  1. #1
    Zeffer's Avatar
    Join Date
    Jun 2013
    Gender
    male
    Posts
    160
    Reputation
    12
    Thanks
    204
    My Mood
    Blah

    Hunter Is Deleting Posts Allowing Dangerous Software

    https://www.mpgh.net/forum/showthread.php?t=1156518

    This trainer in the AQW hacks section at the moment is a blatant account stealer which is clearly unsafe, and any attempts by me to mention it to the section moderator @Hunter have been deleted without reason, and he has refused conference with me over the issue. I'd love to explain to him why it isn't safe, but since he doesn't seem to want to hear it I'll just tell you here.



    This is the POST request sent when adding a bot with the trainer's add bot feature. The username and password there are my AQW login credentials being sent to noticemeae.cf, which is the creator's personal website. Also take note of how my password is being sent completely unencrypted, which means anyone connected to the same Wi-Fi as me could easily intercept and steal my password.



    Here is a message from the owner defending it, saying that it deletes your password and does not store them. We can take this with a grain of salt, though, considering all the handling of the data is done within the PHP, which is 100% server-sided, meaning it can be changed at any time without the knowledge of any of the users or staff who may have inspected it.
    Stupidly large.
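
Added example, not part of the original thread: the kind of capture described in post #1 can be checked mechanically. This Python sketch audits one captured HTTP request for credential-like form fields sent to a host outside an allowlist or without TLS; the request text, path, field names and the allowlisted host `login.game.example` are constructed placeholders.

```python
import re
from urllib.parse import parse_qs

# Hosts a client is expected to send game credentials to.
# Placeholder: the real game login host is not given in the thread.
TRUSTED_LOGIN_HOSTS = {"login.game.example"}
CRED_FIELD = re.compile(r"(pass|pwd|user|login)", re.I)

# Constructed sample request (path, field names and values are made up).
SAMPLE = (
    "POST /addbot.php HTTP/1.1\r\n"
    "Host: noticemeae.cf\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 51\r\n"
    "\r\n"
    "user=ExampleUser&pass=ExamplePass1&botname=demo-bot"
)

def audit_request(raw, tls):
    """Return a list of findings for one captured request (headers + form body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    host = headers.get("host", "").split(":")[0].lower()
    fields = parse_qs(body, keep_blank_values=True)
    secrets = sorted(k for k in fields if CRED_FIELD.search(k))
    findings = []
    if secrets and host not in TRUSTED_LOGIN_HOSTS:
        findings.append(f"{method} {path}: credential fields {secrets} "
                        f"sent to third-party host {host}")
    if secrets and not tls:
        findings.append(f"{method} {path}: credential fields {secrets} "
                        "sent in cleartext (no TLS)")
    return findings

if __name__ == "__main__":
    for finding in audit_request(SAMPLE, tls=False):
        print(finding)
```
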

  2. #2
    Hunter's Avatar
    Join Date
    Dec 2013
    Gender
    male
    Location
    Depths Of My Mind.
    Posts
    17,468
    Reputation
    3771
    Thanks
    6,159
    My Mood
    Cheerful
    Thanks for your concern, but @master131 analyzed the said file himself and deemed it to be safe so yeah, not going to do anything about the file in question as such.
    Last edited by Hunter; 08-20-2016 at 12:03 PM.

  3. #3
    Zeffer's Avatar
    Quote Originally Posted by Hunter View Post
    master131 analyzed the file himself and deemed it to be safe so no offense, but I don't really care about what you say.
    I've provided all the proof required. All the data is handled on the server, so even if he analyzed it and said that it's safe, they could change the PHP to store passwords without your knowledge. None of it is handled client-sided. What are you having trouble understanding?

    - - - Updated - - -
    @Hunter I appreciate your opinion but I don't believe you're qualified to weigh in on the matter, could you please get some other staff in here that will be able to discuss the logistics of the program's operations? You said you don't care about me so you're obviously playing biases hard.
    Last edited by Zeffer; 08-20-2016 at 12:07 PM.

  4. #4
    Hunter's Avatar
    Quote Originally Posted by Zeffer View Post
    @Hunter I appreciate your opinion but I don't believe you're qualified to weigh in on the matter, could you please get some other staff in here that will be able to discuss the logistics of the program's operations? You said you don't care about me so you're obviously playing biases hard.
    Playing biases hard? Oh please, give me a break. Everyone knows I've no problem in punishing one for their wrongdoing regardless of who they may be. The thing is, master131 is our finest file analyzer and as such, I'd rather trust his judgement over yours. If he deems the said file not to be safe after all, then I'll delete its thread otherwise I won't do absolutely anything about it.
    Last edited by Hunter; 08-20-2016 at 12:22 PM. Reason: Typos.

  5. #5
    Zeffer's Avatar
    Quote Originally Posted by Hunter View Post
    Playing biases hard? Oh please, give me a break. Everyone knows I've no problem in punishing one for their wrongdoing regardless of who they are. The thing is, master131 is our finest file analyzer and as such, I'd rather trust his judgement over yours. If he deems the said file not to be safe after all, then I'll delete its thread otherwise I won't do absolutely anything about it.
    @master131

    Can you come and tell me how this program is safe given the information I've provided? Give me facts, all I've been given so far is that you've checked it, I've been given no facts on how it's actually safe considering the way the program operates.

    Last edited by Zeffer; 08-20-2016 at 12:17 PM.

  6. #6
    Dave84311's Avatar
    Join Date
    Dec 2005
    Gender
    male
    Location
    The Wild Wild West
    Posts
    35,837
    Reputation
    5782
    Thanks
    41,292
    My Mood
    Devilish
    Sending a password/username to a third party server isn't safe.

    I'll investigate it.





    THE EYE OF AN ADMINISTRATOR IS UPON YOU. ANY WRONG YOU DO IM GONNA SEE, WHEN YOU'RE ON MPGH, LOOK BEHIND YOU, 'CAUSE THATS WHERE IM GONNA BE


    "First they ignore you. Then they laugh at you. Then they fight you. Then you lose.” - Dave84311

    HAVING VIRTUAL DETOX

  7. The Following 2 Users Say Thank You to Dave84311 For This Useful Post:

    Hunter (08-20-2016),Zeffer (08-20-2016)

  8. #7
    Dave84311's Avatar
    The file should not have been approved. The reason sounds like bullshit... to ensure that no spamming occurs? What does that even mean? @ToxLP






  9. The Following 3 Users Say Thank You to Dave84311 For This Useful Post:

    chibizs (08-20-2016),[MPGH]Jim Morrison (08-20-2016),Zeffer (08-20-2016)

  10. #8
    sa3m's Avatar
    Join Date
    Aug 2016
    Gender
    male
    Posts
    1
    Reputation
    10
    Thanks
    0
    ty hunter for reassuring us that the file is 100% safe
    Last edited by sa3m; 08-20-2016 at 01:22 PM. Reason: fixed grammar error

  11. #9
    ToxLP's Avatar
    Join Date
    Feb 2013
    Gender
    male
    Location
    Maybe
    Posts
    298
    Reputation
    81
    Thanks
    3,789
    My Mood
    Twisted
    Quote Originally Posted by Dave84311 View Post
    The file should not have been approved. The reason sounds like bullshit... to ensure that no spamming occurs? What does that even mean?
    Hey, so lemme explain please. In v0.01, when I did not add any security, what users did was spam more than 10k bots; luckily they had similar names like name-1, name-2, etc.

    I had to delete all that with a DELETE WHERE LIKE SQL query, so in v0.02 I needed to implement a feature which stops spamming, so I thought of this.

    I made the user and pass get sent to the PHP POST. What I used the user and pass for is:

    Make a curl POST request to the actual game login with the user and pass supplied. If the response was a success, it meant the user is legit and can add a bot; if it wasn't, it blocked the request.

    I only saved the Username, BotName, BotData, IP.

    IP and Username are used to ban users from adding, to make sure they're the right spammers.

    So the delete bot function can make sure the correct user is deleting it, it also had the User and Pass sent there and made a curl request again to make sure spammers weren't spamming delete.

    Edit:
    In the end I never saved any password of any user.

    The only thing I saved that was theirs is just their Username and IP.
    Last edited by ToxLP; 08-20-2016 at 01:24 PM.

  12. #10
    Zeffer's Avatar
    Quote Originally Posted by ToxLP View Post
    - snip -
    You ever think of a captcha?

  13. #11
    chibizs's Avatar
    Join Date
    Jul 2012
    Gender
    male
    Location
    In Your Computer
    Posts
    909
    Reputation
    261
    Thanks
    1,557
    My Mood
    Breezy
    Why was the pass even needed? Check the current state of login and username... Kek. A captcha, anything would work. And if you save a username and IP, if your app isn't secure, what's to say the server is? One DB dump and you have fucked everyone using your bot. Might as well be a username collector for AE.


    Also, I can spam create AQW accounts and then spam your bot, so your security wouldn't have worked except for basic spamming.


    Edit: you could've also just checked character pages to see if the account existed.
    Last edited by chibizs; 08-20-2016 at 02:51 PM. Reason: Another thought

  14. The Following User Says Thank You to chibizs For This Useful Post:

    Demaier (08-20-2016)
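
Added example, not part of the original thread or the trainer's code: one way to stop the bulk `name-1`, `name-2` submissions described in post #9 without the server ever receiving a game password, in line with the suggestions in posts #10 and #11. The class name, thresholds and IP address are hypothetical.

```python
import re
import time
from collections import defaultdict, deque

class BotSubmissionGate:
    """Throttle 'add bot' requests per client IP; no password is ever received."""

    def __init__(self, max_adds=3, window_s=3600, max_series=2):
        self.max_adds = max_adds          # accepted adds per IP per window
        self.window_s = window_s          # sliding window length in seconds
        self.max_series = max_series      # names allowed per numbered stem
        self.recent = defaultdict(deque)  # ip -> timestamps of accepted adds
        self.series = defaultdict(int)    # (ip, stem) -> numbered names seen

    def check(self, ip, bot_name, now=None):
        """Return (accepted, reason) for one submission."""
        now = time.time() if now is None else now
        q = self.recent[ip]
        while q and now - q[0] >= self.window_s:
            q.popleft()                   # forget adds older than the window
        if len(q) >= self.max_adds:
            return False, "rate limit"
        # "name-1", "name_2", "name3" all share the stem "name".
        m = re.fullmatch(r"(.+?)[-_ ]?(\d+)", bot_name.strip().lower())
        if m:
            key = (ip, m.group(1))
            if self.series[key] >= self.max_series:
                return False, "numbered-series name"
            self.series[key] += 1
        q.append(now)
        return True, "accepted"

if __name__ == "__main__":
    gate = BotSubmissionGate()
    for i, name in enumerate(["name-1", "name-2", "name-3", "farmer", "healer"]):
        print(name, gate.check("203.0.113.5", name, now=float(i)))
```

A CAPTCHA on the submission form could sit in front of this check; either way the only data held is the IP, the bot name and timestamps.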

  15. #12
    Hero's Avatar
    Join Date
    Feb 2011
    Gender
    male
    Location
    memes
    Posts
    40,134
    Reputation
    4764
    Thanks
    9,674
    Thread won't be undeleted and will remain that way. Reprimand will be handed out.

    Editor from 06•14•2011 • 2014
    Donator since 09•16•2011
    Minion from 10•10•2011 • 01•06•2011
    Minion+ from 01•06•2012 • 08•08•2012
    Moderator from 08•08•2012 • 10•06•2012
    Global Moderator from 10•06•2012 • 12•05•2017
    Staff Administrator from 12•05•2017 • 05•01•2019
    Trusted Member since 07•13•2019
    Global Moderator since 09•11•2020




  16. The Following 2 Users Say Thank You to Hero For This Useful Post:

    Demaier (08-20-2016),Original (11-30-2016)
