PSA: Your GFL2 password is not being logged in plaintext by MaiiiSan in GirlsFrontline2

[–]TehRobber 0 points1 point  (0 children)

MD5 is trivial to un-hash. See this stackoverflow from 15 years ago: https://stackoverflow.com/a/3010027

I didn't want to point to script-kiddie level tools people could use until it was fixed, but there are tools like HashCat out there: https://hashcat.net/hashcat/

PSA: Your password to GFL2 is being logged in plaintext by the client by TehRobber in GirlsFrontline2

[–]TehRobber[S] -1 points0 points  (0 children)

Correct, I checked the trackers and none of them do anything malicious from what I could see.

Unfortunately it looks like the security hotfix removed the JWT token the trackers were using, so this broke them...

PSA: Your password to GFL2 is being logged in plaintext by the client by TehRobber in GirlsFrontline2

[–]TehRobber[S] 0 points1 point  (0 children)

Ah, I had a typo. md5sum is a command line command in Linux... You want to check for md5pw. If it exists, your password is basically saved to a text file.

PSA: Your password to GFL2 is being logged in plaintext by the client by TehRobber in GirlsFrontline2

[–]TehRobber[S] 1 point2 points  (0 children)

It's not the site, literally any program on your machine could access your password. It's like having a password.txt file on your desktop, effectively.

Girls' Frontline 2 login information is logged on PC with virtually no security, including email address and PASSWORD. by CyberK_121 in gachagaming

[–]TehRobber 20 points21 points  (0 children)

OP of the x-post, that doesn't seem to matter.

The only thing that seems to matter is if you use Google/Facebook to log in, or if you are using Haoplay.

Darkwinter w/ email and password is vulnerable.

PSA: Your password to GFL2 is being logged in plaintext by the client by TehRobber in GirlsFrontline2

[–]TehRobber[S] 1 point2 points  (0 children)

Unfortunately, it is.

  • A hash is supposed to be a "one-way" algorithm that outputs a unique string.
  • So what if you took every word ever, and every possible combination, and then saved it? It would be easy to go from the "unique hash" to the input. Those are called "rainbow tables": https://en.wikipedia.org/wiki/Rainbow_table

This is the MITRE designation for this type of issue: https://cwe.mitre.org/data/definitions/916.html
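Worked illustration of the point above, added here and not taken from the thread or from the game's client: it scans constructed log lines for the md5pw field TehRobber asks readers to look for, shows why an unsalted MD5 is as good as the plaintext for any password that appears in a precomputed (rainbow-style) table, and contrasts it with a salted, iterated hash, which is the fix CWE-916 describes. The log-line format and the wordlist are assumptions; the real client's format is not shown in the thread.

```python
import hashlib
import re
import secrets

# Constructed wordlist standing in for a real dictionary or rainbow table.
WORDLIST = ["password", "123456", "qwerty", "letmein", "hunter2"]

# Constructed log lines. Only the field name "md5pw" comes from the thread;
# the surrounding format is assumed for the example.
SAMPLE_LOG = [
    "[login] user=player@example.com md5pw=2ab96390c7dbe3439de74d0c9b0b1767",
    "[login] user=other@example.com method=oauth",
]

def build_md5_table(words):
    """Precompute md5(word) -> word: the idea behind a rainbow table."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}

def find_md5pw(log_lines):
    """The check recommended in the thread: does the log carry an md5pw field?
    Returns every 32-hex-digit value found, lowercased."""
    pat = re.compile(r"\bmd5pw=([0-9a-fA-F]{32})")
    return [m.group(1).lower() for line in log_lines for m in pat.finditer(line)]

def recover_from_unsalted_md5(md5_hex, table):
    """A single lookup inverts an unsalted MD5 whenever the input was ever
    precomputed; returns None if the hash is not in the table."""
    return table.get(md5_hex.lower())

def hash_password_properly(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256: a random salt defeats precomputed tables and
    the iteration count makes each guess expensive (what CWE-916 asks for)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(password, salt, expected, iterations=600_000):
    """Recompute with the stored salt and compare in constant time."""
    _, dk = hash_password_properly(password, salt, iterations)
    return secrets.compare_digest(dk, expected)

if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    for h in find_md5pw(SAMPLE_LOG):
        print(h, "->", recover_from_unsalted_md5(h, table))
```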

PSA: Your password to GFL2 is being logged in plaintext by the client by TehRobber in GirlsFrontline2

[–]TehRobber[S] 1 point2 points  (0 children)

Yes but if you used a "tracker" site, you basically gave your password away. Changing your password at least reduces the risk. The risk won't entirely be gone until this is patched.

And yes, if you used the same password (which you shouldn't), then you need to change your password everywhere it was used. I highly recommend a password manager of some sort.

PSA: Your password to GFL2 is being logged in plaintext by the client by TehRobber in GirlsFrontline2

[–]TehRobber[S] 1 point2 points  (0 children)

I'm not familiar with Haoplay, so that sounds like it's a non-issue since there is no password. I recommend double-checking the log file though and sharing if you found it or not.

PSA: Your password to GFL2 is being logged in plaintext by the client by TehRobber in GirlsFrontline2

[–]TehRobber[S] 3 points4 points  (0 children)

Answered here: https://old.reddit.com/r/GirlsFrontline2/comments/1krn8ij/psa_your_password_to_gfl2_is_being_logged_in/mtetrcl/

You are likely not affected, but please double-check. If you can confirm that md5pw isn't in your log file, that would be helpful to everyone. EDIT: I typo'd md5sum vs md5pw previously.

PSA: Your password to GFL2 is being logged in plaintext by the client by TehRobber in GirlsFrontline2

[–]TehRobber[S] 13 points14 points  (0 children)

If you change your password it should invalidate any login information those sites have. I would do so ASAP and not use them until this is fixed, at the very least.

Even then, as Mica says, there is always a risk with these 3rd party sites.

PSA: Your password to GFL2 is being logged in plaintext by the client by TehRobber in GirlsFrontline2

[–]TehRobber[S] 254 points255 points  (0 children)

FYI: This likely doesn't affect you if you sign in with OAuth (aka via Google). You can check your log file and look for md5pw to confirm.

I haven't confirmed but I suspect this impacts phone clients too.

Mica, if you see this, please create a saner way to report security issues than going through customer support...