  1. #41
    Player
    One_Time's Avatar
    Join Date
    Sep 2013
    Posts
    91
    Character
    The Gibbs
    World
    Famfrit
    Main Class
    Goldsmith Lv 84
    Excellent info. I will begin work on a new application with this information you provided.
    (0)

  2. #42
    Player
    Join Date
    Mar 2011
    Posts
    4,948
    Ask Reinhart just how much more gets posted in the JP threads from the devs than the English ones, looking over everything he's translated we get about 1 post for every 3 they get even though we have the exact same topics over here (some of which are just as high profile to all countries and not just Japan).
    That's just because the devs speak Japanese, so it's much easier for them to communicate. That does NOT however mean that stuff doesn't get read on the NA forums nor does it mean that our excellent community reps don't communicate any of our concerns to them.
    (4)

  3. #43
    Player
    Ebon_Drake's Avatar
    Join Date
    Sep 2013
    Posts
    179
    Character
    Ebon Drake
    World
    Zalera
    Main Class
    Archer Lv 50
    Why hack anyone? Just look at your session ID and then using some common sense write an application that generates random session IDs and tests them against the server for validity reporting back which ones are good.

    Seems Apple got into trouble with this a while back and whoever discovered it got in a load of trouble if I recall.

    SE Fix this please.
    (3)

  4. #44
    Player
    TaranTatsuuchi's Avatar
    Join Date
    Oct 2011
    Posts
    1,462
    Character
    Aryn Tatsuuchi
    World
    Balmung
    Main Class
    Samurai Lv 90
    Wow, Yeah gotta agree, this needs fixed fast.

    Quote Originally Posted by Eekiki View Post
    Was not expecting to see a link to my post in here... XD
    (2)

  5. #45
    Player
    Ladon's Avatar
    Join Date
    Aug 2012
    Posts
    570
    Character
    Resa Nome
    World
    Hyperion
    Main Class
    Paladin Lv 90
    Quote Originally Posted by Ebon_Drake View Post
    Why hack anyone? Just look at your session ID and then using some common sense write an application that generates random session IDs and tests them against the server for validity reporting back which ones are good.

    Seems Apple got into trouble with this a while back and whoever discovered it got in a load of trouble if I recall.

    SE Fix this please.
    Because session IDs are 32 hex digit GUIDs with 2^128 possible combinations. Good luck finding an active one especially since the server isn't going to let you check them at any kind of reasonable rate.
    (0)

  6. #46
    Player
    Ebon_Drake's Avatar
    Join Date
    Sep 2013
    Posts
    179
    Character
    Ebon Drake
    World
    Zalera
    Main Class
    Archer Lv 50
    Quote Originally Posted by Ladon View Post
    Because session IDs are 32 hex digit GUIDs with 2^128 possible combinations. Good luck finding an active one especially since the server isn't going to let you check them at any kind of reasonable rate.
    My point is it's not impossible.

    How long does it take 20 people, 50 people, 100 people trying this method from as many computers before hitting on 1 valid ID that doesn't belong to them. Are you suggesting that since it took so long to get one ID that it's ok? Is it fair to the person whose account they stole?

    It shouldn't be possible at all.
    (2)

  7. #47
    Player
    Ladon's Avatar
    Join Date
    Aug 2012
    Posts
    570
    Character
    Resa Nome
    World
    Hyperion
    Main Class
    Paladin Lv 90
    Quote Originally Posted by Ebon_Drake View Post
    My point is it's not impossible.

    How long does it take 20 people, 50 people, 100 people trying this method from as many computers before hitting on 1 valid ID that doesn't belong to them. Are you suggesting that since it took so long to get one ID that it's ok? Is it fair to the person whose account they stole?

    It shouldn't be possible at all.
    How long? Uh, many, many years. I don't think you realize the magnitude of the probability we are talking about here. Do you realize how many of the 2^128 GUIDs are actually active at the moment? What, a million at the very, very most? That's a .000000000000001% chance you are going to hit an active GUID.

    Social engineering people into giving you their credentials is going to be far more successful than trying to brute force a 32 digit HEX GUID.
    (2)
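
The arithmetic behind this exchange, worked through as an added example (not part of any post in the thread). It assumes session IDs are drawn uniformly from a cryptographically secure generator; the active-session count, client counts and the 1,000 guesses per second per client are constructed values, and the 32-bit case is included only to show why ID length matters.

```python
import math
from fractions import Fraction

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def hit_probability(active_sessions, id_bits=128):
    """Chance that one uniformly random guess equals some active ID."""
    return Fraction(active_sessions, 2 ** id_bits)


def expected_years(active_sessions, clients, guesses_per_sec, id_bits=128):
    """Mean time until the first guess lands on any active session."""
    p = hit_probability(active_sessions, id_bits)
    expected_guesses = 1 / p  # mean of a geometric distribution
    total_rate = clients * guesses_per_sec
    return float(expected_guesses / total_rate) / SECONDS_PER_YEAR


def prob_hit_within(years, active_sessions, clients, guesses_per_sec,
                    id_bits=128):
    """P(at least one hit) = 1 - (1 - p)^n, computed without underflow."""
    p = float(hit_probability(active_sessions, id_bits))
    n = years * SECONDS_PER_YEAR * clients * guesses_per_sec
    return -math.expm1(n * math.log1p(-p))


if __name__ == "__main__":
    ACTIVE = 10 ** 6   # constructed: "a million at the very most"
    RATE = 1000        # constructed: guesses per second per client
    print(f"per-guess chance: {float(hit_probability(ACTIVE)):.3e}")
    for clients in (20, 50, 100):  # the group sizes raised in the thread
        years = expected_years(ACTIVE, clients, RATE)
        one_year = prob_hit_within(1, ACTIVE, clients, RATE)
        print(f"{clients:>3} clients: ~{years:.2e} years expected, "
              f"P(hit in 1 year) = {one_year:.2e}")
    # Contrast: the same model with a 32-bit identifier.
    secs = expected_years(ACTIVE, 100, RATE, id_bits=32) * SECONDS_PER_YEAR
    print(f"32-bit IDs, 100 clients: ~{secs:.3f} seconds expected")
```

The estimate only holds for IDs with full 128-bit unpredictability; identifiers built from timestamps, counters or a weak random source have a far smaller effective search space.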

  8. #48
    Player
    Ebon_Drake's Avatar
    Join Date
    Sep 2013
    Posts
    179
    Character
    Ebon Drake
    World
    Zalera
    Main Class
    Archer Lv 50
    Quote Originally Posted by Ladon View Post
    How long? Uh, many, many years. I don't think you realize the magnitude of the probability we are talking about here. Do you realize how many of the 2^128 GUIDs are actually active at the moment? What, a million at the very, very most? That's a .000000000000001% chance you are going to hit an active GUID.

    Social engineering people into giving you their credentials is going to be far more successful than trying to brute force a 32 digit HEX GUID.
    Well I guess we're safe then, whew.. That's a load off my back.
    (0)

  9. #49
    Player
    Fahzewn's Avatar
    Join Date
    Aug 2013
    Posts
    42
    Character
    Fahzewn Jukuren
    World
    Adamantoise
    Main Class
    Lancer Lv 58
    Quote Originally Posted by Livilda View Post
    Twelvedamn. I can't really think of any other game with such a huge security hole. I'll have to try playing around with this myself when I get home.
    Rift was bad for the first month or so. Same thing like this one...a player found it and explained it. They were bypassing the Log-In screen pretty much as well.
    (2)
    ...and it's a fact, that the ones actually fighting, are never perceived as being tainted.

  10. #50
    Player
    Tsukki's Avatar
    Join Date
    Feb 2012
    Location
    Uldah
    Posts
    21
    Character
    Tsukki Zakki
    World
    Sargatanas
    Main Class
    Conjurer Lv 50
    wow....... yeah this is bad... very bad... This needs to be sorted out asap, like right now! *bump*
    (0)
