Welcome!

seraphic · Dec 17, 2017

Even if they stored them in plaintext it doesn't matter as long as you have 2FA and don't use the same password elsewhere, it's been said over 50000 billion times lol.

savior · Dec 17, 2017

rcoder said:
"Hint: wireshark and watch the requests that go to runemate when you're adding a new bot account"

You mean the requests that are encrypted with TLS? lol

rcoder · Dec 17, 2017

Savior said:
You mean the requests that are encrypted with TLS? lol

You mean installing a self signed local cert to view TLS encrypted requests is impossible? lol

Also really proving you're the one who has no clue about security.

swych · Dec 17, 2017

rcoder said:
"Hint: wireshark and watch the requests that go to runemate when you're adding a new bot account"

Show us your logs and I'll believe you.

savior · Dec 17, 2017

rcoder said:
You mean installing a self signed local cert to view TLS encrypted requests is impossible? lol

Also really proving you're the one who has no clue about security.

I'm not the one trying to decrypt hashes

Quinnn said:
Show us your logs and I'll believe you.

I mean it's possible, but my first impression of him let me believe he would be too retarded to get that done

jhinn · Dec 17, 2017

TO CASUAL WE GOOOOOOOOOOOOOOOOOOOO

ozzy · Dec 17, 2017

Just to debunk the whole check the network log claim, (as expected) any communication with Runemate's servers during the process of adding or deleting an account is encrypted. Of course this doesn't prove that accounts are stored in an encrypted form in the remote database but I'm fairly certain they will be.

aidden · Dec 17, 2017

rcoder said:
And what? Let's say an admin goes rogue. Instant free 10,000 accounts for him

There's SO many options to avoid storing plain text passwords and the admins of this site FOR SOME REASON haven't done them. You can store a local generated encryption key per computer on the fly when they first login. Then hash their RS password with it. You store the hashed password online. Then just keep referencing the crypt key on the local computer for decrypting it. If it's a new computer you give them instructions on how to transfer they key.

OR, don't store ANY passwords online and simply store them locally. Like every other bot is doing. Genius, right?

Exposing security risks, totally stupid. LOL

That's great and all, but they're not doing that. They're storing the password in their database, no private key to decrypt.

First you say they're plain text, then you say they're encrypted, now they're plain text again. Which one is it?

savior · Dec 17, 2017

Ozzy said:
Just to debunk the whole check the network log claim, (As expected) any communication with Runemate's servers during the process of adding or deleting an account is encrypted.

There are ways around that, check MITMProxy for example

Aidden said:
First you say they're plain text, then you say they're encrypted, now they're plain text again. Which one is it?

His point is that they are allegedly stored in plaintext on the servers, which I absolutely can't imagine, knowing arbiter

aidden · Dec 17, 2017

@Arbiter

arbiter · Dec 17, 2017

User accounts are not, and never have been, sent to the server in cleartext. I advise OP to heed his own advice and Wireshark his own requests after spoofing the SSL certificate.

swych · Dec 17, 2017

/thread

skrall · Dec 17, 2017

Savior said:
Bot developers can't access the login data in the first place

I meant client developer, mb.

savior · Dec 17, 2017

skrall said:
I meant client developer, mb.

Ah gotcha. The bot authors do have access to the aliases though.

0privacymatter0 · Dec 17, 2017

i'm not worried about this website hacking me, i bot with my funds on my account and never been hacked, peaked at 700m and still botting, no hacks.

EvilCabbage said:
man if only i fucking cared enough to reply more decently to this..

legendary comment

qosmiof2 · Dec 17, 2017

I thought i was retarded :thinking_face:

rcoder · Dec 17, 2017

Arbiter said:
User accounts are not, and never have been, sent to the server in cleartext. I advise OP to heed his own advice and Wireshark his own requests after spoofing the SSL certificate.

Ok I heeded my own advice and verified that they are encrypted somehow. Both the login name + password are encrypted in one string and sent to the server. The alias is not encrypted. But that's less important.

Example of one account encrypted. I hope there is a private key associated to this encryption string. I highly doubt there is. So it's STILL able to be deciphered by an intruder gaining access to the database, or by any of the admins.

Code:

IfPhZTmAHsrPKBNqZoFwMtysh8lMKAcZT601/+ElDTeuyf8uv6hPFujN3sMi5+YA

unexist · Dec 17, 2017

just get authenticator and u will be safe i had accounts with more then 1B 07 without that on runemate never got hacked

rcoder · Dec 17, 2017

unexist said:
just get authenticator and u will be safe i had accounts with more then 1B 07 without that on runemate never got hacked

But then I can't run bots overnight. They may get stuck if I lose internet connection. RuneMate should instead store this data locally, or use a private key to encrypt. One supplied by the user, and not stored anywhere. A "mater password".

qosmiof2 · Dec 17, 2017

yo forreal are you kidding me?

This is probably the safest bot website out there and you're trying to complain about aliases not being encrypted?

cmon.

Search

Navigation

Navigation section

Welcome!

RuneMate SAVES our passwords in PLAINTEXT

seraphic

Buying & Selling RSGP

savior

Java Warlord

rcoder

swych

Hexis bots go brrr

savior

Java Warlord

jhinn

ozzy

aidden

Author of MaxiBots

savior

Java Warlord

aidden

Author of MaxiBots

arbiter

Mod Automation

swych

Hexis bots go brrr

skrall

savior

Java Warlord

0privacymatter0

qosmiof2

I've been called a god before.

rcoder

unexist

Does not exist.

rcoder

qosmiof2

I've been called a god before.

We value your privacy