RuneMate SAVES our passwords in PLAINTEXT

Seraphic · Dec 17, 2017

Even if they stored them in plaintext it doesn't matter as long as you have 2FA and don't use the same password elsewhere, it's been said over 50000 billion times lol.

Savior · Dec 17, 2017

rcoder said: ↑

"Hint: wireshark and watch the requests that go to runemate when you're adding a new bot account"
Click to expand...

You mean the requests that are encrypted with TLS? lol

rcoder · Dec 17, 2017

Savior said: ↑

You mean the requests that are encrypted with TLS? lol
Click to expand...

You mean installing a self signed local cert to view TLS encrypted requests is impossible? lol

Also really proving you're the one who has no clue about security.

Swych · Dec 17, 2017

rcoder said: ↑

"Hint: wireshark and watch the requests that go to runemate when you're adding a new bot account"
Click to expand...

Show us your logs and I'll believe you.

Savior · Dec 17, 2017

rcoder said: ↑

You mean installing a self signed local cert to view TLS encrypted requests is impossible? lol

Also really proving you're the one who has no clue about security.
Click to expand...

I'm not the one trying to decrypt hashes

--- Double Post Merged, Dec 17, 2017, Original Post Date: Dec 17, 2017 ---

Quinnn said: ↑

Show us your logs and I'll believe you.
Click to expand...

I mean it's possible, but my first impression of him let me believe he would be too retarded to get that done

Jhinn · Dec 17, 2017

TO CASUAL WE GOOOOOOOOOOOOOOOOOOOO

Ozzy · Dec 17, 2017

Just to debunk the whole check the network log claim, (as expected) any communication with Runemate's servers during the process of adding or deleting an account is encrypted. Of course this doesn't prove that accounts are stored in an encrypted form in the remote database but I'm fairly certain they will be.

Aidden · Dec 17, 2017

rcoder said: ↑

And what? Let's say an admin goes rogue. Instant free 10,000 accounts for him

There's SO many options to avoid storing plain text passwords and the admins of this site FOR SOME REASON haven't done them. You can store a local generated encryption key per computer on the fly when they first login. Then hash their RS password with it. You store the hashed password online. Then just keep referencing the crypt key on the local computer for decrypting it. If it's a new computer you give them instructions on how to transfer they key.

OR, don't store ANY passwords online and simply store them locally. Like every other bot is doing. Genius, right?

--- Double Post Merged, Dec 17, 2017 ---

Exposing security risks, totally stupid. LOL

--- Double Post Merged, Dec 17, 2017 ---

That's great and all, but they're not doing that. They're storing the password in their database, no private key to decrypt.
Click to expand...

First you say they're plain text, then you say they're encrypted, now they're plain text again. Which one is it?

Savior · Dec 17, 2017

Ozzy said: ↑

Just to debunk the whole check the network log claim, (As expected) any communication with Runemate's servers during the process of adding or deleting an account is encrypted.

Click to expand...

There are ways around that, check MITMProxy for example

--- Double Post Merged, Dec 17, 2017, Original Post Date: Dec 17, 2017 ---

Aidden said: ↑

First you say they're plain text, then you say they're encrypted, now they're plain text again. Which one is it?
Click to expand...

His point is that they are allegedly stored in plaintext on the servers, which I absolutely can't imagine, knowing arbiter

Aidden · Dec 17, 2017

@Arbiter

Arbiter · Dec 17, 2017

User accounts are not, and never have been, sent to the server in cleartext. I advise OP to heed his own advice and Wireshark his own requests after spoofing the SSL certificate.

Swych · Dec 17, 2017

/thread

skrall · Dec 17, 2017

Savior said: ↑

Bot developers can't access the login data in the first place
Click to expand...

I meant client developer, mb.

Savior · Dec 17, 2017

skrall said: ↑

I meant client developer, mb.
Click to expand...

Ah gotcha. The bot authors do have access to the aliases though.

0PrivacyMatter0 · Dec 17, 2017

i'm not worried about this website hacking me, i bot with my funds on my account and never been hacked, peaked at 700m and still botting, no hacks.

EvilCabbage said: ↑

man if only i fucking cared enough to reply more decently to this..
Click to expand...

legendary comment

Qosmiof2 · Dec 17, 2017

I thought i was retarded :thinking_face:

rcoder · Dec 17, 2017

Arbiter said: ↑

User accounts are not, and never have been, sent to the server in cleartext. I advise OP to heed his own advice and Wireshark his own requests after spoofing the SSL certificate.
Click to expand...

Ok I heeded my own advice and verified that they are encrypted somehow. Both the login name + password are encrypted in one string and sent to the server. The alias is not encrypted. But that's less important.

Example of one account encrypted. I hope there is a private key associated to this encryption string. I highly doubt there is. So it's STILL able to be deciphered by an intruder gaining access to the database, or by any of the admins.

Code (Text):

IfPhZTmAHsrPKBNqZoFwMtysh8lMKAcZT601/+ElDTeuyf8uv6hPFujN3sMi5+YA

unexist · Dec 17, 2017

just get authenticator and u will be safe i had accounts with more then 1B 07 without that on runemate never got hacked

rcoder · Dec 17, 2017

unexist said: ↑

just get authenticator and u will be safe i had accounts with more then 1B 07 without that on runemate never got hacked
Click to expand...

But then I can't run bots overnight. They may get stuck if I lose internet connection. RuneMate should instead store this data locally, or use a private key to encrypt. One supplied by the user, and not stored anywhere. A "mater password".

Qosmiof2 · Dec 17, 2017

yo forreal are you kidding me?

This is probably the safest bot website out there and you're trying to complain about aliases not being encrypted?

cmon.

RuneMate 2.0 Spectre

RuneMate SAVES our passwords in PLAINTEXT

Seraphic Buying & Selling RSGP

Savior Java Warlord

rcoder

Swych

Savior Java Warlord

Jhinn

Ozzy

Aidden Author of MaxiBots

Savior Java Warlord

Aidden Author of MaxiBots

Arbiter Mod Automation

Swych

skrall

Savior Java Warlord

0PrivacyMatter0

Qosmiof2 I've been called a god before.

rcoder

unexist Does not exist.

rcoder

Qosmiof2 I've been called a god before.

Share This Page

Useful Searches

RuneMate 2.0 Spectre

RuneMate SAVES our passwords in PLAINTEXT

Seraphic Buying & Selling RSGP

Savior Java Warlord

Savior Java Warlord

Aidden Author of MaxiBots

Savior Java Warlord

Aidden Author of MaxiBots

Arbiter Mod Automation

Savior Java Warlord

Qosmiof2 I've been called a god before.

unexist Does not exist.

Qosmiof2 I've been called a god before.

Share This Page