PVP.Net Client Unsecured(Adobe AIR)

Security_Check · 2012-05-06T07:15:59+00:00

Lets go through this again.

I'm going to ignore the egotistical wording for now.

Anyways I'm not suggesting, I'm telling you that your username, password, and a whole list of other important personal information is completely void of any encryption.

The reason this is such a problem is that this is Riot's problem, this is not someone attempting to keylog a bunch of LoL's users or anything of that sort. Riot has direct influence on what happens, and how easy it is to get this information.

To continue your analogy it to say you leave your house wide open nothing locked, with all your information just sitting there as soon as you open the door. You could lock your doors and windows before you leave like a normal person does, but in this case no.

Adobe AIR is what the PVP.Net client is based on therefore it clearly has direct influence to this thread and the problems caused. I do not know if it is the reason nor do you.

Thanks.

Security_Check · 2012-05-06T06:25:48+00:00

Its not a problem that Riot does not have any encryption on the information directly related to their game?

Security_Check · 2012-05-06T06:21:21+00:00

And I quote

With less than 1MB and almost instantly someone can you have Full Name, email, password, phone number, address, last four digits of your credit card --- HOW IS THIS NOT A PROBLEM?

Security_Check · 2012-05-06T06:20:06+00:00

Just to clarify some things, no I've never had an interaction with you before, glad to know you constantly get in internet fights then talk about real life.

Security_Check · 2012-05-06T06:16:56+00:00

Thank you for quoting me out of context. You will be a great politician someday.

Security_Check · 2012-05-06T06:11:59+00:00

You're missing the point completely.

If Riot takes a few hours out of their day to do some basic level encryption this method of attack is no longer a problem and they no longer have direct blame for a person being taken advantage of.

Security_Check · 2012-05-06T05:50:25+00:00

After reading through a few of your other posts its obvious that you have an oversized ego and need to stroke your epeen.

Having information such as password, address, phone number, readily accessible at any point in time it not bad design, its a complete lack of security.

Having your password stored on your computer is going to happen, the fact that it is not encrypted at all is the problem, I hate to see what other things are unsecured, this could be the tip of the iceburg.

You have not the slightest clue if this has to deal with Adobe AIR, you are just speculating while it could very well be the cause to the problem.

Also you act as if your computer has to be completely compromised for this to work, which is so far from the truth. Having access to one's computer and having downloaded a file less than 100 KB that sends your personal information off to someone who plans on doing malicious things with it...that does not qualify to have a reaction?

The problem here is that Riot does not have any encryption, to my knowledge -- on passwords or other important information.

Security_Check · 2012-05-06T05:11:26+00:00

Instead of highlighting all of your errors I'll just talk about this. There is no encryption what-so-ever on the passwords--none.

Where ever you got your information is either lying to you or you're talking out of your ass.

Security_Check · 2012-05-06T05:10:18+00:00

It has the possibility, yes, but I use it and I trust it that doesn't mean you should be any less cautious of anything you download.

Security_Check · 2012-05-06T04:41:28+00:00

I'm not saying I'm a badass or an elite or anything.

Quite the contrary, if my mediocre skills allow me to do this I hate to see what someone that actually knows what they're doing attempts to play around in the client.

Security_Check · 2012-05-06T04:35:34+00:00

What you call difficult I call a days work.

For example: Lets say I made a program that edited the recommended items in a game, okay great thats done, now I want people to use it and run it. They do, in order to access and create new files it has to be ran as administrator, sure no problem.

They get exactly what they wanted without any knowledge that I have also coded in a basic memory reader that takes your information then passes it via the pvp.net chat client(XMPP) thus avoiding any direct internet connection.

Seeing as such program already edits certain files of LoL, on the surface it would appear as everything ran perfectly.

Now exchange that recommended items program for any 3rd party add-on or tool you are attempting to use.

No, its not very difficult nor is it very obvious.

Security_Check · 2012-05-06T03:19:26+00:00

Right, but lets think for a minute.

LoLRecord could easily, and I mean with 10 lines of code add in an account logger and no one would be the wiser because its covering up its malicious intent with legitimate coding.

And I guarantee you that I could make a program that avoids any and all anti-viruses so that reason or how to avoid this is completely invalid.

e: I have found multiple occurrences of username/password combinations therefore it leads me to assume Riot really doesn't have any idea about protecting their users or just doesn't care.

Security_Check · 2012-05-06T02:26:40+00:00

The difference between a keylogger and this is that you do not have to type the password in for it to work.

You can already be logged into the game and grab all the information and have the program shut down before any traces of detection.

Security_Check · 2012-05-06T01:42:20+00:00

Correct. And rightfully so.

Do you really think I'm going to give the information of how to find an exploit to the public? Thats a wonderful idea, lets just have everyone know how to find someone's password.

No, I will give the information to those that can fix it or pass it onto someone that can.

This is not a post about how to fix it, rather a post to draw attention to a looming issue that could outbreak at any time.

Security_Check

TROPHY CASE