Runes of Magic login security

Runes of Magic/Radiant Arcana (http://www.runesofmagic.com)
Tarrda
Posts: 2
Joined: Sat Feb 19, 2011 2:39 pm

Runes of Magic login security

#1 Post by Tarrda » Sun Feb 20, 2011 1:16 pm

I'm sure a lot of you remember about ~8 months ago when a video on YouTube showed that Runes of Magic was sending passwords in plain text over the internet. Two days later Frogster issued a statement that they didn't think this was a security issue (even though it certainly was) but that they still made changes and "improved encryption" because they were dedicated to security... it turns out it was all a big lie. They did not attempt to make the login more secure, they just tried to hide that everything was sent in plain text.

A few friends and I have been reversing the packet handling code and we were stunned to find out that passwords were encrypted with a simple mono-alphabetic cipher.
To show everyone what the implications of this horrible "encryption" are, I have created a video that shows you can sniff passwords without ever having access to the computer that runs Runes of Magic. I've also written an article that goes into more detail about what Frogster is doing and especially what it's not doing: keeping you secure.
If you want to know more you can read the article explaining why Runes of Magic still has zero security; you can download the video on that page too. Or you can check out the video on YouTube (might need to watch in HD to make everything readable).

I'm having a hard time getting Frogster to listen; people have made threads on the European and Australian forums and they have all been deleted. My goal is to reach as many players as possible so they can't ignore us any further and give us the security we deserve. So, if it's not too much trouble, tell your friends and guild members about this too!
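Why a mono-alphabetic cipher offers no protection, as an added example that is not part of the original thread or the game's code: an audit check that takes plaintext/ciphertext pairs from your own test logins and reports whether the encoding is a fixed per-character substitution. The cipher table, function names and sample passwords are constructed for illustration; the game's real table is not given in the thread.

```python
import string

def build_toy_cipher(shift=7):
    """Constructed stand-in: a fixed per-character substitution table (assumption)."""
    alphabet = string.ascii_letters + string.digits
    return str.maketrans(alphabet, alphabet[shift:] + alphabet[:shift])

def learn_substitution(pairs):
    """Return the char->char table implied by (plaintext, ciphertext) pairs,
    or None if the encoding is not a fixed one-to-one substitution."""
    forward, backward = {}, {}
    for plain, cipher in pairs:
        if len(plain) != len(cipher):
            return None  # length changes: not a per-character substitution
        for p, c in zip(plain, cipher):
            # setdefault keeps the first mapping seen; a later conflict means
            # the output depends on position, a key or a nonce.
            if forward.setdefault(p, c) != c or backward.setdefault(c, p) != p:
                return None
    return forward

def recoverable_fraction(table, ciphertext):
    """Share of ciphertext characters already determined by the learned table."""
    if not ciphertext:
        return 0.0
    known = set(table.values())
    return sum(ch in known for ch in ciphertext) / len(ciphertext)

def decode(table, ciphertext):
    """Invert the learned table; characters not yet observed come back as '?'."""
    inverse = {c: p for p, c in table.items()}
    return "".join(inverse.get(ch, "?") for ch in ciphertext)

def audit_demo():
    toy = build_toy_cipher()
    # Constructed test passwords set on the auditor's own account.
    own_logins = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    table = learn_substitution([(p, p.translate(toy)) for p in own_logins])
    # A different constructed password sent through the same encoding.
    other = "Summer2011x".translate(toy)
    return table is not None, recoverable_fraction(table, other), decode(table, other)

if __name__ == "__main__":
    print(audit_demo())  # the table has no secret, so the third value is the password
```

A `None` result only says the encoding is not a fixed substitution; it does not show that the encoding is secure.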

Rom Botter
Posts: 85
Joined: Wed Jul 21, 2010 11:05 am
Location: Holland

Re: Runes of Magic login security

#2 Post by Rom Botter » Mon Feb 21, 2011 9:51 am

I always knew Frogster doesn't give a sh*t about their players...

so... in other words, everyone can get hacked easily if they know ur ip...?
I think people need to be educated on the fact the marijuana is NOT a drug... marijuana is a plant and an herb, GOD put it here... if GOD put it here, what gives the GOVERNMENT the right to say GOD is WRONG??? ~ Willie Nelson

miximixi007
Posts: 94
Joined: Sat Apr 17, 2010 1:18 pm

Re: Runes of Magic login security

#3 Post by miximixi007 » Mon Feb 21, 2011 10:51 am

I am sure that RoM got hacked again last week.

Administrator
Site Admin
Posts: 5307
Joined: Sat Jan 05, 2008 4:21 pm

Re: Runes of Magic login security

#4 Post by Administrator » Mon Feb 21, 2011 2:11 pm

He's basically just saying that the username and password combination might as well be sent out in plain text. It is incredibly easy for someone inside your network to sniff your login attempt and get the information, or to get it stolen by malware.

Rom Botter
Posts: 85
Joined: Wed Jul 21, 2010 11:05 am
Location: Holland

Re: Runes of Magic login security

#5 Post by Rom Botter » Tue Feb 22, 2011 2:48 am

Administrator wrote: He's basically just saying that the username and password combination might as well be sent out in plain text. It is incredibly easy for someone inside your network to sniff your login attempt and get the information, or to get it stolen by malware.
So they have to actually be inside your LAN for them to sniff ur packets?

or like u said malware... but im quite well protected against that :)

Tarrda
Posts: 2
Joined: Sat Feb 19, 2011 2:39 pm

Re: Runes of Magic login security

#6 Post by Tarrda » Tue Feb 22, 2011 4:15 am

Actually, it's far more out of your control. Your password goes through several networks before it reaches Frogster; anyone with access to those networks can sniff your password (this could be a rogue employee, or even a hacker). Those networks being hacked may not be something that happens every day, but it's certainly not an impossibility.
Your home network might also have other computers that are not secure, or other computers that you can't trust. For example, it's impossible to securely log in via a LAN party, an internet cafe, or even a coffee shop. You also can't invite your friend over to play RoM because his computer might have a virus that gets your account stolen.

The problem is that Frogster knew this for sure; they deliberately lied to their customers about how networking works. They didn't simply say "It's an issue but we don't think it's important enough", they said "It's not an issue at all, computers don't work that way, your password gets magically secured on the internet".

Administrator
Site Admin
Posts: 5307
Joined: Sat Jan 05, 2008 4:21 pm

Re: Runes of Magic login security

#7 Post by Administrator » Tue Feb 22, 2011 5:47 am

Rom Botter wrote: So they have to actually be inside your LAN for them to sniff ur packets?
As Tarrda already stated, no. This is just the simplest case. The way local networks work is actually by sending the data in every direction and letting the client decide whether or not it will handle it. That is, even if a packet is for computer A, computer B will still also receive the information. Players from a school, apartment complex, wifi hotspot, or even borrowing a workplace connection would all be at high risk.

That said, the message could still be intercepted at any number of places, but this is less common. When this happens, generally the attack is just looking for any usable data, not just for a specific application or website. This means if your account details were logged, an attacker may then attempt to use them at a variety of locations (due to many users using the same username and password across the board). This may, then, mean that your email account actually gets hacked.
Rom Botter wrote: or like u said malware... but im quite well protected against that :)
The malware doesn't even need to be on your machine, or even on your network.

Rom Botter
Posts: 85
Joined: Wed Jul 21, 2010 11:05 am
Location: Holland

Re: Runes of Magic login security

#8 Post by Rom Botter » Tue Feb 22, 2011 7:57 am

so i guess we're all screwed?? a lot of hacking has been going on in my server "ilsitir" ... many High ranked players are getting hacked...

JackBlonder
Posts: 99
Joined: Sat Dec 18, 2010 6:55 am

Re: Runes of Magic login security

#9 Post by JackBlonder » Tue Feb 22, 2011 9:02 am

Administrator wrote: The way local networks work is actually by sending the data in every direction and letting the client decide whether or not it will handle it
This is only true for hubs and wireless LAN repeaters, which are working on layer 1 in the ISO/OSI model.
Switches work on layer 2 and send only to MAC addresses.
Routers work on layer 3 and send to IP addresses.
