Welcome!

By registering with us, you'll be able to discuss, share and private message with other members of our community.

Sign up now!

RuneMate SAVES our passwords in PLAINTEXT

Status
Not open for further replies.
Buying & Selling RSGP
Joined
Dec 5, 2017
Messages
19
Even if they stored them in plaintext it doesn't matter as long as you have 2FA and don't use the same password elsewhere, it's been said over 50000 billion times lol.
 
Joined
Dec 17, 2017
Messages
18
You mean the requests that are encrypted with TLS? lol

You mean installing a self signed local cert to view TLS encrypted requests is impossible? lol

Also really proving you're the one who has no clue about security.
 
Java Warlord
Joined
Nov 17, 2014
Messages
4,906
You mean installing a self signed local cert to view TLS encrypted requests is impossible? lol

Also really proving you're the one who has no clue about security.
I'm not the one trying to decrypt hashes
 
Show us your logs and I'll believe you.
I mean it's possible, but my first impression of him let me believe he would be too retarded to get that done :D
 
Joined
Nov 5, 2014
Messages
505
Just to debunk the whole check the network log claim, (as expected) any communication with Runemate's servers during the process of adding or deleting an account is encrypted. Of course this doesn't prove that accounts are stored in an encrypted form in the remote database but I'm fairly certain they will be.

g7Z4izY.png
 
Author of MaxiBots
Joined
Dec 3, 2013
Messages
6,861
And what? Let's say an admin goes rogue. Instant free 10,000 accounts for him

There's SO many options to avoid storing plain text passwords and the admins of this site FOR SOME REASON haven't done them. You can store a local generated encryption key per computer on the fly when they first login. Then hash their RS password with it. You store the hashed password online. Then just keep referencing the crypt key on the local computer for decrypting it. If it's a new computer you give them instructions on how to transfer they key.

OR, don't store ANY passwords online and simply store them locally. Like every other bot is doing. Genius, right?
 


Exposing security risks, totally stupid. LOL
 


That's great and all, but they're not doing that. They're storing the password in their database, no private key to decrypt.
First you say they're plain text, then you say they're encrypted, now they're plain text again. Which one is it?
 
Java Warlord
Joined
Nov 17, 2014
Messages
4,906
Just to debunk the whole check the network log claim, (As expected) any communication with Runemate's servers during the process of adding or deleting an account is encrypted.

g7Z4izY.png

a8b35f4f-7900-4cc9-a1c1-fd6d93629789
There are ways around that, check MITMProxy for example
 
First you say they're plain text, then you say they're encrypted, now they're plain text again. Which one is it?
His point is that they are allegedly stored in plaintext on the servers, which I absolutely can't imagine, knowing arbiter
 
Joined
Dec 17, 2017
Messages
18
User accounts are not, and never have been, sent to the server in cleartext. I advise OP to heed his own advice and Wireshark his own requests after spoofing the SSL certificate.

Ok I heeded my own advice and verified that they are encrypted somehow. Both the login name + password are encrypted in one string and sent to the server. The alias is not encrypted. But that's less important.

Example of one account encrypted. I hope there is a private key associated to this encryption string. I highly doubt there is. So it's STILL able to be deciphered by an intruder gaining access to the database, or by any of the admins.

Code:
IfPhZTmAHsrPKBNqZoFwMtysh8lMKAcZT601/+ElDTeuyf8uv6hPFujN3sMi5+YA
 
Does not exist.
Joined
Jun 8, 2015
Messages
333
just get authenticator and u will be safe i had accounts with more then 1B 07 without that on runemate never got hacked :)
 
Joined
Dec 17, 2017
Messages
18
just get authenticator and u will be safe i had accounts with more then 1B 07 without that on runemate never got hacked :)

But then I can't run bots overnight. They may get stuck if I lose internet connection. RuneMate should instead store this data locally, or use a private key to encrypt. One supplied by the user, and not stored anywhere. A "mater password".
 
I've been called a god before.
Joined
Aug 5, 2014
Messages
3,212
yo forreal are you kidding me?

This is probably the safest bot website out there and you're trying to complain about aliases not being encrypted?

cmon.
 
Status
Not open for further replies.
Top