X-Fire Exposes Your Username and Password

They seem to have removed EU as far as I can tell... so it should be safe.
I used it way before EU was added tho and it's a cool program.
Thanks for the heads up I may consider reinstalling it then.
And yes it is a cool program.
:)
 
Well I did get a lot of responses from their forum and this one stuck out the most:


--------------------------------------------------------------------------------

So Mfive's post is pretty clear but I should explain a couple other things as well.

I understand you realize that the problem is not with Xfire and that it is the way the game is doing their login. However, simply playing with Xfire running on another computer doesn't resolve the issue that the game passes your username and password through command line.

The security risk you are worried about is a flaw in the game's launcher which is open for any program or other on your computer. Since your username and password is being passed through command line the data is likely not encrypted and can be intercepted whether you are running Xfire or not. It could be read from your memory, etc.

Run a program called process explorer after you've launched a game (this is what we did to research your request), you will see that your username and password information is right there plain as day in the command line parameters.

Unfortunately, the only way to avoid this "risk" that you are worried about is to not play Entropia at all. Not running Xfire on that computer doesn't accomplish anything but not running Xfire on that computer. I hope this helps a bit.

RC
 
Wow! Thanks Mfive. I'm sure you're prolly not reading these now, but I'm very pleased to see such an effective support! Posting on another forum too!? :eek: Excellent. Hell we find it hard enough to get our own support to post here!

Yeah we have some cool smilies =D

:laugh::shots::pic::topic::dancing::nutkick::whip:
 
So Mfive's post is pretty clear but I should explain a couple other things as well.

I understand you realize that the problem is not with Xfire and that it is the way the game is doing their login. However, simply playing with Xfire running on another computer doesn't resolve the issue that the game passes your username and password through command line.

The security risk you are worried about is a flaw in the game's launcher which is open for any program or other on your computer. Since your username and password is being passed through command line the data is likely not encrypted and can be intercepted whether you are running Xfire or not. It could be read from your memory, etc.

Run a program called process explorer after you've launched a game (this is what we did to research your request), you will see that your username and password information is right there plain as day in the command line parameters.

Unfortunately, the only way to avoid this "risk" that you are worried about is to not play Entropia at all. Not running Xfire on that computer doesn't accomplish anything but not running Xfire on that computer. I hope this helps a bit.

RC

Wow, I just checked it, and it's absolutely correct. Here's the program that was mentioned, from the official MS site: http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

After launching, just click properties of "Entropia.exe" process, and you'll see your username and password out in the open in command line parameters....

I think we should be all very worried. I'm shocked :eek:
 
I just have one thing to say GOLD CARD everybody.:eek:
 
Wow, I just checked it, and it's absolutely correct. Here's the program that was mentioned, from the official MS site: http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

After launching, just click properties of "Entropia.exe" process, and you'll see your username and password out in the open in command line parameters....

I think we should be all very worried. I'm shocked :eek:


Shocked?

I posted about this problem MONTHS ago.

Yesterday I logged off my other game and noticed that I was looking at my desktop. That game also uses a client loader - but the client loader closes after logging in and while the game is loading.

I think logged into EU and then exited the game. I'm sitting there looking at my client loader with my login and password information still entered.

Why doesn't the client loader automatically close when the game loads?

It seems that not only would my information be better protected with the client loader automatically closing, but MA would benefit because it would force the player to accept the EULA at every login.
 
Yesterday I logged off my other game and noticed that I was looking at my desktop. That game also uses a client loader - but the client loader closes after logging in and while the game is loading.

I think logged into EU and then exited the game. I'm sitting there looking at my client loader with my login and password information still entered.

Why doesn't the client loader automatically close when the game loads?

It seems that not only would my information be better protected with the client loader automatically closing, but MA would benefit because it would force the player to accept the EULA at every login.

Yes, but it doesn't matter if Loader is closed or not, you can retrieve username and password anytime by checking entropia.exe process and command line options that it was launched with.

As Queen said, make sure to order a gold card asap if you don't have it already...
 
weeeeee PE login ftw


But feel free to continue using external software connected to "ClientLoader.exe"...
 
I love my GC! as is said here it's MA's fault. simple solution in this case is to not submit any crash reports. although apparently this is fixed so that is good news.
 
hmmmmm

hmmmm I really dun know what to think, I've never used Xfire, nor will I EVER run 3rd PARTY SOFTWARE with EU,, EVER!!!! why?? for one it's against the EULA, I mean wat makes XFIRE so damn special, just cuz it was advertised here?? F that, be smart follow the EULA ppl, and if XFIRE was gettin ure user/pw of course they're gonna say it's safe now! lol COMOOON ppl don't trust NOOOO 3rd party software unless directly endorsed by MA!:wtg: Can't you get banned for breaking the EULA anymore?
 
I love my GC! as is said here it's MA's fault. simple solution in this case is to not submit any crash reports. although apparently this is fixed so that is good news.

It's really not that simple. The login system is messed up and MA should do something about it.
 
hmmmm I really dun know what to think, I've never used Xfire, nor will I EVER run 3rd PARTY SOFTWARE with EU,, EVER!!!! why?? for one it's against the EULA, I mean wat makes XFIRE so damn special, just cuz it was advertised here?? F that, be smart follow the EULA ppl, and if XFIRE was gettin ure user/pw of course they're gonna say it's safe now! lol COMOOON ppl don't trust NOOOO 3rd party software unless directly endorsed by MA!:wtg: Can't you get banned for breaking the EULA anymore?

:laugh: Xfire is like TeamSpeak, messenger, Skype, or any other thingies that you use on your comp
It DOES NOT influence your gameplay except, maybe, making it a bit more enjoyable as you can actually talk (using your own voice) with your team, for example.
TeamSpeak has been used in the LGs and nobody got banned :)
No need to get scared like that lol
(Actually someone runs a teamspeak server especially for EU with channels for more societies, if I am correct, I have visited ;))
 
oic

OOOO I understand but I'd still never run that or any of the ones mentioned "just in case" but then again I have a pc dedicated to runnin eu so it's diff in my case and I'm super paranoid lmao. I just think it's safer not to run anything with EU, especially "warez" PUSHED here on EF. And now that we know EU gives our user/pw via command line unencrypted for any 3rd party software to get we REALLY shouldn't want to lol:laugh:
 
It's really not that simple. The login system is messed up and MA should do something about it.

Very true, anyone who has access to your pc can get your user and pass, if they know what they are doing, whether you have xfire or not. I have xfire for games that use several servers- graw-hl-etc but I keep EU off its list so I don't get pm's when I play.
 
Fixed :woot:

Man the smilies in this forum are much better than ours.

OMG, you are so good in fast bug-fixing. Maybe there is a job opening at the MA office for you. :D

I don't know what this anti-Xfire is here by the mods, it seems they are desperately seeking for issues to be able to ban/censor this nice software.

And for the record: Next time you get a MS-crash report that is sent to Micro$oft, check the tech details of the report, you will see that your username & password is also exposed in CLEAR-TEXT. :nana:
I haven't seen anyone un-installing windows because of this. :rolleyes:

If MA would encrypt the password when storing it in memory space problem would be solved for all crash reporting software. :wtg:

I am still using it and I love the software. ;)
 
hmmmm I really dun know what to think, I've never used Xfire, nor will I EVER run 3rd PARTY SOFTWARE with EU,, EVER!!!! why?? for one it's against the EULA, I mean wat makes XFIRE so damn special, just cuz it was advertised here?? F that, be smart follow the EULA ppl, and if XFIRE was gettin ure user/pw of course they're gonna say it's safe now! lol COMOOON ppl don't trust NOOOO 3rd party software unless directly endorsed by MA!:wtg: Can't you get banned for breaking the EULA anymore?


You can't use third party software that interacts with the gameplay according to the EULA. Which means for example software like automatically picking up oil barrels at the rig when AFK, make your ava revive, run & die automatically whole day long just to get skills. Autoclick software which let you craft for hours when AFK, ... ETC

Running other software when running EU is unavoidable. Or did you install EU on a PC without anti-virus software, office, MSN, etc.... ?

So Xfire is not against the EULA at all.
 
seems to me MA really hasn't done their job here at all. with all the fears of hacking and MA's insistence everything is secure this is pure disrespect on their part. they say get a gold card to be secure. little did we realize that they said that because they KNEW the back door was open!?!

okay, here is an analogy. a safe salesperson sells a safe to a buyer telling them that it has a combo lock built in, however they sell a much better one for only $20 more dollars. the buyer refuses, thinking the built in lock should be good enough, but they are not aware the combo is printed in a spot on the safe if you know where to look. so, you do need the fancy new lock to truly be safe with your things. and the salesman knows it BUT doesn't share that lovely tidbit, because it makes him look bad.
 
This security issue has been known for a long time already.

XFire just made it plainly visible which I think is good.
We have been ignoring it long enough.

MA saying we should not use 3rd party software does not help the issue go away. Now it has been made public so clearly we should force MA to take action. There are good reasons for this.

Now this is known there will be several hackers trying to make trojans/keyloggers with the specific task to look for the entropia process and discover the username and password. Since none of us would willingly and knowingly install such a trojan/keylogger they will probably be spread by viruses or other malicious software. As for the gold card as extra protection it will help prevent the bad guys from easily getting access to your account. But at the very least they could get your account blocked by putting in random GC security numbers. Which would be annoying at the very least.

I will be making a support call for this and would recommend everyone else to do the same.

Cheers
Richard
(ingame Siam)
 
I submitted the following support case to MA.

On a thread about XFire on entropiaforum it has been brought to general attention that any virus/trojan/spyware can just grab the username and password from the entropia.exe process when it is running. Since new viruses/trojans/spyware can go undetected for weeks this means there is a serious security leak. Now that it is general knowledge we can be sure there will be a group of hackers trying to get this information.

Even though I have a gold card I would like this security issue solved. Since for the bad guys it is easy to lock my account and thus preventing me from playing the game, they only have to put in 3 random number sequences. If this suddenly would happen on a mass scale none of your customers would be able to play which would result in a financial loss for MA. So even as a business case it would be in MA its interest to solve this issue.

I hope MA will solve this issue fast enough to prevent a big onslaught of viruses/trojans aimed to get our login information.

Regards

Feel free to use it as a template for your own support call.

Remember the more similar support calls placed the higher it gets on MA its priority list.

Cheers
Richard
(ingame Siam)
 
A bump for rhogenbe's support case, please send it in to make MA aware of it.
 
Cheers for that, uninstalling now...and a quick change of password!
 
Cheers for that, uninstalling now...and a quick change of password!

There will still be the issue that any new virus/trojan/spyware aimed at getting this info might be able to succeed in getting your login information. :(

Cheers
Richard
(ingame Siam)
 
I have sent support case to MA as well, we should all send support case to them so they will investigate further.
I am so mad at xfire now, how dare they abuse our trust like this.:mad:

If somebody has physical access to your computer the way the game is set they will have access to your login and password if the game is running (and it doesn't require the client loader on)

Problem is how MA wrote their code, xfire only sends what it is common to send on program crashes.

So my advice is to in the mean time get a gold card.

P.S:
Rhogenbe even made a nice copy/paste what support should be getting these days...
 
If somebody has physical access to your computer the way the game is set they will have access to your login and password if the game is running (and it doesn't require the client loader on)

Problem is how MA wrote their code, xfire only sends what it is common to send on program crashes.

So my advice is to get a gold card.

While a gold card will make the chance of you losing anything luckily a lot smaller there is still a small annoying problem. If someone would use your login information and would put in 3 wrong gold card numbers your gold card will be out of sync. And you would effectively be under a denial of service attack.

So even with a gold card (I have one myself) I would like this issue solved.

Cheers
Richard
(ingame Siam)
 
Now that I know xfire is not at fault here I may reinstall it but it is an old issue brought back to life and should be dealt with by MA as it affects everyone even goldcard users like myself.
 
the clientloader.exe is just a GUI interface that will initiate entropia.exe with extra parameters. I'm guessing this is where xfire picks up the password and username.

start clientloader -> type in login info -> clientloader triggers a command like this "entropia.exe -u sob -p mysupersecretbutnotsecuredpassword -resolution 1024 -window"

if you start EU through xfire or any other application it will pick this up in the logs.

I don't know if the login info is encrypted when it's sent from entropia.exe to the server. if it's not encrypted, anyone on the network can easily get the password. as a rule all passwords should be encrypted anyways...

I don't use xfire myself. so if someone could tell me exactly how xfire operates compared to EU that would be great (do you start EU through xfire or is xfire running on the side)
 
XFire starts the client loader.

And the issue is not really about XFire but that any process monitoring tool can pick up your login information from the entropia.exe process that is running.

Cheers
Richard
(ingame Siam)
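
The launcher pattern discussed in this thread, shown beside a hardened form, as an added example that is not code from any poster, from Xfire or from the game. The child process is a hypothetical stand-in for the game client, the `-u`/`-p` flags and sample values are taken from the command line quoted above, and the flag names in `SECRET_FLAGS` are assumptions. It also includes a small audit helper that masks password-style arguments before a command line is logged or attached to a crash report.

```python
import json
import subprocess
import sys

# Stand-in for the game client (hypothetical): reports the argv it was started
# with, which is what a process viewer shows, and whether stdin carried a secret.
CHILD = (
    "import sys, json\n"
    "secret = sys.stdin.readline().strip()\n"
    "print(json.dumps({'argv': sys.argv[1:], 'got_secret': bool(secret)}))\n"
)

def _run(args, stdin_text):
    cmd = [sys.executable, "-c", CHILD, *args]
    done = subprocess.run(cmd, input=stdin_text, capture_output=True,
                          text=True, check=True)
    return json.loads(done.stdout)

def launch_with_argv(user, password):
    """Pattern from the thread: the password is a command-line parameter."""
    return _run(["-u", user, "-p", password, "-window"], "")

def launch_with_pipe(user, password):
    """Hardened form: the password travels over the child's stdin pipe."""
    return _run(["-u", user, "-window"], password + "\n")

SECRET_FLAGS = {"-p", "-pw", "--password"}  # assumed flag names for the audit

def redact_argv(argv):
    """Mask values of password-style flags; return (masked argv, found_any)."""
    masked, found, hide_next = [], False, False
    for tok in argv:
        flag, eq, _ = tok.partition("=")
        if hide_next:
            masked.append("***")
            hide_next, found = False, True
        elif eq and flag in SECRET_FLAGS:
            masked.append(flag + "=***")
            found = True
        else:
            masked.append(tok)
            hide_next = tok in SECRET_FLAGS
    return masked, found

if __name__ == "__main__":
    pw = "mysupersecretbutnotsecuredpassword"  # sample value from the post
    print(launch_with_argv("sob", pw)["argv"])   # password sits in argv
    print(launch_with_pipe("sob", pw))           # argv clean, secret received
```

The pipe keeps the password out of the process's recorded command line only; it still exists in the child's memory while in use.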
 