Facebrowser - Security vulnerability found in the WoWonder engine

Nervous    2336

Hello,

 

We're using WoWonder, which is a social network engine, on its latest version for Facebrowser. We have been informed by a player of a security issue on the website that would disclose another player's hashed password, email, and a few other pieces of information.

After investigating the issue, it appeared that the Poke system contains a security vulnerability which allows someone YOU poked to collect your hashed password.

Once the issue was understood, we removed the poking feature and contacted the WoWonder developer to inform them about the vulnerability so that they can fix the issue for all their other customers.

 

Even if this security vulnerability could not be actively exploited to specifically target you, as it required a specific action from your side, we are listing below the characters that once sent a poke and thus could have had their hashed password leaked if the receiver of the poke performed a malicious action:

  • The list is currently being redone; however, if you ever sent a poke then you are on this list.

 

While only the hashes of the passwords were leaked, we still recommend that everyone on this list immediately change their password, and change it on every platform where it was used if you were reusing this password elsewhere.

I did not detect any malicious usage (aka someone specifically poking other players massively to get pokes back); however, you should not gamble on this risk, thus considering your password compromised if you're on the list is mandatory, and you should always consider your passwords compromised even if only the hashes leaked, for GTAW or any other platform.

 

On 07/05, the developer of the engine acknowledged the security vulnerability and confirmed it. A fix is being developed for all their customers. We did not wait for this new update, and Facebrowser is already safe to use as we disabled the poke system entirely for now; we will perform an audit on the new update before re-enabling the feature.

Your security is always critical for us, and while we do our best to secure our infrastructure and services, security vulnerabilities in them or in 3rd party engines such as WoWonder might always happen, and you can trust us to always be 100% transparent with you when it comes to these issues that some would often hide. While the probability of your real password being out in the wild from this vulnerability is very low due to the specific context it required, it is my duty as owner of GTAW to inform you of the risks and strongly advise you to change your password if you were on the list.

Edited by Nervous

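The post's advice to treat a leaked password hash as a leaked password is worth making concrete. The following is an added example, not code from the original post and not WoWonder's code: it assumes a hypothetical store of salted PBKDF2-HMAC-SHA256 hashes (the post does not say which scheme the engine uses), constructs three "leaked" records, and runs the kind of offline dictionary attack an attacker who collected hashes through the poke bug could run with no further access to the site. The usernames, salts, passwords and wordlist are all constructed for the demo.

```python
"""Offline dictionary attack against leaked password hashes.

Added example (not part of the original post, not WoWonder code). The hash
scheme, the users, the salts and the wordlist are all assumptions made up for
the demo; a real attacker would only see the salt and hash columns.
"""
import hashlib
import hmac
from typing import Dict, Iterator, List, Tuple

ITERATIONS = 1000  # deliberately low so the demo runs in well under a second


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, hex encoded.

    Hypothetical stand-in for whatever the real engine stores; the post does
    not say which scheme WoWonder uses.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Constructed "leaked" records (username, salt, hash), as an attacker might have
# collected them through the poke bug. They are built here from known passwords
# only so that the example is self-contained.
LEAKED: List[Tuple[str, bytes, str]] = [
    ("alice", b"s4lt-alice", hash_password("password123", b"s4lt-alice")),
    ("bob",   b"s4lt-bob",   hash_password("Summer2020!", b"s4lt-bob")),
    ("carol", b"s4lt-carol", hash_password("pX7!vQ2#mL9zR4wT", b"s4lt-carol")),
]

# Constructed mini wordlist; real attacks use millions of previously leaked passwords.
WORDLIST = ["password", "summer", "letmein", "qwerty",
            "welcome", "football", "facebrowser", "gtaworld"]
SUFFIXES = ["", "1", "123", "!", "2020", "2020!"]


def candidates(word: str) -> Iterator[str]:
    """Apply a few common mangling rules (capitalisation, suffixes) to a base word."""
    for base in (word, word.capitalize()):
        for suffix in SUFFIXES:
            yield base + suffix


def crack(leaked: List[Tuple[str, bytes, str]],
          wordlist: List[str] = WORDLIST,
          iterations: int = ITERATIONS) -> Dict[str, str]:
    """Recover every password whose hash matches a wordlist candidate.

    Nothing here touches the site: once the salt and hash are in the
    attacker's hands, guessing is unlimited and unthrottled.
    """
    found: Dict[str, str] = {}
    for user, salt, target in leaked:
        for word in wordlist:
            for guess in candidates(word):
                if hmac.compare_digest(hash_password(guess, salt, iterations), target):
                    found[user] = guess
                    break
            if user in found:
                break
    return found


if __name__ == "__main__":
    for user, password in crack(LEAKED).items():
        print(f"{user}: {password}")
```

Two weak passwords fall to a handful of rules and eight base words; only the long random one survives, and only because it is not in this tiny list. The salt and the key-stretching merely slow the attacker down per guess; they do not put a limit on how many guesses can be made, which is why a hash leak should be handled as the post says, by changing the password everywhere it was reused.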
Nervous    2336

Just to highlight it because not everyone reads the full text: we fixed the vulnerability on Facebrowser; it is currently safe to use.

Edited by Nervous

dionkoffie    42

I (Justin Miller) have poked several people in the last week or two, but I'm not on the list. Should I still change my passwords?

Rukka    85
Just now, dionkoffie said:

I (Justin Miller) have poked several people in the last week or two, but I'm not on the list. Should I still change my passwords?

 

Yes, to be on the safe side.

Westen    193
Just now, dionkoffie said:

I (Justin Miller) have poked several people in the last week or two, but I'm not on the list. Should I still change my passwords?

Better safe than sorry.

Cobra    117

Just my password - or do I have to change my name, my address, date of birth, my mother's maiden name and go undercover living in the mountains of Tibet? 

Jokes aside - thank you for informing us Nervous! I've changed my password. 

Codac    3
Just now, Jak said:

fucking hackermen @Codac

I was just trying to find a way to spam-poke someone back, not find personal information.

