1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

RuneMate SAVES our passwords in PLAINTEXT

Discussion in 'Discussions' started by rcoder, Dec 17, 2017.

Thread Status:
Not open for further replies.
  1. rcoder

    Joined:
    Dec 17, 2017
    Messages:
    17
    Likes Received:
    0
    So confirmed, runemate has all of our passwords we use for botting. In plain text.

    Why?
     
  2. staffix

    staffix Superior All Knowing Person!

    Joined:
    Oct 9, 2016
    Messages:
    641
    Likes Received:
    224
    lol
    "Joined: Today"

    it's encrypted before the mods can see it, so it doesn't really matter..
    they wouldn't be able to get access to your account even if they wanted to
     
    delta likes this.
  3. rcoder

    Joined:
    Dec 17, 2017
    Messages:
    17
    Likes Received:
    0
    lol
    "Joined 2016"

    Your point?

    It's not encrypted, because the scripts bots can access it to login
     
  4. Wet Rag

    Wet Rag easily triggered ✌

    Joined:
    Dec 31, 2015
    Messages:
    4,449
    Likes Received:
    1,692
    you're fucking retarded
     
    delta and Shocked like this.
  5. EvilCabbage

    Joined:
    Nov 3, 2013
    Messages:
    2,389
    Likes Received:
    849
    man if only i fucking cared enough to reply more decently to this..
     
    delta and 0PrivacyMatter0 like this.
  6. rcoder

    Joined:
    Dec 17, 2017
    Messages:
    17
    Likes Received:
    0
    It's simple, I setup a new VM and logged in with my runemate user + pw. Then all of a sudden runemate can now login to RS for me using my bot account? Our passwords are stored in runemate servers. Even if it's encrypted, the admin can easily decrypt them since the bot can too.
     
  7. Savior

    Savior Java Warlord

    Joined:
    Nov 17, 2014
    Messages:
    4,906
    Likes Received:
    2,748
    here comes the meme train choo chooooo
     
  8. Jux7apose

    Joined:
    Mar 28, 2017
    Messages:
    286
    Likes Received:
    58
    Then don't use Runemate, better yet, don't save your account. Manually log in and bot.
     
  9. rcoder

    Joined:
    Dec 17, 2017
    Messages:
    17
    Likes Received:
    0
    So pretend the admins aren't saving our passwords? And don't have access to all our accounts? And can't just run a script bot to find the highest skilled account they have stored via rs hiscores to steal? LOL ignorance is bliss huh?

    inb4 admin closes / deletes thread due to being exposed
     
  10. skrall

    Joined:
    Jul 24, 2014
    Messages:
    634
    Likes Received:
    161
    While I certainly understand you're worried, you have nothing to fear. There's no sane reason why a bot developer would steal its users' login details... RSGP is only worth a small amount, accounts can't be sold because they can be (easily) recovered, etc.
     
  11. Savior

    Savior Java Warlord

    Joined:
    Nov 17, 2014
    Messages:
    4,906
    Likes Received:
    2,748
    Literally every single user who has used the autologin knows that runemate stores their passwords, it is absolutely not privileged information whatsoever.
    --- Double Post Merged, Dec 17, 2017, Original Post Date: Dec 17, 2017 ---
    Bot developers can't access the login data in the first place
     
  12. Swych

    Joined:
    Dec 9, 2016
    Messages:
    2,975
    Likes Received:
    1,024
    Hello. Yes. The year is 1970, public-key encryption has just started to emerge to the public. I am typing this from the future. This is a WILDLY NEW TECHNOLOGY so I have attached a simple diagram in the form of a JPG file.
    [​IMG]
     
  13. Jux7apose

    Joined:
    Mar 28, 2017
    Messages:
    286
    Likes Received:
    58
    Trust me, they could give a less shit about your account. If I ran this site I'd instantly ban you and close this thread because of your stupidity
     
  14. rcoder

    Joined:
    Dec 17, 2017
    Messages:
    17
    Likes Received:
    0
    And what? Let's say an admin goes rogue. Instant free 10,000 accounts for him

    There's SO many options to avoid storing plain text passwords and the admins of this site FOR SOME REASON haven't done them. You can store a local generated encryption key per computer on the fly when they first login. Then hash their RS password with it. You store the hashed password online. Then just keep referencing the crypt key on the local computer for decrypting it. If it's a new computer you give them instructions on how to transfer they key.

    OR, don't store ANY passwords online and simply store them locally. Like every other bot is doing. Genius, right?
    --- Double Post Merged, Dec 17, 2017 ---
    Exposing security risks, totally stupid. LOL
    --- Double Post Merged, Dec 17, 2017 ---
    That's great and all, but they're not doing that. They're storing the password in their database, no private key to decrypt.
     
  15. Swych

    Joined:
    Dec 9, 2016
    Messages:
    2,975
    Likes Received:
    1,024
    Lemme just simplify this real quick.
    [​IMG]

    This is probably a simplified version of runemates database (to which only 1 PERSON has access to btw). Using the diagram I had in my previous post and this table example this is how the client is able to retrieve your password from a secure format. Note how I said client and not admin. Without a decryption key its useless.
    --- Double Post Merged, Dec 17, 2017, Original Post Date: Dec 17, 2017 ---
    Out of curiosity what are your thoughts on RiD?
     
    Jux7apose likes this.
  16. rcoder

    Joined:
    Dec 17, 2017
    Messages:
    17
    Likes Received:
    0
    "That's great and all, but they're not doing that. They're storing the password in their database, no private key to decrypt."

    Hint: wireshark and watch the requests that go to runemate when you're adding a new bot account
     
  17. Swych

    Joined:
    Dec 9, 2016
    Messages:
    2,975
    Likes Received:
    1,024
     
  18. staffix

    staffix Superior All Knowing Person!

    Joined:
    Oct 9, 2016
    Messages:
    641
    Likes Received:
    224
    i missed abnormal prince..
     
    forbobo and Jux7apose like this.
  19. Savior

    Savior Java Warlord

    Joined:
    Nov 17, 2014
    Messages:
    4,906
    Likes Received:
    2,748
    First of all, what on earth makes you think they are stored in plain text?
    Secondly, as mentioned already, you don't have to enter legit data if you don't trust runemate. In that case you'll have to login to the game on your own every time.

    Also this shows that you have no idea about security so this thread is over for me

    lata
     
    Jux7apose likes this.
  20. rcoder

    Joined:
    Dec 17, 2017
    Messages:
    17
    Likes Received:
    0
    "Hint: wireshark and watch the requests that go to runemate when you're adding a new bot account"
     
Thread Status:
Not open for further replies.

Share This Page

Loading...