  • Security Hole

    06. 22. 2011 06:12


Gtdawg
In case anyone was wondering, they should change their passwords immediately.

There is a massive security hole in how accounts and emails are verified that I've been talking about for a week.

I have submitted a support ticket already, but it is a change that can't happen right away.

If you have given your account password out to anyone at all, change the password as soon as you read this.

Do not assume that having the trade password provides additional security!!!!!!!!!!!

The announcement stated that this website included increased security when, in fact, they've undone a few things and have completely opened up everyone to losing their account.  

 

  • Re : Security Hole

    06. 22. 2011 06:44


Piombo
For some reason I'm getting an Error page and Tracert stack packet when attempting to edit personal info

  • Re : Security Hole

    06. 22. 2011 06:46


Piombo
Originally Posted by Piombo
For some reason I'm getting an Error page and Tracert stack packet when attempting to edit personal info

Server Error in '/' Application.
Timeout expired. The timeout period elapsed prior to obtaining a connection from the pool. This may have occurred because all pooled connections were in use and max pool size was reached.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.InvalidOperationException: Timeout expired. The timeout period elapsed prior to obtaining a connection from the pool. This may have occurred because all pooled connections were in use and max pool size was reached.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[InvalidOperationException: Timeout expired. The timeout period elapsed prior to obtaining a connection from the pool. This may have occurred because all pooled connections were in use and max pool size was reached.]
System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection) +4863722
System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory) +117
System.Data.SqlClient.SqlConnection.Open() +122
Olivelab.ModuleClass.MemberInfoClass.InsertMemberLoginLog(String strUIdx, String strUID, String strUIP) +102
Olivelab.UserControls.OlivelabBase.SetMemberInfo() +199
Olivelab.UserControls.OlivelabBase.OnInitComplete(EventArgs e) +184
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +467


Version Information: Microsoft .NET Framework Version:2.0.50727.3623; ASP.NET Version:2.0.50727.3618

^^Said error page says I timed out, but it only took about 5 secs for this to happen

  • Re : Security Hole

    06. 22. 2011 06:56


ZaGaTo19
I'm getting the same error (browsing from my BlackBerry). Was this disabled by SDE to prevent hacking?

  • Re : Security Hole

    06. 22. 2011 07:23


vick11
If you have not shared your password then the only danger is to have something inappropriate as your password that someone could easily guess, like having your game ID as your password. If you have shared your password previously then it is always recommended that you a) stop and don't do it again, b) change it now - exactly what we have been saying as well.

Thank you for the ticket GT - nothing new and yes, something we already considered doing, but if introduced it will not be linked to the trade password, which is now totally game specific. However, even if we do introduce another step into the change process for emails, passwords and/or trade passwords, it does not change the position that any sharing of your account is strongly discouraged, and we reserve the option not to provide assistance if a player chooses to ignore the warning.

  • Re : Security Hole

    06. 22. 2011 07:46


mako089
The obvious flaw here is that it is first come first serve. If you have shared your password with someone,
the first person to log in to the website and verify the new email has control of the account. This should
have been better thought out although the original account owner should know better than to share. Some
people may be in for a rude awakening when they return to their accounts to find someone else has control
of it.

  • Re : Security Hole

    06. 22. 2011 07:51


Splid
I don't understand why (even though people shouldn't be account sharing) this system ENCOURAGES people to take shared accounts for themselves...

Why even have this huge security hole which people can benefit from at all? It just doesn't make sense...

  • Re : Security Hole

    06. 22. 2011 07:56


BBR_InsUW
Originally Posted by Piombo
For some reason I'm getting an Error page and Tracert stack packet when attempting to edit personal info


What browser are you using?

  • Re : Security Hole

    06. 22. 2011 08:01


Amorgan
Changed..thx Gt

  • Re : Security Hole

    06. 22. 2011 08:59


Gtdawg
I understand that people aren't supposed to account share. That's the same response I got in the support ticket.

Personally, nobody but me has been on my account for, probably, 3+ years. However, that doesn't change the fact that the password system can easily be compromised.

The trade password encourages account sharing since there is an added level of security to gain access to items, hq, etc. Yes, it was to keep people from accidentally deleting sailors...but it was most definitely implemented to allow people to protect their sailors and items while sharing their account.

The verification email should be sent to the CURRENT verified email, allowing someone to accept the email change. Currently, someone's verified email will change without them ever seeing a notification or going through an approval process.

And, to top it off, there is no added security protecting the change of emails, passwords, or trade passwords.

Saying "well, people shouldn't account share" is not a sufficient solution when it has been tacitly approved in the past.
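
The approval step proposed in the post above, sketched as an added example (not part of the thread and not the site's code): the change token is mailed only to the current verified address, is stored hashed, expires, and works once. `Account`, `request_email_change`, `confirm_email_change`, the in-memory `outbox` and the one-hour TTL are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 3600  # seconds a pending change stays valid (assumed value)

class Account:
    def __init__(self, verified_email):
        self.verified_email = verified_email
        self.pending = None   # (new_email, sha256(token), expires_at)
        self.outbox = []      # (recipient, message) pairs standing in for real mail

def _digest(token):
    # Only the hash is stored, so a leaked pending record cannot approve a change.
    return hashlib.sha256(token.encode()).hexdigest()

def request_email_change(acct, new_email, now=None):
    """Start a change; the approval token goes to the CURRENT verified address only."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    acct.pending = (new_email, _digest(token), now + TOKEN_TTL)
    acct.outbox.append((acct.verified_email, f"Approve change to {new_email}: {token}"))
    return token  # returned only so the demo can play the mailbox owner

def confirm_email_change(acct, token, now=None):
    """Apply the pending change only for a valid, unexpired, unused token."""
    now = time.time() if now is None else now
    if acct.pending is None:
        return False
    new_email, digest, expires_at = acct.pending
    if now > expires_at:
        acct.pending = None
        return False
    if not hmac.compare_digest(digest, _digest(token)):
        return False
    old = acct.verified_email
    acct.verified_email, acct.pending = new_email, None  # token is single use
    acct.outbox.append((old, f"Verified email changed to {new_email}"))
    return True

def demo():
    acct = Account("owner@example.com")  # constructed sample data
    token = request_email_change(acct, "other@example.com", now=0)
    return [
        acct.outbox[0][0],                            # who received the token
        confirm_email_change(acct, "guess", now=10),  # knows password, not the mailbox
        confirm_email_change(acct, token, now=20),    # owner approves from old mailbox
        confirm_email_change(acct, token, now=30),    # replay of the same token
        acct.verified_email,
    ]

if __name__ == "__main__":
    print(demo())
```

With this shape, someone who only holds the shared password can request a change but cannot complete it, and the owner sees the request in their existing mailbox.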

  • Re : Security Hole

    06. 22. 2011 09:03


IceTom
gt, you call their intentional process a security hole? :D

first come, first serve.
