Welcome!

By registering with us, you'll be able to discuss, share and private message with other members of our community.

Sign up now!

RuneMate SAVES our passwords in PLAINTEXT

Status
Not open for further replies.
Joined
Dec 17, 2017
Messages
18
So confirmed, runemate has all of our passwords we use for botting. In plain text.

Why?
 
Superior All Knowing Person!
Joined
Oct 9, 2016
Messages
642
lol
"Joined: Today"

it's encrypted before the mods can see it, so it doesn't really matter..
they wouldn't be able to get access to your account even if they wanted to
 
Joined
Dec 17, 2017
Messages
18
lol
"Joined 2016"

Your point?

It's not encrypted, because the scripts can access it to login
 
Joined
Dec 17, 2017
Messages
18
It's simple, I setup a new VM and logged in with my runemate user + pw. Then all of a sudden runemate can now login to RS for me using my bot account? Our passwords are stored in runemate servers. Even if it's encrypted, the admin can easily decrypt them since the bot can too.
 
Joined
Dec 17, 2017
Messages
18
Then don't use Runemate, better yet, don't save your account. Manually log in and bot.

So pretend the admins aren't saving our passwords? And don't have access to all our accounts? And can't just run a script to find the highest skilled account they have stored via rs hiscores to steal? LOL ignorance is bliss huh?

inb4 admin closes / deletes thread due to being exposed
 
Joined
Jul 24, 2014
Messages
633
While I certainly understand you're worried, you have nothing to fear. There's no sane reason why a bot developer would steal its users' login details... RSGP is only worth a small amount, accounts can't be sold because they can be (easily) recovered, etc.
 
Java Warlord
Joined
Nov 17, 2014
Messages
4,906
So pretend the admins aren't saving our passwords? And don't have access to all our accounts? And can't just run a script to find the highest skilled account they have stored via rs hiscores to steal? LOL ignorance is bliss huh?

inb4 admin closes / deletes thread due to being exposed
Literally every single user who has used the autologin knows that runemate stores their passwords, it is absolutely not privileged information whatsoever.
 
While I certainly understand you're worried, you have nothing to fear. There's no sane reason why a bot developer would steal its users' login details... RSGP is only worth a small amount, accounts can't be sold because they can be (easily) recovered, etc.
Bot developers can't access the login data in the first place
 
Hexis bots go brrr
Joined
Dec 9, 2016
Messages
4,057
Hello. Yes. The year is 1970, public-key encryption has just started to emerge to the public. I am typing this from the future. This is a WILDLY NEW TECHNOLOGY so I have attached a simple diagram in the form of a JPG file.
5InImTu.png
 
Joined
Mar 28, 2017
Messages
286
So pretend the admins aren't saving our passwords? And don't have access to all our accounts? And can't just run a script to find the highest skilled account they have stored via rs hiscores to steal? LOL ignorance is bliss huh?

inb4 admin closes / deletes thread due to being exposed

Trust me, they could give a less shit about your account. If I ran this site I'd instantly ban you and close this thread because of your stupidity
 
Joined
Dec 17, 2017
Messages
18
Literally every single user who has used the autologin knows that runemate stores their passwords, it is absolutely not privileged information whatsoever.
 

Bot developers can't access the login data in the first place

And what? Let's say an admin goes rogue. Instant free 10,000 accounts for him

There's SO many options to avoid storing plain text passwords and the admins of this site FOR SOME REASON haven't done them. You can store a local generated encryption key per computer on the fly when they first login. Then hash their RS password with it. You store the hashed password online. Then just keep referencing the crypt key on the local computer for decrypting it. If it's a new computer you give them instructions on how to transfer they key.

OR, don't store ANY passwords online and simply store them locally. Like every other bot is doing. Genius, right?
 
Trust me, they could give a less shit about your account. If I ran this site I'd instantly ban you and close this thread because of your stupidity

Exposing security risks, totally stupid. LOL
 
Hello. Yes. The year is 1970, public-key encryption has just started to emerge to the public. I am typing this from the future. This is a WILDLY NEW TECHNOLOGY so I have attached a simple diagram in the form of a JPG file.
5InImTu.png

That's great and all, but they're not doing that. They're storing the password in their database, no private key to decrypt.
 
Hexis bots go brrr
Joined
Dec 9, 2016
Messages
4,057
And what? Let's say an admin goes rogue. Instant free 10,000 accounts for him

There's SO many options to avoid storing plain text passwords and the admins of this site FOR SOME REASON haven't done them. You can store a local generated encryption key per computer on the fly when they first login. Then hash their RS password with it. You store the hashed password online. Then just keep referencing the crypt key on the local computer for decrypting it. If it's a new computer you give them instructions on how to transfer they key.

OR, don't store ANY passwords online and simply store them locally. Like every other bot is doing. Genius, right?
 


Exposing security risks, totally stupid. LOL
Lemme just simplify this real quick.
OP1NV7n.png


This is probably a simplified version of runemates database (to which only 1 PERSON has access to btw). Using the diagram I had in my previous post and this table example this is how the client is able to retrieve your password from a secure format. Note how I said client and not admin. Without a decryption key its useless.
 
Out of curiosity what are your thoughts on RiD?
 
Joined
Dec 17, 2017
Messages
18
Lemme just simplify this real quick.
OP1NV7n.png


This is probably a simplified version of runemates database (to which only 1 PERSON has access to btw). Using the diagram I had in my previous post and this table example this is how the client is able to retrieve your password from a secure format. Note how I said client and not admin. Without a decryption key its useless.
"That's great and all, but they're not doing that. They're storing the password in their database, no private key to decrypt."

Hint: wireshark and watch the requests that go to runemate when you're adding a new bot account
 
Java Warlord
Joined
Nov 17, 2014
Messages
4,906
There's SO many options to avoid storing plain text passwords and the admins of this site FOR SOME REASON haven't done them. You can store a local generated encryption key per computer on the fly when they first login. Then hash their RS password with it. You store the hashed password online. Then just keep referencing the crypt key on the local computer for decrypting it. If it's a new computer you give them instructions on how to transfer they key.

OR, don't store ANY passwords online and simply store them locally. Like every other bot is doing. Genius, right?
First of all, what on earth makes you think they are stored in plain text?
Secondly, as mentioned already, you don't have to enter legit data if you don't trust runemate. In that case you'll have to login to the game on your own every time.

Then hash their RS password with it. You store the hashed password online. Then just keep referencing the crypt key on the local computer for decrypting it.
Also this shows that you have no idea about security so this thread is over for me

lata
 
Joined
Dec 17, 2017
Messages
18
First of all, what on earth makes you think they are stored in plain text?
Secondly, as mentioned already, you don't have to enter legit data if you don't trust runemate. In that case you'll have to login to the game on your own every time.


Also this shows that you have no idea about security so this thread is over for me

lata

"Hint: wireshark and watch the requests that go to runemate when you're adding a new bot account"
 
Status
Not open for further replies.
Top