
Heartbleed vulnerability


dotChuckles


Hello, I was checking all the sites that I have logins for the Heartbleed vulnerability and the online checker is coming back with digitalcombatsimulator.com as being vulnerable and the forums as being "unsure".

 

Does anyone from that side of things know when the SSL will be updated so I can change my password?

 

Thanks!

 

Chuckles


The issue is known and SSL will be updated soon, no exact date known at this time however.


Daniel "EtherealN" Agorander | Даниэль "эфирныйн" Агорандер

Intel i7 2600K @ 4.4GHz, ASUS Sabertooth P67, 8GB Corsair Vengeance @ 1600MHz, ASUS GTX 560Ti DirectCU II 1GB, Samsung 830series 512GB SSD, Corsair AX850w, two BENQ screens and TM HOTAS Warthog

DCS: A-10C Warthog FAQ | DCS: P-51D FAQ | Remember to read the Forum Rules | Life of a Game Tester

All servers should now be updated.

Daniel "EtherealN" Agorander | Даниэль "эфирныйн" Агорандер

[...] and the online checker is coming back with digitalcombatsimulator.com as being vulnerable and the forums as being "unsure".

 

Hold on, there's SSL for the forum? I just tried but get a connection error for https.


Forum does not use SSL.

Daniel "EtherealN" Agorander | Даниэль "эфирныйн" Агорандер

Okay, that's what I thought. Thx for the info. :)

But the ED shop used SSL, so the Forum accounts are affected, if you have bought in it.

 

https://www.digitalcombatsimulator.com/en/shop/

 

So please send a message to all shop users if the SSL bug is fixed.

 

Changing the password is only useful if the bug is closed and the SSL key was regenerated by ED. But the passwords should be changed.


Edited by Anastasiuss

360th TFW Falconeers

ASUS P6X58D Premium, Intel Core i7 920, 6GB DDR3, SAPPHIRE TOXIC HD 5850, Win7 64 Bit. X52, Track IR 4, Momo Racing.

ArmA1+2+3, DCS: World, K-50, A-10C, CA, P-51D, UH-1H, Mi-8FC1+2+3, FalconAF, FC1+FC2, IL2'46, rFactor.

Well, with no SSL on forums, the forum passwords aren't vulnerable to this exploit. Ironically, in the case of this vulnerability, sites that do NOT use SSL were sort of more secure than those that did use it. (Thus the rabble-rabble etc.)

 

But yes, if you used the same password on both, changing password on both is a good precaution. However, I doubt the DCS site would have been a "hot exploit", since there's plenty of other sites that handle a lot more user data and more sensitive types of data.

Daniel "EtherealN" Agorander | Даниэль "эфирныйн" Агорандер

But the ED shop used SSL, so the Forum accounts are affected, if you have bought in it.

 

Not entirely sure what you mean here. Purchases cannot be made with a forum account. The forum account is completely separate and runs on a separate server.

Daniel "EtherealN" Agorander | Даниэль "эфирныйн" Агорандер

Well, with no SSL on forums, the forum passwords aren't vulnerable to this exploit.

 

Depends. Back in the day, around the time A-10C went into pre-purchase, it was suggested that users use the same username, password and email on digitalcombatsimulator.com that they also used on the forum to gain access to the Beta forum IIRC. Users who never changed their passwords or kept them in sync since then would indeed be affected even though forum and store keep their data in different locations/databases/hosts/whatever.

 

In any case, I just changed my passwords and made sure that they're different. :)

 

Edit: A quick search came up with this post, but I'm sure it was announced officially somewhere.


Edited by Yurgon

Depends. [...]

 

Yeah:

 

But yes, if you used the same password on both, changing password on both is a good precaution.

 

Point is that that is a LONG time ago. 4 years, to be pseudo-exact. And in the context of this vulnerability, the forum accounts are not breachable, since the vulnerability the exploit uses is in a piece of software that the Forum has never used. But as mentioned, if you have the same password/username, you should change it. (Indeed, you "should" change it every couple months no matter what.)

 

What I was explaining is that this exploit cannot be used to attack the forum server - thus the "unsure" in the test, since the test was asked to try to exploit a vulnerability in a piece of software that isn't even running on this server. :)

 

EDIT: To bring into context: if you used Sony's service when their PlayStation Network was cracked, you should change password on anything and EVERYTHING that uses the same password. Doesn't matter if it's related to Sony or not.


Edited by EtherealN

Daniel "EtherealN" Agorander | Даниэль "эфирныйн" Агорандер

And in the context of this vulnerability, the forum accounts are not breachable, since the vulnerability the exploit uses is in a piece of software that the Forum has never used.

 

I don't intend to go into too many iterations here, I just think it's important to point out that if someone uses the same username + password on the forum as on the main page, then it's not necessary for an attacker to attack the forum, because the same data could have been retrieved from the main page.

 

I don't think such a targeted attack on this particular forum and/or the ED main page is a likely scenario. As you pointed out, there are much "juicy-er" sites out there. It's a valid scenario nonetheless.

 

Besides, the term "attacker" is somewhat arbitrary and ever since Snowden we must definitely include powerful, state-funded services that don't care about ED or us in particular -- they just want to collect as much as is technically possible. Who knows whether or not they might use such data against any of us in the future? (*)

 

But as mentioned, if you have the same password/username, you should change it. (Indeed, you "should" change it every couple months no matter what.)

 

Does the forum happen to store the date that the password was last changed? It'd be interesting to see a statistical analysis of how many of the active users did not change their password in $time_frame. Of course, I would never keep my password unchanged for 4 years... :music_whistling:

 

EDIT: To bring into context: if you used Sony's service when their PlayStation Network was cracked, you should change password on anything and EVERYTHING that uses the same password. Doesn't matter if it's related to Sony or not.

 

I totally agree. :)

 

(*) Haha, interesting point. Whenever I write some kind of nonsense, I'll just blame it on $three_letter_service in an attempt to undermine my credibility. :D (**)

 

(**) Of course that never happens. :lol:


Edited by Yurgon

Yeah, but what I am saying is: why would someone attack the main page (where both our and your "data" is) in order to figure out logins to a forum that... well... allows you possibly to pretend you're someone else, I guess, if you happen to get their login.

 

But this is why I from the beginning said that if you have the same password, it's advisable to change it.

 

Basically, I don't even understand what we are arguing about. :D

Daniel "EtherealN" Agorander | Даниэль "эфирныйн" Агорандер

Basically, I don't even understand what we are arguing about. :D

 

I don't, either. I thought you did. :lol:

 

To anyone who wants to know how this vulnerability actually works, this xkcd is spot-on. :thumbup:

 

heartbleed_explanation.png


Yup, I was actually about to post it here too. A very good one. :)

Daniel "EtherealN" Agorander | Даниэль "эфирныйн" Агорандер

Yeah, but what I am saying is: why would someone attack the main page...

 

To collect account & password combinations. Most internet users use the same combination for all their other sites/accounts. PayPal is not affected by Heartbleed, but maybe one of us uses the same account & password combination.


To collect account & password combinations. Most internet users use the same combination for all their other sites/accounts. PayPal is not affected by Heartbleed, but maybe one of us uses the same account & password combination.

 

We were talking about the forum here though.

 

You don't attack the forum via the site anyway. Separate servers. No SSL on forum, so no Heartbleed exploit. To sploit with heartbleed, you'd have had to sploit the site first.

You don't gain more account/password combinations through testing the account/password you got from the site through Heartbleed when you check if that account/password combo also works on the forum. You already have them. But okay, it does add the gain of confirming that the stolen account details do work on a web forum where the worst you could do with them is to perhaps ghost-post someone or spam for 5 seconds until the ban is in effect. :P

 

Check this out:

 

Step 1) I 'sploit Heartbleed and gain the username and password you use on the DCS site.

Step 2) What do I gain through using your username and password on the forum? Remember, I already have the username and password, clearly.

 

Remember: the forum is not vulnerable to this exploit and never was, so the only way for the forum to be relevant to Heartbleed is if they already gained your account/password combo. You don't gain more accounts through taking ones you already have. ;)

 

However, as I did mention:

 

But yes, if you used the same password on both, changing password on both is a good precaution.

Daniel "EtherealN" Agorander | Даниэль "эфирныйн" Агорандер

Clarification:

 

When I logon to my account on http://www.digitalcombatsimulator.com it does not say https anywhere but I get verified as the user that I am with my credentials. Only when I click on "Personal Section" the URL changes to https.

 

Is the logon process secured via https even when I can't see it in the URL or anywhere else ?

 

If it isn't, then this all would make no sense, so I guess the Logon button itself is https secured, we just can't see it.

 

Is this correct ?

 

 

Anyway, be sure there are many open holes left and NSA knows most of them. Security is a joke when you mess with thousands of highly paid and educated NSA employees. Nothing is safe and all can be faked.

 

Bit

Gigabyte Aorus X570S Master - Ryzen 5900X - Gskill 64GB 3200/CL14@3600/CL14 - Asus 1080ti EK-waterblock - 4x Samsung 980Pro 1TB - 1x Samsung 870 Evo 1TB - 1x SanDisc 120GB SSD - Heatkiller IV - MoRa3-360LT@9x120mm Noctua F12 - Corsair AXi-1200 - TiR5-Pro - Warthog Hotas - Saitek Combat Pedals - Asus PG278Q 27" QHD Gsync 144Hz - Corsair K70 RGB Pro - Win11 Pro/Linux - Phanteks Evolv-X 


  • ED Team

Dear users!

 

Your passwords at digitalcombatsimulator.com were not affected by the Heartbleed vulnerability! Our logon process is not secured with SSL, but after you click the login button your password is encrypted before it is sent (you should see a lock icon near the password field), so there is no way to intercept your DCS password.

 

But we rechecked and updated all our servers.


Edited by const


Hmm...

I've just checked it and I'm really disappointed.

Our passwords are not sent in encrypted form.

They're being sent in PLAIN TEXT in http POST request.

 

Why are you trying to fool us that they're encrypted? The lock icon near the password field means nothing, besides that when you click it, it sends a request to http://mc.yandex.ru/clmap/20852101 with some additional parameters.

Anybody can check that I'm right using simple tools like Fiddler2 or similar.

When you're logging into digitalcombatsimulator.com there is a POST form sent to the URL:

http://www.digitalcombatsimulator.com/en/?login=yes

and in sent content there are your login and password put as form fields values:

 

sessid=[hereComesSessionID]&backurl=%2Fen%2F&AUTH_FORM=Y&TYPE=AUTH&USER_LOGIN=[yourLoginHereInPlainText]&USER_PASSWORD=[yourPasswordHereInPlainText]

 

So without use of https our sensitive data (username/passwords) are just carelessly sent over the internet. That's not nice, and your post only makes it worse...:doh:


--

"The three best things in life are a good landing, a good orgasm, and a good shit.

A night carrier landing is one of the few opportunities to experience all three at the same time."


(...)

Our passwords are not sent in encrypted form.

They're being sent in PLAIN TEXT in http POST request.

(...)

 

Actually it does use https if you first go to the login page using a url that specifies it. From there it also posts using https. So the problem is rather that it doesn't enforce https for the login process.

 

https://www.digitalcombatsimulator.com

 

http://www.digitalcombatsimulator.com


  • ED Team
Hmm...

I've just checked it and I'm really disappointed.

Our passwords are not sent in encrypted form.

They're being sent in PLAIN TEXT in http POST request.

 

Why are you trying to fool us that they're encrypted? The lock icon near the password field means nothing, besides that when you click it, it sends a request to http://mc.yandex.ru/clmap/20852101 with some additional parameters.

Anybody can check that I'm right using simple tools like Fiddler2 or similar.

When you're logging into digitalcombatsimulator.com there is a POST form sent to the URL:

http://www.digitalcombatsimulator.com/en/?login=yes

and in sent content there are your login and password put as form fields values:

 

sessid=[hereComesSessionID]&backurl=%2Fen%2F&AUTH_FORM=Y&TYPE=AUTH&USER_LOGIN=[yourLoginHereInPlainText]&USER_PASSWORD=[yourPasswordHereInPlainText]

 

So without use of https our sensitive data (username/passwords) are just carelessly sent over the internet. That's not nice, and your post only makes it worse...:doh:

 

Fixed.
