463042-mylotro.html#post7051032

http://archive.lotrocommunity.eu/lord-rings-online-general-discussion-424/463042-mylotro.html#post7051032


We did, multiple times ... but we fall on deaf ears at Turbine, especially Sapience with this...

+ he is kinda insulting ppl who STILL think it cannot be WAI ..

http://community.cod...tml#post7051032

If I insulted a customer base like he did, I don't imagine I would keep my job. Those who agree with him are eligible to be his Twitter friends; those who disagree with him are either "trolls" or "conspiracy theorists".

What that poor Patience had to deal with...


They appear to be using some crappy load balancer with a shared session server. That's why it often redirects you back to where you came from, not where you want to go.

Why am I suddenly getting flashbacks to Microsoft ISA Server, the 'Internet Security and Acceleration' proxy that couldn't keep cookies connected to the right user way back in the last century?

