[Implemented] Secure Recover Password - new page
Posted: Fri Mar 01, 2013 10:33 am
by neoshagrath
Bug Title - Log-in Recovery Exploit
Universe - Any
Bug Description - You can lock out a player from his account if you know his/her email.
How to repeat - Go to log-in recovery and input their email. The password of the account tied to that email will automatically be reset.
I tried it on my own account resetting the password every few mins for 15 minutes. I think you can go on longer.
Forum mods can find out the email tied to your forum account although not the one you use in-game.
Time it happened - Tried it and reported it on the first 2 months of ZE.
P.S.
I guess it does not really matter if nobody knows your email.
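The flaw reported above is a recovery page that overwrites the password the moment an e-mail address is submitted, so anyone who knows the address can lock the owner out. The following added example (not code from the game or from anyone in this thread) puts that handler beside a token-based reset in which nothing changes until the mailbox owner presents a single-use, expiring token, with a per-account throttle on reset mails; the account, the address and the mailer stub are constructed placeholders.

```python
import secrets
from dataclasses import dataclass, field

RESET_TTL = 15 * 60        # token lifetime in seconds
MAX_REQUESTS_PER_HOUR = 3  # cap on reset mails per account per hour
outbox = []                # constructed stand-in for the mail system: (recipient, token)

@dataclass
class Account:
    email: str
    password: str
    reset_tokens: dict = field(default_factory=dict)   # token -> expiry timestamp
    request_times: list = field(default_factory=list)  # timestamps of recent reset requests

# Constructed sample account; the address is a placeholder, not a real player.
accounts = {"player@example.invalid": Account("player@example.invalid", "hunter2")}

def send_mail(email, token):
    """Mailer stub: only the mailbox owner ever sees the token."""
    outbox.append((email, token))

def recover_insecure(email):
    """Flaw as reported: knowing the e-mail is enough to overwrite the password."""
    acct = accounts[email]
    acct.password = secrets.token_urlsafe(8)   # owner is locked out immediately
    return acct.password

def request_reset(email, now):
    """Hardened step 1: no state change; a time-limited token is mailed to the address.
    Unknown addresses and throttled accounts fall through silently (no enumeration)."""
    acct = accounts.get(email)
    if acct is None:
        return
    acct.request_times = [t for t in acct.request_times if now - t < 3600]
    if len(acct.request_times) >= MAX_REQUESTS_PER_HOUR:
        return                                 # throttled: repeated requests send nothing
    acct.request_times.append(now)
    token = secrets.token_urlsafe(32)
    acct.reset_tokens[token] = now + RESET_TTL
    send_mail(email, token)

def complete_reset(email, token, new_password, now):
    """Hardened step 2: the password changes only when the mailed token is presented."""
    acct = accounts.get(email)
    if acct is None:
        return False
    expiry = acct.reset_tokens.pop(token, None)  # single use: consumed even if expired
    if expiry is None or now > expiry:
        return False
    acct.password = new_password
    return True
```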
Re: Log-in Recovery Exploit
Posted: Fri Mar 01, 2013 11:02 am
by Zorg
Not really a bug or an exploit as you said; he must know the email.
PLUS, anyone attempting this will earn a nice big permanent ban across all universes.
We really had no such cases.
But I agree that it should be remedied and it will be in the following days.
Re: Log-in Recovery Exploit
Posted: Fri Mar 01, 2013 3:53 pm
by neoshagrath
Everyone has their own definition I guess.
Email addresses can be obtained through simple SE. And it is not something you hide like your passwords. There's even a slot reserved on the player card where you can advertise your email.
So how about we call it a vulnerability that can be exploited.
No such cases huh? So we wait until someone actually tries it?
Lastly, how would you know for sure which player to ban if it happens? If I see a top player attacking me, I could use a proxy and hijack my own account. Will my losses be compensated?
I'm not sure if you are the old Zorg from long ago, but he said it will also be remedied in the following days. Years have passed. I hope these will speed it up a bit.
Never had any intention of making it public since everyone probably knew but never talked about it, until I heard a mod was giving out private player info to others.
Re: Log-in Recovery Exploit
Posted: Fri Mar 01, 2013 4:42 pm
by MrSinister
Then you should report the Mod you're talking about to the Admin.
Re: Log-in Recovery Exploit
Posted: Fri Mar 01, 2013 4:47 pm
by Sprog
It was well known to a lot of people that it could be done, and it seems some people will go to any length to be at the top the easy way. But as Zorg stated above, it will now be sorted out. I'm sure if someone did suspect it happened to them then there are ways and means to follow the trail regardless of a proxy server. I'm sure Zorg stated in the forum before that it would employ more rigorous checks on people hiding behind a proxy server (no idea how tbh)... Bottom line is it is a shame that some feel the need to cheat in the first place whilst declaring they are great players... great players don't NEED to cheat... just saying
Re: Log-in Recovery Exploit
Posted: Fri Mar 01, 2013 4:50 pm
by neoshagrath
@ sin
Don't have any solid proof. They might just say "pics or it didn't happen" like the way I did.
They might have obtained the info some other way and are just blaming the mods. But there is still the possibility that it is true and it is pretty disconcerting.
@ sprog
If you are using a reliable VPN, you would need a court order to find out who is behind a specific IP. But then with an excellent VPN, you won't get anything at all.
My mouse dropped just now and the left click is not working.
Re: Log-in Recovery Exploit
Posted: Fri Mar 01, 2013 4:57 pm
by SPY
neoshagrath wrote:
Lastly, how would you know for sure which player to ban if it happens? If I see a top player attacking me, I could use a proxy and hijack my own account. Will my losses be compensated?
I have a better idea... hijack that top player instead
Re: Log-in Recovery Exploit
Posted: Fri Mar 01, 2013 5:00 pm
by neoshagrath
For what purpose? You would just be delaying him by wasting your own time. :p
Re: Log-in Recovery Exploit
Posted: Fri Mar 01, 2013 5:04 pm
by SPY
I was referring to a possible ninja scenario
Re: Log-in Recovery Exploit
Posted: Fri Mar 01, 2013 5:08 pm
by neoshagrath
An excellent idea indeed.
On a side note, I was wondering...
Would it be better to inform people how to pick a pocket so they can avoid it? Or not tell them at all so they would not try?