Why doesn't RealGM support SSL/TLS?

YFZblu
Assistant Coach
Posts: 3,873
And1: 412
Joined: Apr 13, 2010

Why doesn't RealGM support SSL/TLS? 

Post#1 » by YFZblu » Fri Mar 28, 2014 4:37 am

When I was debugging some HTTP traffic this afternoon, I decided to log in to RealGM and saw this in my proxy logs:

====================================================================================================
POST /boards/ucp.php?mode=login HTTP/1.1
Host: forums.realgm.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: ucp.php?mode=login

username=yfzblu&password=[redacted]&autologin=on&redirect=http%3A%2F%2Fforums.realgm.com%2Fboards%2Fviewtopic.php%3Ff%3D40%26t%3D1304665&sid=2d5bc4f995fcf1a0a9157a4cf0&login=Login
====================================================================================================

I have no idea how I never noticed this before. My larger concern relates to how our passwords might be stored in the database. I have my own ideas of how things should be done, but I don't want to sound demanding.

Thoughts?
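The request quoted above is the kind of thing a proxy or IDS can flag automatically. The following is an added example (not part of the original thread or RealGM's code): it parses a raw HTTP/1.x request, reports when a form field that looks like a password is submitted over a non-TLS connection, and records only field names and value lengths so the finding itself never stores the secret. The sample request is constructed after the one in the post, with a placeholder password; whether the connection was TLS is assumed to be known by the caller.

```python
from urllib.parse import parse_qs

# Constructed sample modelled on the request quoted above (placeholder password).
SAMPLE_REQUEST = (
    "POST /boards/ucp.php?mode=login HTTP/1.1\r\n"
    "Host: forums.realgm.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=yfzblu&password=hunter2&autologin=on&sid=abc123&login=Login"
)

# Form field names that commonly carry a credential (assumed list).
CREDENTIAL_FIELDS = ("password", "passwd", "pass", "pwd")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_credentials(raw, over_tls=False):
    """Return a finding dict when a credential field is POSTed over plain HTTP,
    otherwise None. Secret values are never copied, only their lengths."""
    method, path, headers, body = parse_request(raw)
    if over_tls or method != "POST" or not body:
        return None
    fields = parse_qs(body, keep_blank_values=True)  # decodes %-encoding too
    hits = [f for f in fields if f.lower() in CREDENTIAL_FIELDS]
    if not hits:
        return None
    return {
        "host": headers.get("host", "?"),
        "path": path,
        "user": fields.get("username", [""])[0],
        "fields": hits,
        "redacted_lengths": {f: len(fields[f][0]) for f in hits},
    }


if __name__ == "__main__":
    print(find_cleartext_credentials(SAMPLE_REQUEST))
```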
YFZblu
Assistant Coach
Posts: 3,873
And1: 412
Joined: Apr 13, 2010

Re: Why doesn't RealGM support SSL/TLS? 

Post#2 » by YFZblu » Tue Apr 1, 2014 12:05 am

Is there a different place I should be asking this question?

I'm extremely concerned that user passwords are stored in the clear in the database, or that our POST requests to the login page are logged somewhere in cleartext.
dream34
Site Admin
Posts: 3,367
And1: 342
Joined: Jul 29, 2005

Re: Why doesn't RealGM support SSL/TLS? 

Post#3 » by dream34 » Tue Apr 1, 2014 7:20 pm

Passwords are not stored in clear text.
StocktonShorts
Retired Mod
Posts: 13,386
And1: 2,551
Joined: Jun 02, 2009

Re: Why doesn't RealGM support SSL/TLS? 

Post#4 » by StocktonShorts » Wed Apr 2, 2014 3:39 am

Just to be pragmatic for a moment, what's the worst someone could do if they got your RealGM password? Unless of course you use the same password/login on other sites... but no one would do that, right? ;)
YFZblu
Assistant Coach
Posts: 3,873
And1: 412
Joined: Apr 13, 2010

Re: Why doesn't RealGM support SSL/TLS? 

Post#5 » by YFZblu » Wed Apr 2, 2014 4:44 am

StocktonShorts wrote: Just to be pragmatic for a moment, what's the worst someone could do if they got your RealGM password? Unless of course you use the same password/login on other sites... but no one would do that, right? ;)

IMO, assuming certain account information is worthless to attackers is not pragmatic at all; it's just a misunderstanding of the threats involved and their capabilities.

But to give a specific example - Let's say someone, somewhere, discovered that the phpBB forum software RealGM runs on contains a SQL injection vulnerability - and instead of alerting the software vendor so it can be fixed, this person decided to sell the vulnerability on the cyber black market as a zero-day to crackers and blackhats to be used maliciously.

Someone purchases the zero-day, and begins to enumerate the internet looking for vulnerable phpBB installations, one of which is RealGM.com. We'll say the exploit worked, and the attacker was able to dump RealGM's account database, which includes the credentials of dream34, our site admin. Now, our attacker can log in and hide malicious code (or anything) on the domain to facilitate any number of things: anything from bitcoin mining, to storing child pornography, to dropping information-stealing malware on RealGM visitors' computers. This malware would silently execute on your system, evade antivirus, keylog you, take screenshots when you visit your bank's website, the list goes on.

Perhaps this attacker takes all of our email addresses, and crafts an email purporting to be from RealGM asking us to click a malicious link. Or the attacker could monetize the information and sell our usernames, passwords, and email addresses to yet another criminal to do any number of things with - and as you hinted at, many many people use identical credentials for other accounts. This would be low-hanging fruit for anyone with the funds and willingness to break the law.

So what's the WORST that could happen? If an attacker is capable of creating the right conditions, some pretty terrible things.

Anyway, I'll probably just start rambling if I continue this post - and I'm sure many would accuse me of rambling already. These are the things I think about when I see an opportunity to improve security posture. Ultimately it's everyone's responsibility to keep this information safe - that seemingly insignificant user account information could be easily manipulated into a very valuable product.
dream34
Site Admin
Posts: 3,367
And1: 342
Joined: Jul 29, 2005

Re: Why doesn't RealGM support SSL/TLS? 

Post#6 » by dream34 » Wed Apr 2, 2014 3:27 pm

YFZblu, I think it's good and smart that you are concerned about and interested in the security of websites you use. Without going into detail, our servers are secure and the kind of attacks you describe would be detected. We keep up to date with all security patches.
