RuneMate SAVES our passwords in PLAINTEXT

Status
Not open for further replies.
Joined
Dec 17, 2017
Messages
18
So confirmed, runemate has all of our passwords we use for botting. In plain text.

Why?
 
Superior All Knowing Person!
Joined
Oct 9, 2016
Messages
642
lol
"Joined: Today"

it's encrypted before the mods can see it, so it doesn't really matter..
they wouldn't be able to get access to your account even if they wanted to
 
Joined
Dec 17, 2017
Messages
18
lol
"Joined 2016"

Your point?

It's not encrypted, because the scripts can access it to log in
 
Joined
Dec 17, 2017
Messages
18
It's simple, I set up a new VM and logged in with my runemate user + pw. Then all of a sudden runemate can now log in to RS for me using my bot account? Our passwords are stored in runemate servers. Even if it's encrypted, the admin can easily decrypt them since the bot can too.
 
Joined
Dec 17, 2017
Messages
18
Then don't use Runemate, better yet, don't save your account. Manually log in and bot.

So pretend the admins aren't saving our passwords? And don't have access to all our accounts? And can't just run a script to find the highest skilled account they have stored via rs hiscores to steal? LOL ignorance is bliss huh?

inb4 admin closes / deletes thread due to being exposed
 
Joined
Jul 24, 2014
Messages
633
While I certainly understand you're worried, you have nothing to fear. There's no sane reason why a bot developer would steal its users' login details... RSGP is only worth a small amount, accounts can't be sold because they can be (easily) recovered, etc.
 
Java Warlord
Joined
Nov 17, 2014
Messages
4,906
So pretend the admins aren't saving our passwords? And don't have access to all our accounts? And can't just run a script to find the highest skilled account they have stored via rs hiscores to steal? LOL ignorance is bliss huh?

inb4 admin closes / deletes thread due to being exposed
Literally every single user who has used the autologin knows that runemate stores their passwords, it is absolutely not privileged information whatsoever.
 
While I certainly understand you're worried, you have nothing to fear. There's no sane reason why a bot developer would steal its users' login details... RSGP is only worth a small amount, accounts can't be sold because they can be (easily) recovered, etc.
Bot developers can't access the login data in the first place
 
Hexis bots go brrr
Joined
Dec 9, 2016
Messages
4,054
Hello. Yes. The year is 1970, public-key encryption has just started to emerge to the public. I am typing this from the future. This is a WILDLY NEW TECHNOLOGY so I have attached a simple diagram in the form of a JPG file.
[Image: 5InImTu.png]
 
Joined
Mar 28, 2017
Messages
286
So pretend the admins aren't saving our passwords? And don't have access to all our accounts? And can't just run a script to find the highest skilled account they have stored via rs hiscores to steal? LOL ignorance is bliss huh?

inb4 admin closes / deletes thread due to being exposed

Trust me, they could give a less shit about your account. If I ran this site I'd instantly ban you and close this thread because of your stupidity
 
Joined
Dec 17, 2017
Messages
18
Literally every single user who has used the autologin knows that runemate stores their passwords, it is absolutely not privileged information whatsoever.
 

Bot developers can't access the login data in the first place

And what? Let's say an admin goes rogue. Instant free 10,000 accounts for him

There's SO many options to avoid storing plain text passwords and the admins of this site FOR SOME REASON haven't done them. You can store a locally generated encryption key per computer on the fly when they first log in. Then hash their RS password with it. You store the hashed password online. Then just keep referencing the crypt key on the local computer for decrypting it. If it's a new computer you give them instructions on how to transfer the key.

OR, don't store ANY passwords online and simply store them locally. Like every other bot is doing. Genius, right?
 
Trust me, they could give a less shit about your account. If I ran this site I'd instantly ban you and close this thread because of your stupidity

Exposing security risks, totally stupid. LOL
 
Hello. Yes. The year is 1970, public-key encryption has just started to emerge to the public. I am typing this from the future. This is a WILDLY NEW TECHNOLOGY so I have attached a simple diagram in the form of a JPG file.
[Image: 5InImTu.png]

That's great and all, but they're not doing that. They're storing the password in their database, no private key to decrypt.
 
Hexis bots go brrr
Joined
Dec 9, 2016
Messages
4,054
And what? Let's say an admin goes rogue. Instant free 10,000 accounts for him

There's SO many options to avoid storing plain text passwords and the admins of this site FOR SOME REASON haven't done them. You can store a locally generated encryption key per computer on the fly when they first log in. Then hash their RS password with it. You store the hashed password online. Then just keep referencing the crypt key on the local computer for decrypting it. If it's a new computer you give them instructions on how to transfer the key.

OR, don't store ANY passwords online and simply store them locally. Like every other bot is doing. Genius, right?
 


Exposing security risks, totally stupid. LOL
Lemme just simplify this real quick.
[Image: OP1NV7n.png]


This is probably a simplified version of runemate's database (to which only 1 PERSON has access btw). Using the diagram I had in my previous post and this table example, this is how the client is able to retrieve your password from a secure format. Note how I said client and not admin. Without a decryption key it's useless.
 
Out of curiosity what are your thoughts on RiD?
 
Joined
Dec 17, 2017
Messages
18
Lemme just simplify this real quick.
[Image: OP1NV7n.png]


This is probably a simplified version of runemate's database (to which only 1 PERSON has access btw). Using the diagram I had in my previous post and this table example, this is how the client is able to retrieve your password from a secure format. Note how I said client and not admin. Without a decryption key it's useless.
"That's great and all, but they're not doing that. They're storing the password in their database, no private key to decrypt."

Hint: wireshark and watch the requests that go to runemate when you're adding a new bot account
 
Java Warlord
Joined
Nov 17, 2014
Messages
4,906
There's SO many options to avoid storing plain text passwords and the admins of this site FOR SOME REASON haven't done them. You can store a locally generated encryption key per computer on the fly when they first log in. Then hash their RS password with it. You store the hashed password online. Then just keep referencing the crypt key on the local computer for decrypting it. If it's a new computer you give them instructions on how to transfer the key.

OR, don't store ANY passwords online and simply store them locally. Like every other bot is doing. Genius, right?
First of all, what on earth makes you think they are stored in plain text?
Secondly, as mentioned already, you don't have to enter legit data if you don't trust runemate. In that case you'll have to log in to the game on your own every time.

Then hash their RS password with it. You store the hashed password online. Then just keep referencing the crypt key on the local computer for decrypting it.
Also this shows that you have no idea about security so this thread is over for me

lata
 
Joined
Dec 17, 2017
Messages
18
First of all, what on earth makes you think they are stored in plain text?
Secondly, as mentioned already, you don't have to enter legit data if you don't trust runemate. In that case you'll have to log in to the game on your own every time.


Also this shows that you have no idea about security so this thread is over for me

lata

"Hint: wireshark and watch the requests that go to runemate when you're adding a new bot account"
 