Website & forum behaviors

Nostalrius official announcements

Re: Website & forum behaviors

by Nelythia » Fri Mar 18, 2016 8:47 pm

elandriel wrote: You know what would be handy is if the password reset actually worked


It does.

Visit https://en.nostalrius.org/password to change your password.

You will only get an email if your account has one attached.

You also have to be logged out of the en.nostalrius.org website to get the reset to work.
Nelythia - 60 Warrior
Naulii - 60 Warrior

Thanks everyone for playing on Nostalrius, it was the best WoW experience in a long time.
Nelythia
Sergeant Major
 

Re: Website & forum behaviors

by Eligius » Fri Mar 18, 2016 9:21 pm

It looks like the bugtracker (which was embedded into the official website) might very well be the source of the breach indeed.
Eligius
Senior Sergeant
 

Re: Website & forum behaviors

by ceoddyn » Fri Mar 18, 2016 10:25 pm

This makes more sense, because most of Nostalrius did not play on old private servers. Unfortunately, they are attempting to help Nostalrius by reporting bugs to a tracker with clearly broken encryption. The good news here is that Chrome protected me from registering with an easy to understand explanation about the problem.

Correct password protocol is not to generate a new password for every site, unless that happens on the backend of a password manager for which you have one memorized strong password that can be stolen. It is to not use broken websites.
ceoddyn
Senior Sergeant
 

Re: Website & forum behaviors

by Dish » Fri Mar 18, 2016 10:43 pm

I know of at least two people who never used the bugtracker, but used the same account info on other p-servers (feenix/kronos) and got "hacked".

So that's definitely one source.
Dish - Level 60 Orc Rogue
Dish
Sergeant Major
 

Re: Website & forum behaviors

by Hashmire » Fri Mar 18, 2016 10:50 pm

As one of the players with a compromised (and currently banned) account, it is unlikely that the bugtracker is the only attack vector. I do not have an account on the bug tracker; I had an account with a decent, but not impossible to brute-force, password.

If we take out the option of simple social engineering that leaves few vectors...
--A popular addon has been compromised
--A core area of Nostalrius has been compromised
--Nostalrius' brute-force protections are not good enough (seems to be the current assumption)
--Keylogger present on computer (really the same as the first option, but w/e)
--Hacker got super lucky (unlikely, but I'm trying to be fair here)
--*edit* Also a compromise of other private servers is possible, although I haven't played on those either

While the bugtracker may not be perfectly secure, it is childish to point the finger at one spot.

An important aspect that is being overlooked is that many innocent players seem to have been caught as collateral damage in the ban waves that are going out and so far, there have been no responses from staff even acknowledging the issue.
Hashmire
Grunt
 

Re: Website & forum behaviors

by SV001 » Sat Mar 19, 2016 12:10 am

Hi,

It seems I can't change my pw; the link I got in the mail just sends me back to the Nostalrius front page. When I c/c the link, it does the same.

Any help?
SV001
Private
 

Re: Website & forum behaviors

by Sauska » Sat Mar 19, 2016 12:13 am

Hashmire wrote: An important aspect that is being overlooked is that many innocent players seem to have been caught as collateral damage in the ban waves that are going out and so far, there have been no responses from staff even acknowledging the issue.


Amen, sticky please!
Sauska
Grunt
 

Re: Website & forum behaviors

by Andraxion » Sat Mar 19, 2016 1:02 am

Hashmire wrote: ... --A popular addon has been compromised ...


I don't get where people keep falling for scare tactics about addons, they aren't compiled code, they aren't really even directly "interpreted" by a known exploitable interpreter. They are raw text files that WoW's custom Lua interpreter reads and handles, that's it. Unless there is an executable file inside of the archive or someone renamed a .lua to .exe and attached code, there's no risk AT ALL.

--Source, software engineering and real world working experience in disassembly and testing in datacenters.
Tinkleflower (PvE)
Andraxion's Addon Collection [Updated and refreshed]
Taking requests for backporting addons to 1.12, though I cannot give timeframes and I'm not currently undertaking very large projects.
Andraxion
Grunt
 

Re: Website & forum behaviors

by Soupa » Sat Mar 19, 2016 1:47 am

Nelythia wrote:
elandriel wrote: You know what would be handy is if the password reset actually worked


It does.

Visit https://en.nostalrius.org/password to change your password.

You will only get an email if your account has one attached.

You also have to be logged out of the en.nostalrius.org website to get the reset to work.


What about the poor people that didn't have an email associated with their account?
Soupa
Grunt
 

Re: Website & forum behaviors

by Euronymous » Sat Mar 19, 2016 2:48 am

Andraxion wrote:
Hashmire wrote: ... --A popular addon has been compromised ...


I don't get where people keep falling for scare tactics about addons, they aren't compiled code, they aren't really even directly "interpreted" by a known exploitable interpreter. They are raw text files that WoW's custom Lua interpreter reads and handles, that's it. Unless there is an executable file inside of the archive or someone renamed a .lua to .exe and attached code, there's no risk AT ALL.

--Source, software engineering and real world working experience in disassembly and testing in datacenters.


Still doesn't mean a standard API function can't be used to scam plebs out of all their money when shrouded in some good ol' obfuscation.

http://i.imgur.com/mhso8aO.png

https://embed.gyazo.com/6324f96583cee0051a06c8d7ddc5dadc.png

--Source, you talking out your ass
Euronymous
Grunt
 
