Summary
I'm just going to make this short and to the point. For over a year there
have been people combo listing and ever so many people aware of it,
there's been to the lesser known extent but known by flowplay/ourWorld
multiple data breaches. Essentially just things to aid people who want to
hack accounts and steal the items to prosper in game or to sell for real money
on player auctions. I've had my account hacked and been in the complete
dark as to how until recently as I wasn't vulnerable to combo-listing and
have had stopping this or at least raising awareness about it a big priority
in my life.
In the below I'll be discussing various issues and how they were
addressed by flow play behind the scenes or publicly.
The Issues/Topics:
- Combo Listing.
- Database Leaks.
- Server Errors.
- history of prevention
- Failure to acknowledge account hacking.
- Criminal Harassment
- Lack of moderation.
- Community Incompetence
- Secret Question Vulnerabilities
- Victim Blaming.
- What you can do to stay safe.
- Attempts to communicate with Flow Play and end various issues.
- About Me (A short-ish summary.)
Combo Listing
Combo Listing is something that has been around for a long
time but has seemed to become very popular within the last
year not only on ourWorld but other places. the process is
simple and doesn't require anyone engaging in it to do much.
There's some terminology in combo listing that I'll explain below:
Leaks
A leak is essentially a website like ourWorld being hacked and the
data stored in the database being exported and put public for sale
in the case of combo listing this refers specifically to the user/email
and password combinations that the users used on the site, this would
look as follows: user123(at)example(dot)com:password5000.
user123@example(dot)com << being the email.
password5000 << being the password.
Combination Lists
A leak leads to a list of combinations like the above being made
for software that implements the attack technique on a specific
site and checks line by line and tests the email : password combinations.
Obtaining Combination Lists:
Anyone can download combo lists from combo-list(dot)com as well
as various forms by either paying for them or just downloading free
ones.
The Practical Process:
Provided that one isn't going to write a tool and is like
most of the people who combo-list on ourWorld, the process
consists of someone hooking you up with a combo listing tool
b3rb and jess are some of the known people to have hooked
people up with the tools to combo list, Madelyn also introduced
a few people to it and so did many others. Once you've obtained
a combo listing tool it's as simple as selecting a combination list
that you've downloaded and hitting run. It will test each login in the
list and then output working logins to a new list. See to the account
hacking process for more in depth info.
The Current State:
ourWorld has changed the requirements for their authentication
system multiple times and old combo listing tools that didn't provide
the required cookies are now broken. This disables anyone who can't
code from combo listing until someone who can, makes a new tool.
--
Database Leaks
The ourWorld forums were running the long and abandoned jforum
which was vulnerable to remote code execution and potentially SQL
injection. A friend of mine compromised the server via the forums before
it was taken down and at any time in the past they could have been
hacked for more malicious purposes and were. You've never heard about
this or had any warning as flowplay is NOT a transparent company in any
way, shape or form. The first time and only time I had even heard of anything
relating to a database leak was when I was casual with Madelyn and she asked
me if I knew how to crack hashes as she had her friends email. I assumed
it was from another site that was from a list that had the password hashes
instead of passwords.
Additional Design Vulnerability
There's something that comes out as a flaw to the authentication system
of ourWorld that may or may not have mattered this entire time, which
prevents attackers from having to crack the passwords to get on accounts,
the issue comes from ourWorld converting the password to a hash locally
and then sending it in the request, this means that in the events of
a database leak like there had been, there's no need to figure out
the corresponding string/password to the hash and enter it manually
in the game client, you simply need to send the hash in the login
request and you'll get a loginid which you switch yours to in your
cookies and refresh into the account. << On the contrary to the typical
of handing the server a password and it hashing it and converting it
to the one in the database.
Stupidity
Many people like to call me a script kiddie, which isn't the case,
but those same people are the ones who quite literally would have to crack
the hashes. I'm unaware of who exactly knew anything about the auth
system and who didn't. But with the stated above, any account, no
matter what length/strength of the password is accessible in the events of a database leak.
Verification
The database leaks had the last IP address associated with the account
and as you may or may not know IP addreses, like phone numbers, have
certain numbers that are assigned to certain areas, you can look
them up and find the area that they belong to, this is how IP verification
works on ourWorld for the most part, in this case the IP addresses that
were associated/verified on the account were looked up and then proxy
servers that are in that or around that location would be used to login
to the account so that the server wouldn't ask questions about verification.
And incase you're more technical and aware that flash doesn't respect proxy
settings, the ourWorld game server doesn't check the IP address immediately
connected, it checks the one from at sign in on the web server.
The Source:
The main source of the leaks is believed to be the site that was
taken down by the FBI in january: weleakinfo(dot)com
--
Server Errors
Due to the amount of people flooding the one and only webserver
with login attempts, it would get overloaded and throw server errors,
the server errors were a good measurement of how many people were doing it.
--
History of Prevention
There honestly hasn't been a lot done to prevent many of these issues,
but we'll start with the basics, after the server was compromised for
the unknownth time but known to flowplay, they took down the forums.
This leaves the only real attack vectors being things they've written
their CGI scripts and the game server. Additionally all account cracking
tools including my own, used the forums for authentication, this most likely
prevented or slowed down account cracking for a tiny little bit.
From the time that the forums were taken down until approximately january
/february 2020, nothing had seemed to be done, until of course ourWorld started
rate limiting and banning IP addresses that made too many login requests, this
wasn't a proper IP ban and instead of blocking communication with the webserver
it was instead that the webserver would just tell the client "You're not allowed
to access this" on each request, wasting resources and leading to still overloading
the server and causing errors. You may think that this would have or should have
ended combo listing, however, this simply meant that others likely slowed down
how fast they would send login requests and additionally would use proxy lists.
It's to my knowledge that nothing other than this was done until around
the end of May 2020. Mid may/the end of may 2020 I decided to write an
account jammer as a counter attack to the signout thing that people
like Mike would use on myself and others and even used it while
hacking his account, I left it jamming his account until today
actually, when they started filtering XO's in the chat, I didn't
keep this to only Mike and I've used it on anyone who pissed me off
if I'm being honest, I've put up with a lot on the game for so many
years and honestly felt like I didn't have to anymore, and I could
keep accounts down for days at a time, this being said, I did for some
people, in some cases it was warranted and in others it was petty.
With the above being stated, this was around the time that they started
switching up the authentication system, weather the following was for me
or for the combo listers is up to you to decide: I'll start with details
on the first change, they started requiring the machineid cookie being in
the request and potentially even all the "evercookie"'s which are just the
machineid. I adapted and my scripts were able to login again, not too long
later (a few days or so give or take) they changed it again to require another
cookie/cookies. They also for a short while started requiring logins to be from
HTTPS instead of HTTP, presumably because the combo listing tools were accessing
the site by HTTP and not HTTPS and they could see that in the logs, this definitely
wasn't to stop anything I was doing as I had it use HTTPS from the getgo.
After days of jamming and various tickets from many people, one morning most
people were unable to login to the game, I presume that they were trying to
block proxies/vpn's and failed and ended up blocking a lot of regular users
instead, but that's only a guess, for hours a lot of people couldn't login
and it appeared to be IP and potentially even user agent related.
I believe that the incident where nobody could login was an attempt
at them to prevent me from automating login, as this would appear
to be their strategy to stop me at that point, however... It affected
many innocent users and didn't actually stop my account jammer, my
jammer was going unaffected the entire time.
Today they've decided to make XO yet another filtered word.
--
Failure to acknowledge account hacking.
For the entirety of the account hacking situation and many victims
creating support tickets, ourWorld support and moderators have failed
to ever acknowledge or listen to anything said about combo listing or
account hacking. There have been those who have woken up to having
all of their items gone on their account, EVERYTHING taken, not
a single item being left on the account. They would never ban
anyone who traded the items to themselves and it's been as if
it's never even existed. See Victim Blaming for more.
--
Harassment
Account hacking aside, there's issues with harassment that
go untouched and continue and slip under the radar, some people
do not feel safe and are under constant threats by people threatening
them and creating accounts and going around with their real name.
They can report and nothing happens, they don't get banned and it
continues, I've used my account jammer and various things that I can
do to get these people tf off/away from them, but I shouldn't have even
had to, this is something that there should be moderators for.
--
Lack of moderation.
The above issue is something that is TOO prevelant
and that is one of the reasons I've went all out
recently, the people who manage the game DO NOT
seem to care in the slightest that people are
being hacked or that others are walking around
with stolen items. All of these people walk
away without consequences and don't get banned
even though they actively hack accounts and
check ones from leaks. I get banned actively
and they remain untouched.
--
Community Incompetence
I honestly have to say that one of the worst issues
in this has been the community, you've all posted constantly
about the account jamming situation on support, you've made
tickets about me constantly and when it comes to people who
are hacking accounts, you really don't see the same.
The support page is the best example of this, honestly you
all put so much focus into talking smack about blooming bouquet
but yet mike and tahlea were out there hacking accounts and so
were so many others. Nobody who has known anything has done anything
to prevent it, you all put your time into stupid issues instead or
do nothing entirely. Issues like scamming and account hacking could
have been prevented with simple awareness, willful ignorance and lack
of care from those not immediately effected by it has done this community
no good in the slightest. It took the community A LONG time to even acknowledge
combo listing, and when I've peacefully tried to raise awareness, I've recieved
backlash and gotten the blame, been ignored and not taken seriously.
This community could easily do so many things together to raise awareness about
each issue, you could talk about it, you could have events to raise awareness
about it, you could write tickets to support, discuss it on here.
But you all honestly won't, I'll likely be the only person that you'll report,
I'll get more shit from most of you than any of the worst of them ever will.
You can trash talk me on the comments of this post, someone who hacks accounts
can come in and do it to from a most likely compromised one and you'll ignore it.
--
Secret Question Vulnerabilities
First of all, I'd like to state that there was a long period to
me where it was unknown how most were getting past verification
and it wasn't like ANYONE was going to tell me, absolutely nobody
did and I had to figure it out ALL on my own, it was my priority
to, figuring all of this out initially to get it patched was my
initial goal, it later turned into figuring it out to fight back.
Discovery #1
The first secret question vulnerability I had discovered in late december
when I had actually mostly forgoten my answer, I was sending verification
emails and putting my answer in, when one time I hit the back button
and noticed it let me do it again, and I could keep doing it, so I
decided to go to developer tools and see the request being made,
I then I tried replaying the request with curl, it got a proper
failure response and not an expired token one or anything.
I wrote a simple bash script to do it easier and just used
the same token as I was under the impression that it didn't
or wouldn't expire for some time, I kept trying with the
script until I got it, as it was faster than hitting
the back button and I was able to think better while
guessing. I eventually got it and got the success
message (I was printing out anything that wasn't a failure).
^^
From this point I understood that I could verify on an account
via secret question without sending an email, I didn't understand
how this entirely tied into hacking accounts, I assumed that there
was some default value for accounts that didn't have one set that
was being used, but nothing of that sort worked for me.
I was so close and yet so far off at the same time...
Discovery #2
During my time with working with b3rb and almost going insane myself
and going through compromised accounts/automating, I noticed that some
would popup and ask to set the secret question without being verified.
This in combination with the first discovery is the verification vulnerability
and another way/reason that accounts were able to have their items stolen.
--
Victim Blaming
Honestly another big part of all of this and leaving everyone in the dark
is the assumption that the victim did something wrong, that they did something
out of the normal, that they clicked a link, that they gave their credentials
away, anything of that sort. It's the same problem that exists with scamming
on the game, it doesn't help anyone, awareness does and it honestly needs to stop.
--
What you can do to stay safe.
Password Security
1) Use a password that you don't use with your username/email anywhere else
2) Use a password that only you will know.
3) Change your password if you haven't changed it in the past year.
4) Change your password weekly (if there's a leak, ourWorld will fix it, they won't tell you and you'll be vulnerable though)
Verification Security
1) Never share your secret question with anyone!
2) Do not use a real/personal answer for your secret question!
3) Do not put your real country or city on your profile.
4) Do not share your location with anyone suspicious.
Information Security
1) Share this with others
2) Pay attention to these things
3) Talk about it more often
--
Attempts to communicate with Flow Play and end various issues.
As early as november 2019 I've been trying to end combo listing,
I actually had multiple plans and wanted to get people involved,
I had invested so much into plans for stopping scamming as well,
and I had scripts that could detect when players enter the room
by their userid and raise alerts and keep records and bring up
entries from a file. It was for a crew that I was planning called
DCASI and unlike my modern day behavior, it was meant to be professional.
I wanted to take issues into my own hands as well as create a plan (which I did)
to stop combo listing and defend accounts from being hacked, I wanted to use the
power that the sys-admin had to do it, I understand that they can't/don't want to
work with old code, I truly do, but I also understand that you can deal with these
things at a much higher/non-code level as a sys-admin and take care of it with relative ease.
As hard as It is for most people who are going to read this to believe, I'm actually experienced
with a lot of things, MySQL/MariaDB, CentOS (the operating system the main server runs) bash scripting,
linux systems administration, It's all stuff that I really enjoy and am quite familiar with more or less.
And I've gotten a great idea of the ourWorld infrastructure, and I can list off so much and potentially even
why they chose to do certain things they did and the circumstances. That being said, I had a plan that I wanted
to present to them and get their sys-admin to do. I contacted IzzyLoo, someone I was informed that was a moderator.
I decided to go to her over Ooie because ooie is generally percieved to be a non-caring bych. And I didn't want to
risk ruining the only shot that I'd have, not that it mattered in the end. The following is what I sent her and
what she responded with.
DISCLAIMER:
In these messages I was not as informed about anything as I am now and still
hadn't really understood anything pertaining to the game data or how any
of the game hacks others had done were done, I was in the dark and truly
speculating based on what other idiots told me/kept warning me about.
DarkeningLynters:
Message #1
I'd like to talk to you about the people who are breaking into accounts and robbing them of items, I have a few proposals and ideas on how you
and other staff w/ the help of your developers could easily put an end to it. I know that you might not take this seriously at first,
but I come from a background of linux system adminstration, website management and various hjacking/security. I'll give a few examples
of things that I've discovered about ourWorld on my own: ourWorld buys it's music from audiosocket, the songs aren't stored on ourWorld
but rather audiosocket, you guys still have the old songs on your servers for streaming. (this was discovered by basic resource sniffing).
I've started development on a basic TCP proxy, I.E: being able to resend the data that the game send to OW and bck I know that ourWorld data
is encoded with base64. I know that ourWorld is a 2d, 3d illusion. The boardwalk backdrop is a 2d image, and I've once replaced it with one
with adult content overlayed on it, I took a picture with the ingame camera and got it into my album, as ourWorld staff may or may not know,
as my account was chat deactivated for two days at the time. I know that ooie is believed to have a bad attitude/way of dealing with these
things (I've never personally talked to her), based on what I've heard, I've come to you about this.
And to top this message off, I know that ourWorld runs CentOS. My favourite enterprise class linux distribution, basically a community version
of redhat enterprise linux. If you're interested or free to talk, I'd be interested in helping solve this problem. I'm on here almost all the time.
Message #2
I know that you guys use MySQL for your database.
I know (or speculate) that the forums were shutdown
due to jforum not having been updated in a long time and potentially having unknown/never to be patched vulnerabilities.
I know that a bunch of script kiddies on this game are using Winsock Packet Editor (a cluncky and old tool) to attach to
the process of their browsers and resend data, which has resulted in pretty much every hjack on this game under the sun over the years.
I know more than I can even say, but never the less: want to say here.
You might wonder If I'm trust worthy or not, just know that while I've done some stupid shjit on this game, It's only been for attention,
I would never do anything to harm innocent players on this game (keyword: innocent). I've put pjorn in my album,
I've written gem hjacks and given players gems, I've written account hjacking tools that use the forums
(to hjack specific accounts via emjail, not widespread/random ones).
I've actually planned out hjacking the computers of scammers, working on anti-virus evasion and a million other things.
My point is that: I don't have any intention of actually harming this game. And specifically for the trust thing:
all I can say is that: I'm not working with anyone else on this game, every single other hjacker on this game hates me,
as I talk about and make everything possible/public in a way where it could very easily be patched by developers.
I can provide source code to all tools made by me, and even further make new ones to test the security of ourWorld.
I'm eighteen and have been on this game since I was seven years old. I'm well aware of the fact that admitting any of
this could result in the ban hammer being brought down on me.
Do with all of this as you will.
IzzyLoo:
Hello!
First, I want to appologize for late response to you. I have not logged on IzzyLoo in a couple weeks. As I work
on a different FLowplay game.
I will write more to you as I wrap my head around it all and propose it to our CEO - Derrick.
As I am sure it is in his best interest.
Write more soon,
Izzy
DarkeningLynters:
Message #1
I've spent the past week doing everything in my power to warn other players to increase their own security as well
as trying to counter what they've been doing with combo lists by doing the same, only logging the user id's of
compromised accounts which I can detect if near me using packet capture software. I personally have put a lot of
thought and care in the past week or two into trying to stop a lot of the things that have been going on.
players have been crashing each other by flooding each other with Emojis, the account robbers have been doing it too.
I've personally written a tool that would protect some players as a temporary solution (by removing emoticons).
Anyway, what I'm trying to say is that I've actually cared about helping and have tried, only a few things haven't
gone as planned, .A: some players haven't believed me .B some players have accused me of actually doing it. And literally today,
my account got hjacked. which I'm not really sure as to how. I actually originally planned on testing various things and figuring
it all out to bring to staff/developer attention, but... as of today I mostly lost interest due to players not really seeming to
care and the late response, though, this response has sparked my interest back into helping a bit.
Message #2
I've also found other potential issues since then, such as the fact that players can basically resend the data to send an item such as a reverso,
and the server doesn't check weather or not they actually have one or not or take away from them, it'll just allow sending an infinite amount,
over and over again. The blocking system seems to only be client side (not fully tested) as occasionally, when blocking someone,
they could still whisper The blocking system could potentially be easily evaded by changing a function in the client side game code
to always return false to basically say that a user isn't blocking them.
If actually interest is shown in fixing issues and if derrick agrees, I'll stick around and help to the fullest extent.
^^^^^^^^^^^^^^^
The above is the recorded interactions between the moderator "IzzyLoo" and myself, there was more that
I don't have saved, we actually had a conversation over whisper chat and I told her in detail about everything
that I'd done, if anyone's ever spoken to me and I've told them things that I've done, that's how I was to her.
And things looked promising I was really hoping to help, I actually didn't get to drop the plan but I really thought
that it was a good one to prevent combo listing.
My Plan without staff:
My plan essentially was to take the same combo lists, download all the publically available ones that I could get my hands
on and to test the lists and get a list of vulnerable accounts on ourWorld, and the idea was to take the list and put it
in combination with a tool that I wrote for my crew that would detect accounts based on userid, something you may not
know as well is that the success response for login on ourWorld is that it provides the userid of the account and the
generated loginid (session cookie), so the userid would be logged and we would check each userid loaded into the game
against those in the list and popup the vulnerable user when they load in, and again when we click on them, the idea
was to allow us to warn active users (if i could get a trustable/willing crew to do it). I figured with multiple
of us testing it could go faster than those doing it maliciously and we could save anyone active on the game.
It of course didn't work out due to the lack of crew and selfishness of those involved, if being in the crew
risked any harm their accounts from ourWorld or any of the "unknown hackers" at the time, than they wouldn't be in it.
My Plan with staff:
My plan with the staff was nearly identicle, if we exported the database or connected to MySQL and started sorting
through directly, we could easily test a list WAYYY faster and find vulnerable accounts and get a list to then develop
a course of action to take for affected accounts. I actually wrote a bash script which will be on the pastebin that posts
this, it was designed to be able for them to give/show to the sys-admins to propose my idea, it of course didn't get that far,
but I really took this seriously and wanted to actually help.
^^^
This is what happened, IzzyLoo said she would get back to me and she didn't, my account was banned when I hadn't done anything
too wrong, Ooie banned me likely due to the events that Madelyn had on my account "selling for USD". Even though I made a ticket
specifically about that as I was told they explciitly did that to get me banned. But she didn't listen, I was banned anyway.
I contacted IzzyLoo from another account and was suspecting XSS at this point so I wanted them to implement the proper headers
and even did some client side testing/simulation as if the server had those headers and got them perfected to be able to send,
I sent it all in a pastebin, a patch to vulnerabilites you're seeing be exploited for popups right now. The staff didn't listen
to me and I was practically ignored, not responded to that much and nothing happened. It crushed me. I can't even imagine a time
where I was that willing to help, that's how different I am right now. I'm not the same person that I was then.
After this I officially gave up on helping/relying on the staff to do anything, my priority day in and day out had been and has been
hacking the game for the sake of doing it before others do for worse purposes and not becoming disadvantaged. I know so much that I
could put here, but I do believe that a lot of others don't know much about hacking the game, even though they'll talk their sh**.
--
About Me (A short-ish Summary)
You can say and think what you want about me, but my entire time on this
game I've spent mostly selfless over the years, I used to earn gems explicitly to
gift others and make them happy in 2012. and in 2016 when returning to the game
I had earned over 800 gems one day on jungroup and had spent it all on others,
each day after doing gem offers for hours I would gift it all. I was always
giving to people on the game. I've been scammed out of what I did not give
and have always cared greatly about others on the game, only being on the
game to make friends and date. Hate me if you will, but I put a lot of time
into helping others and wanted the best for the sake of the future of this game.
^^^^^
The above was everything you should know about this and what I've tried,
I'll potentially release a list of usernames/people soon and what will
happen will be up to the community, I've tried leading by example but
I don't think that many of you will follow, I'm sure that a lot of you
know about various people involved, though you refrain from doing anything
or talking about it. The solution for many of you has been to come to me,
but that just isn't good enough, I wish to see this community actually do
something about the problems. If you all put just as much effort as you
did towards me or blooming bouquet into the account hacking issues and those
behind it and talked about them like you did to me, we wouldn't have even been
in this situation for as long. Weather I'm going to continue actively planning
or fighting them or not, I don't know. Hacking mike wasn't fun, It wasn't as easy
as It looked and frankly It was very annoying to be fighting with someone trying
to get back onto their account, these people need account bans. If I can get to be
banned on sight, they should get to be too. But yeah, I've learned something I guess
I'm probably not going anywhere, or maybe I am, I don't know yet, but while on here
I'll chill my shit and won't be attempting to jam anyone permanently over petty sh**.
This game is gonna die if the community doesn't do something and honestly if it's going
to die and nobody is going to do anything, I'm not going to waste my time trying to save it,
I'm just gonna sit back, relax and enjoy the remainder of the game.
I'm just going to make this short and to the point. For over a year there
have been people combo listing and ever so many people aware of it,
there's been to the lesser known extent but known by flowplay/ourWorld
multiple data breaches. Essentially just things to aid people who want to
hack accounts and steal the items to prosper in game or to sell for real money
on player auctions. I've had my account hacked and been in the complete
dark as to how until recently as I wasn't vulnerable to combo-listing and
have had stopping this or at least raising awareness about it a big priority
in my life.
In the below I'll be discussing various issues and how they were
addressed by flow play behind the scenes or publicly.
The Issues/Topics:
- Combo Listing.
- Database Leaks.
- Server Errors.
- history of prevention
- Failure to acknowledge account hacking.
- Criminal Harassment
- Lack of moderation.
- Community Incompetence
- Secret Question Vulnerabilities
- Victim Blaming.
- What you can do to stay safe.
- Attempts to communicate with Flow Play and end various issues.
- About Me (A short-ish summary.)
Combo Listing
Combo Listing is something that has been around for a long
time but has seemed to become very popular within the last
year not only on ourWorld but other places. the process is
simple and doesn't require anyone engaging in it to do much.
There's some terminology in combo listing that I'll explain below:
Leaks
A leak is essentially a website like ourWorld being hacked and the
data stored in the database being exported and put public for sale
in the case of combo listing this refers specifically to the user/email
and password combinations that the users used on the site, this would
look as follows: user123(at)example(dot)com:password5000.
user123@example(dot)com << being the email.
password5000 << being the password.
Combination Lists
A leak leads to a list of combinations like the above being made
for software that implements the attack technique on a specific
site and checks line by line and tests the email : password combinations.
Obtaining Combination Lists:
Anyone can download combo lists from combo-list(dot)com as well
as various forms by either paying for them or just downloading free
ones.
The Practical Process:
Provided that one isn't going to write a tool and is like
most of the people who combo-list on ourWorld, the process
consists of someone hooking you up with a combo listing tool
b3rb and jess are some of the known people to have hooked
people up with the tools to combo list, Madelyn also introduced
a few people to it and so did many others. Once you've obtained
a combo listing tool it's as simple as selecting a combination list
that you've downloaded and hitting run. It will test each login in the
list and then output working logins to a new list. See to the account
hacking process for more in depth info.
The Current State:
ourWorld has changed the requirements for their authentication
system multiple times and old combo listing tools that didn't provide
the required cookies are now broken. This disables anyone who can't
code from combo listing until someone who can, makes a new tool.
--
Database Leaks
The ourWorld forums were running the long and abandoned jforum
which was vulnerable to remote code execution and potentially SQL
injection. A friend of mine compromised the server via the forums before
it was taken down and at any time in the past they could have been
hacked for more malicious purposes and were. You've never heard about
this or had any warning as flowplay is NOT a transparent company in any
way, shape or form. The first time and only time I had even heard of anything
relating to a database leak was when I was casual with Madelyn and she asked
me if I knew how to crack hashes as she had her friends email. I assumed
it was from another site that was from a list that had the password hashes
instead of passwords.
Additional Design Vulnerability
There's something that comes out as a flaw to the authentication system
of ourWorld that may or may not have mattered this entire time, which
prevents attackers from having to crack the passwords to get on accounts,
the issue comes from ourWorld converting the password to a hash locally
and then sending it in the request, this means that in the events of
a database leak like there had been, there's no need to figure out
the corresponding string/password to the hash and enter it manually
in the game client, you simply need to send the hash in the login
request and you'll get a loginid which you switch yours to in your
cookies and refresh into the account. << On the contrary to the typical
of handing the server a password and it hashing it and converting it
to the one in the database.
Stupidity
Many people like to call me a script kiddie, which isn't the case,
but those same people are the ones who quite literally would have to crack
the hashes. I'm unaware of who exactly knew anything about the auth
system and who didn't. But with the stated above, any account, no
matter what length/strength of the password is accessible in the events of a database leak.
Verification
The database leaks had the last IP address associated with the account
and as you may or may not know IP addreses, like phone numbers, have
certain numbers that are assigned to certain areas, you can look
them up and find the area that they belong to, this is how IP verification
works on ourWorld for the most part, in this case the IP addresses that
were associated/verified on the account were looked up and then proxy
servers that are in that or around that location would be used to login
to the account so that the server wouldn't ask questions about verification.
And incase you're more technical and aware that flash doesn't respect proxy
settings, the ourWorld game server doesn't check the IP address immediately
connected, it checks the one from at sign in on the web server.
The Source:
The main source of the leaks is believed to be the site that was
taken down by the FBI in january: weleakinfo(dot)com
--
Server Errors
Due to the amount of people flooding the one and only webserver
with login attempts, it would get overloaded and throw server errors,
the server errors were a good measurement of how many people were doing it.
--
History of Prevention
There honestly hasn't been a lot done to prevent many of these issues,
but we'll start with the basics, after the server was compromised for
the unknownth time but known to flowplay, they took down the forums.
This leaves the only real attack vectors being things they've written
their CGI scripts and the game server. Additionally all account cracking
tools including my own, used the forums for authentication, this most likely
prevented or slowed down account cracking for a tiny little bit.
From the time that the forums were taken down until approximately january
/february 2020, nothing had seemed to be done, until of course ourWorld started
rate limiting and banning IP addresses that made too many login requests, this
wasn't a proper IP ban and instead of blocking communication with the webserver
it was instead that the webserver would just tell the client "You're not allowed
to access this" on each request, wasting resources and leading to still overloading
the server and causing errors. You may think that this would have or should have
ended combo listing, however, this simply meant that others likely slowed down
how fast they would send login requests and additionally would use proxy lists.
It's to my knowledge that nothing other than this was done until around
the end of May 2020. Mid may/the end of may 2020 I decided to write an
account jammer as a counter attack to the signout thing that people
like Mike would use on myself and others and even used it while
hacking his account, I left it jamming his account until today
actually, when they started filtering XO's in the chat, I didn't
keep this to only Mike and I've used it on anyone who pissed me off
if I'm being honest, I've put up with a lot on the game for so many
years and honestly felt like I didn't have to anymore, and I could
keep accounts down for days at a time, this being said, I did for some
people, in some cases it was warranted and in others it was petty.
With the above being stated, this was around the time that they started
switching up the authentication system, weather the following was for me
or for the combo listers is up to you to decide: I'll start with details
on the first change, they started requiring the machineid cookie being in
the request and potentially even all the "evercookie"'s which are just the
machineid. I adapted and my scripts were able to login again, not too long
later (a few days or so give or take) they changed it again to require another
cookie/cookies. They also for a short while started requiring logins to be from
HTTPS instead of HTTP, presumably because the combo listing tools were accessing
the site by HTTP and not HTTPS and they could see that in the logs, this definitely
wasn't to stop anything I was doing as I had it use HTTPS from the getgo.
After days of jamming and various tickets from many people, one morning most
people were unable to login to the game, I presume that they were trying to
block proxies/vpn's and failed and ended up blocking a lot of regular users
instead, but that's only a guess, for hours a lot of people couldn't login
and it appeared to be IP and potentially even user agent related.
I believe that the incident where nobody could login was an attempt
at them to prevent me from automating login, as this would appear
to be their strategy to stop me at that point, however... It affected
many innocent users and didn't actually stop my account jammer, my
jammer was going unaffected the entire time.
Today they've decided to make XO yet another filtered word.
--
Failure to acknowledge account hacking.
For the entirety of the account hacking situation and many victims
creating support tickets, ourWorld support and moderators have failed
to ever acknowledge or listen to anything said about combo listing or
account hacking. There have been those who have woken up to having
all of their items gone on their account, EVERYTHING taken, not
a single item being left on the account. They would never ban
anyone who traded the items to themselves and it's been as if
it's never even existed. See Victim Blaming for more.
--
Harassment
Account hacking aside, there's issues with harassment that
go untouched and continue and slip under the radar, some people
do not feel safe and are under constant threats by people threatening
them and creating accounts and going around with their real name.
They can report and nothing happens, they don't get banned and it
continues, I've used my account jammer and various things that I can
do to get these people tf off/away from them, but I shouldn't have even
had to, this is something that there should be moderators for.
--
Lack of moderation.
The above issue is something that is TOO prevelant
and that is one of the reasons I've went all out
recently, the people who manage the game DO NOT
seem to care in the slightest that people are
being hacked or that others are walking around
with stolen items. All of these people walk
away without consequences and don't get banned
even though they actively hack accounts and
check ones from leaks. I get banned actively
and they remain untouched.
--
Community Incompetence
I honestly have to say that one of the worst issues
in this has been the community, you've all posted constantly
about the account jamming situation on support, you've made
tickets about me constantly and when it comes to people who
are hacking accounts, you really don't see the same.
The support page is the best example of this, honestly you
all put so much focus into talking smack about blooming bouquet
but yet mike and tahlea were out there hacking accounts and so
were so many others. Nobody who has known anything has done anything
to prevent it, you all put your time into stupid issues instead or
do nothing entirely. Issues like scamming and account hacking could
have been prevented with simple awareness, willful ignorance and lack
of care from those not immediately effected by it has done this community
no good in the slightest. It took the community A LONG time to even acknowledge
combo listing, and when I've peacefully tried to raise awareness, I've recieved
backlash and gotten the blame, been ignored and not taken seriously.
This community could easily do so many things together to raise awareness about
each issue, you could talk about it, you could have events to raise awareness
about it, you could write tickets to support, discuss it on here.
But you all honestly won't, I'll likely be the only person that you'll report,
I'll get more shit from most of you than any of the worst of them ever will.
You can trash talk me on the comments of this post, someone who hacks accounts
can come in and do it to from a most likely compromised one and you'll ignore it.
--
Secret Question Vulnerabilities
First of all, I'd like to state that there was a long period to
me where it was unknown how most were getting past verification
and it wasn't like ANYONE was going to tell me, absolutely nobody
did and I had to figure it out ALL on my own, it was my priority
to, figuring all of this out initially to get it patched was my
initial goal, it later turned into figuring it out to fight back.
Discovery #1
The first secret question vulnerability I had discovered in late december
when I had actually mostly forgoten my answer, I was sending verification
emails and putting my answer in, when one time I hit the back button
and noticed it let me do it again, and I could keep doing it, so I
decided to go to developer tools and see the request being made,
I then I tried replaying the request with curl, it got a proper
failure response and not an expired token one or anything.
I wrote a simple bash script to do it easier and just used
the same token as I was under the impression that it didn't
or wouldn't expire for some time, I kept trying with the
script until I got it, as it was faster than hitting
the back button and I was able to think better while
guessing. I eventually got it and got the success
message (I was printing out anything that wasn't a failure).
^^
From this point I understood that I could verify on an account
via secret question without sending an email, I didn't understand
how this entirely tied into hacking accounts, I assumed that there
was some default value for accounts that didn't have one set that
was being used, but nothing of that sort worked for me.
I was so close and yet so far off at the same time...
Discovery #2
During my time with working with b3rb and almost going insane myself
and going through compromised accounts/automating, I noticed that some
would popup and ask to set the secret question without being verified.
This in combination with the first discovery is the verification vulnerability
and another way/reason that accounts were able to have their items stolen.
--
Victim Blaming
Honestly another big part of all of this and leaving everyone in the dark
is the assumption that the victim did something wrong, that they did something
out of the normal, that they clicked a link, that they gave their credentials
away, anything of that sort. It's the same problem that exists with scamming
on the game, it doesn't help anyone, awareness does and it honestly needs to stop.
--
What you can do to stay safe.
Password Security
1) Use a password that you don't use with your username/email anywhere else
2) Use a password that only you will know.
3) Change your password if you haven't changed it in the past year.
4) Change your password weekly (if there's a leak, ourWorld will fix it, they won't tell you and you'll be vulnerable though)
Verification Security
1) Never share your secret question with anyone!
2) Do not use a real/personal answer for your secret question!
3) Do not put your real country or city on your profile.
4) Do not share your location with anyone suspicious.
Information Security
1) Share this with others
2) Pay attention to these things
3) Talk about it more often
--
Attempts to communicate with Flow Play and end various issues.
As early as november 2019 I've been trying to end combo listing,
I actually had multiple plans and wanted to get people involved,
I had invested so much into plans for stopping scamming as well,
and I had scripts that could detect when players enter the room
by their userid and raise alerts and keep records and bring up
entries from a file. It was for a crew that I was planning called
DCASI and unlike my modern day behavior, it was meant to be professional.
I wanted to take issues into my own hands as well as create a plan (which I did)
to stop combo listing and defend accounts from being hacked, I wanted to use the
power that the sys-admin had to do it, I understand that they can't/don't want to
work with old code, I truly do, but I also understand that you can deal with these
things at a much higher/non-code level as a sys-admin and take care of it with relative ease.
As hard as It is for most people who are going to read this to believe, I'm actually experienced
with a lot of things, MySQL/MariaDB, CentOS (the operating system the main server runs) bash scripting,
linux systems administration, It's all stuff that I really enjoy and am quite familiar with more or less.
And I've gotten a great idea of the ourWorld infrastructure, and I can list off so much and potentially even
why they chose to do certain things they did and the circumstances. That being said, I had a plan that I wanted
to present to them and get their sys-admin to do. I contacted IzzyLoo, someone I was informed that was a moderator.
I decided to go to her over Ooie because ooie is generally percieved to be a non-caring bych. And I didn't want to
risk ruining the only shot that I'd have, not that it mattered in the end. The following is what I sent her and
what she responded with.
DISCLAIMER:
In these messages I was not as informed about anything as I am now and still
hadn't really understood anything pertaining to the game data or how any
of the game hacks others had done were done, I was in the dark and truly
speculating based on what other idiots told me/kept warning me about.
DarkeningLynters:
Message #1
I'd like to talk to you about the people who are breaking into accounts and robbing them of items, I have a few proposals and ideas on how you
and other staff w/ the help of your developers could easily put an end to it. I know that you might not take this seriously at first,
but I come from a background of linux system adminstration, website management and various hjacking/security. I'll give a few examples
of things that I've discovered about ourWorld on my own: ourWorld buys it's music from audiosocket, the songs aren't stored on ourWorld
but rather audiosocket, you guys still have the old songs on your servers for streaming. (this was discovered by basic resource sniffing).
I've started development on a basic TCP proxy, I.E: being able to resend the data that the game send to OW and bck I know that ourWorld data
is encoded with base64. I know that ourWorld is a 2d, 3d illusion. The boardwalk backdrop is a 2d image, and I've once replaced it with one
with adult content overlayed on it, I took a picture with the ingame camera and got it into my album, as ourWorld staff may or may not know,
as my account was chat deactivated for two days at the time. I know that ooie is believed to have a bad attitude/way of dealing with these
things (I've never personally talked to her), based on what I've heard, I've come to you about this.
And to top this message off, I know that ourWorld runs CentOS. My favourite enterprise class linux distribution, basically a community version
of redhat enterprise linux. If you're interested or free to talk, I'd be interested in helping solve this problem. I'm on here almost all the time.
Message #2
I know that you guys use MySQL for your database.
I know (or speculate) that the forums were shutdown
due to jforum not having been updated in a long time and potentially having unknown/never to be patched vulnerabilities.
I know that a bunch of script kiddies on this game are using Winsock Packet Editor (a cluncky and old tool) to attach to
the process of their browsers and resend data, which has resulted in pretty much every hjack on this game under the sun over the years.
I know more than I can even say, but never the less: want to say here.
You might wonder If I'm trust worthy or not, just know that while I've done some stupid shjit on this game, It's only been for attention,
I would never do anything to harm innocent players on this game (keyword: innocent). I've put pjorn in my album,
I've written gem hjacks and given players gems, I've written account hjacking tools that use the forums
(to hjack specific accounts via emjail, not widespread/random ones).
I've actually planned out hjacking the computers of scammers, working on anti-virus evasion and a million other things.
My point is that: I don't have any intention of actually harming this game. And specifically for the trust thing:
all I can say is that: I'm not working with anyone else on this game, every single other hjacker on this game hates me,
as I talk about and make everything possible/public in a way where it could very easily be patched by developers.
I can provide source code to all tools made by me, and even further make new ones to test the security of ourWorld.
I'm eighteen and have been on this game since I was seven years old. I'm well aware of the fact that admitting any of
this could result in the ban hammer being brought down on me.
Do with all of this as you will.
IzzyLoo:
Hello!
First, I want to appologize for late response to you. I have not logged on IzzyLoo in a couple weeks. As I work
on a different FLowplay game.
I will write more to you as I wrap my head around it all and propose it to our CEO - Derrick.
As I am sure it is in his best interest.
Write more soon,
Izzy
DarkeningLynters:
Message #1
I've spent the past week doing everything in my power to warn other players to increase their own security as well
as trying to counter what they've been doing with combo lists by doing the same, only logging the user id's of
compromised accounts which I can detect if near me using packet capture software. I personally have put a lot of
thought and care in the past week or two into trying to stop a lot of the things that have been going on.
players have been crashing each other by flooding each other with Emojis, the account robbers have been doing it too.
I've personally written a tool that would protect some players as a temporary solution (by removing emoticons).
Anyway, what I'm trying to say is that I've actually cared about helping and have tried, only a few things haven't
gone as planned, .A: some players haven't believed me .B some players have accused me of actually doing it. And literally today,
my account got hjacked. which I'm not really sure as to how. I actually originally planned on testing various things and figuring
it all out to bring to staff/developer attention, but... as of today I mostly lost interest due to players not really seeming to
care and the late response, though, this response has sparked my interest back into helping a bit.
Message #2
I've also found other potential issues since then, such as the fact that players can basically resend the data to send an item such as a reverso,
and the server doesn't check weather or not they actually have one or not or take away from them, it'll just allow sending an infinite amount,
over and over again. The blocking system seems to only be client side (not fully tested) as occasionally, when blocking someone,
they could still whisper The blocking system could potentially be easily evaded by changing a function in the client side game code
to always return false to basically say that a user isn't blocking them.
If actually interest is shown in fixing issues and if derrick agrees, I'll stick around and help to the fullest extent.
^^^^^^^^^^^^^^^
The above is the recorded interactions between the moderator "IzzyLoo" and myself, there was more that
I don't have saved, we actually had a conversation over whisper chat and I told her in detail about everything
that I'd done, if anyone's ever spoken to me and I've told them things that I've done, that's how I was to her.
And things looked promising I was really hoping to help, I actually didn't get to drop the plan but I really thought
that it was a good one to prevent combo listing.
My Plan without staff:
My plan essentially was to take the same combo lists, download all the publically available ones that I could get my hands
on and to test the lists and get a list of vulnerable accounts on ourWorld, and the idea was to take the list and put it
in combination with a tool that I wrote for my crew that would detect accounts based on userid, something you may not
know as well is that the success response for login on ourWorld is that it provides the userid of the account and the
generated loginid (session cookie), so the userid would be logged and we would check each userid loaded into the game
against those in the list and popup the vulnerable user when they load in, and again when we click on them, the idea
was to allow us to warn active users (if i could get a trustable/willing crew to do it). I figured with multiple
of us testing it could go faster than those doing it maliciously and we could save anyone active on the game.
It of course didn't work out due to the lack of crew and selfishness of those involved, if being in the crew
risked any harm their accounts from ourWorld or any of the "unknown hackers" at the time, than they wouldn't be in it.
My Plan with staff:
My plan with the staff was nearly identicle, if we exported the database or connected to MySQL and started sorting
through directly, we could easily test a list WAYYY faster and find vulnerable accounts and get a list to then develop
a course of action to take for affected accounts. I actually wrote a bash script which will be on the pastebin that posts
this, it was designed to be able for them to give/show to the sys-admins to propose my idea, it of course didn't get that far,
but I really took this seriously and wanted to actually help.
^^^
This is what happened, IzzyLoo said she would get back to me and she didn't, my account was banned when I hadn't done anything
too wrong, Ooie banned me likely due to the events that Madelyn had on my account "selling for USD". Even though I made a ticket
specifically about that as I was told they explciitly did that to get me banned. But she didn't listen, I was banned anyway.
I contacted IzzyLoo from another account and was suspecting XSS at this point so I wanted them to implement the proper headers
and even did some client side testing/simulation as if the server had those headers and got them perfected to be able to send,
I sent it all in a pastebin, a patch to vulnerabilites you're seeing be exploited for popups right now. The staff didn't listen
to me and I was practically ignored, not responded to that much and nothing happened. It crushed me. I can't even imagine a time
where I was that willing to help, that's how different I am right now. I'm not the same person that I was then.
After this I officially gave up on helping/relying on the staff to do anything, my priority day in and day out had been and has been
hacking the game for the sake of doing it before others do for worse purposes and not becoming disadvantaged. I know so much that I
could put here, but I do believe that a lot of others don't know much about hacking the game, even though they'll talk their sh**.
--
About Me (A short-ish Summary)
You can say and think what you want about me, but my entire time on this
game I've spent mostly selfless over the years, I used to earn gems explicitly to
gift others and make them happy in 2012. and in 2016 when returning to the game
I had earned over 800 gems one day on jungroup and had spent it all on others,
each day after doing gem offers for hours I would gift it all. I was always
giving to people on the game. I've been scammed out of what I did not give
and have always cared greatly about others on the game, only being on the
game to make friends and date. Hate me if you will, but I put a lot of time
into helping others and wanted the best for the sake of the future of this game.
^^^^^
The above was everything you should know about this and what I've tried,
I'll potentially release a list of usernames/people soon and what will
happen will be up to the community, I've tried leading by example but
I don't think that many of you will follow, I'm sure that a lot of you
know about various people involved, though you refrain from doing anything
or talking about it. The solution for many of you has been to come to me,
but that just isn't good enough, I wish to see this community actually do
something about the problems. If you all put just as much effort as you
did towards me or blooming bouquet into the account hacking issues and those
behind it and talked about them like you did to me, we wouldn't have even been
in this situation for as long. Weather I'm going to continue actively planning
or fighting them or not, I don't know. Hacking mike wasn't fun, It wasn't as easy
as It looked and frankly It was very annoying to be fighting with someone trying
to get back onto their account, these people need account bans. If I can get to be
banned on sight, they should get to be too. But yeah, I've learned something I guess
I'm probably not going anywhere, or maybe I am, I don't know yet, but while on here
I'll chill my shit and won't be attempting to jam anyone permanently over petty sh**.
This game is gonna die if the community doesn't do something and honestly if it's going
to die and nobody is going to do anything, I'm not going to waste my time trying to save it,
I'm just gonna sit back, relax and enjoy the remainder of the game.
" last night..but I'm not even mad after reading this, lmfao.