GMC Forum Hacked?
Exclusive: Interview With The GameMaker Community Hacker
Just over a month ago, Game Maker Blog reported that the popular GameMaker Community forums had been hacked. YoYo Games,
the company who own the GameMaker program and operate the board,
estimated that between 5000-8000 user accounts had been compromised by a
password logging script.
They were wrong.
Game Maker Blog has hosted an exclusive interview with the hacker who
stole the credentials and passwords of over 200,000 community members.
Prior to starting the interview, it was vital that the individual
proved that he was who he claimed to be. Appropriate proof was provided,
and we are very confident that the information provided is accurate.
Minor changes to phrasing have been made to improve readability and
clarify context.
Continue reading for our full interview with the GameMaker Community forum hacker.
“Thank you for contacting Game Maker Blog. Why did you decide to write to us, and what do you hope to achieve by doing so?”
“I saw the official forum topic about the hack and cringed at the amount of misinformation that was present, and especially the attitude of prominent community member NakedPaulToast. Since the topic is now locked, this seemed like the easiest way to convey the truth.”
“Details on how the hack was achieved are scarce. How did you gain access to the login script on the forum server?”
“Basically, one of the forum administrators used the same password on
his own site which I hacked, so I retrieved the password and logged
into his account on the GameMaker Community forums. Escalating from that
to system level access is rather trivial.”
“Were you able to access the database?”
“The login script itself has to have access to the database, so why
would it be safe? The web server executes PHP code which needs user
credentials to connect to the MySQL database. Thus the web server has
‘direct’ access to the database.
In the forum topic NakedPaulToast seemed to convey
that being able to modify a login script does not mean the database
was/can be compromised. It can and was compromised. I downloaded the
entire database.
In addition, I modified the forum’s login script to store plaintext
passwords in the now-famous ‘log.txt’ file. I also changed the forum’s
code to force everyone whose password wasn’t recorded in ‘log.txt’ to
logout and log back in.”
“How many plaintext passwords did you gain access to in total?”
“211,016 users and their hashed passwords were compromised, and of
those passwords 96.8% have been cracked so far in addition to the 2163
unique plaintext passwords which were recorded by the login script.
The forum software, IP.Board, uses the md5(md5($salt).md5($pass))
algorithm, which is basically a triple MD5 hash with unique randomized
salts. With a GPU you can achieve 3 billion tries per second easily.
Most of the passwords were cracked using dictionaries and mutations.”
“Which administrator had their site compromised originally, and which site was it?”
“Trollsplatterer. His site www.trollsplatterer.be
was in his profile and thus led me to compromise it and retrieve his
password. The site was compromised through a simple SQL injection.”
“What do you plan to do with the acquired data?”
“I’ve so far sold the data to a friend to be used to compromise Runescape
accounts and sell the gold on them for good money (according to him).
Personally I’ve used it to gain access to the email accounts of a few
individuals.
Because of the relations of GameMaker creator Mark Overmars,
the board actually contains quite a few high profile users. These are
ideal to have in your database bank to compromise other sites.”
“Are you a GameMaker user yourself?”
“Yes, and I have been for a multitude of years. Ever since I took up
hacking years ago I’ve been wanting to hack the GameMaker Community
forums just for the fun of it. Hacking websites you visit is the
nectarine of life and unimaginably fun and exciting.”
“How would you sum up the way in which YoYo Games handled the situation?”
“They downplayed the situation or are even more incompetent than I thought.
First of all, no other announcement than the topic on the forum was
made. Second, they could’ve easily determined how long the script had
been running by looking at the modified files and especially the
creation date of ‘log.txt’. Third, they have done nothing else than
reset admin passwords and upgrade the forum software to prevent this
from happening again.
The incompetence of the GameMaker Community forum administrators led to their security downfall.
Security audits anyone?”
Game Maker Blog was criticized by both community members and YoYo Games staff for
suggesting that the forum hack may have affected all 200,000+ members of
the board, with YoYo Games employee and shareholder Mike Dailly quoted as saying
“the post on GMB was vastly over-exaggerated” and “sensationalized”,
further claiming that the compromised data was “virtually useless”.
Given that YoYo Games were getting ready to attend GDC 2013
just as news of the hack came to light, it seems very likely that they
did indeed downplay this massive security violation. As the issue was
not addressed thoroughly, thousands upon thousands of users are
currently not aware that their username, email address, and plaintext
password have been compromised.
Community members expressed concerns on the matter: “I think consumers knowing if their data is secure is more important than the GDC…”
At the very least, YoYo Games should send an email to their mailing
list subscribers to alert them to the breach. The user-base should be
given complete and utter priority, and it certainly seems like we
haven’t been.
Sorry if this is already old news, just sharing for those who don't know yet.
Pinneaple Studios- GM Intermediate
Number of posts : 839
Points : 980
Join date : 06.01.13
Age : 22
Location : Depok :D
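As an added illustration that is not part of the article or of this thread: the IP.Board scheme quoted in the interview, md5(md5($salt).md5($pass)), is three fast MD5 calls per guess, which is why a GPU gets through billions of candidates per second. The code below implements that legacy scheme, a PBKDF2-HMAC-SHA256 replacement, and a login path that transparently rehashes a legacy account on its next successful login. The record layout, field names and the sample user are assumptions, not the forum's actual data.

```python
import hashlib
import hmac
import os

# Legacy IP.Board-style scheme named in the interview: md5(md5(salt).md5(pass)).
# Three fast MD5 digests per candidate, so offline guessing is cheap.
def ipb_legacy_hash(password: str, salt: str) -> str:
    salt_md5 = hashlib.md5(salt.encode()).hexdigest()
    pass_md5 = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((salt_md5 + pass_md5).encode()).hexdigest()

# Replacement: PBKDF2-HMAC-SHA256 with a high iteration count, stored as a
# self-describing string "pbkdf2$<iterations>$<salt hex>$<digest hex>".
PBKDF2_ITERATIONS = 600_000

def pbkdf2_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare

def login_and_upgrade(record: dict, password: str) -> bool:
    """Verify against whichever scheme the record uses. On a successful login
    with the legacy scheme, rehash with PBKDF2 and drop the old salt so the
    weak hash no longer exists in the database. (Assumed record layout.)"""
    if record["hash"].startswith("pbkdf2$"):
        return verify_pbkdf2(password, record["hash"])
    expected = ipb_legacy_hash(password, record["salt"])
    if not hmac.compare_digest(expected, record["hash"]):
        return False
    record["hash"] = pbkdf2_hash(password)
    record.pop("salt", None)
    return True

# Constructed sample record; not real data from the breach.
SAMPLE_USER = {"name": "example_user", "salt": "a1b2c3",
               "hash": ipb_legacy_hash("correct horse", "a1b2c3")}
```

Accounts that never log in again keep their legacy hash, so a migration still needs a forced reset or an expiry for records that remain in the old format.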
Re: GMC Forum Hacked?
I also rarely open GMC, or the Sandbox either.
Asuna- Global Moderator
Number of posts : 1711
Points : 1901
Join date : 10.01.13
Re: GMC Forum Hacked?
What is GMB, mate?
Pinneaple Studios- GM Intermediate
Re: GMC Forum Hacked?
GMB?
Fake Game Master?
Asuna- Global Moderator
Re: GMC Forum Hacked?
Poor them....
Huh, why was he removed?
Pinneaple Studios- GM Intermediate
Re: GMC Forum Hacked?
They say it was because he abused his position as moderator to advertise for his own benefit. I don't know whether that's true or not.
Re: GMC Forum Hacked?
what the hell?? why can a staff member do such a criminal action?
Or maybe it was because his account had already been hijacked.
Might as well ban the account / block the site and prosecute the perpetrator, plus a fine.
Asuna- Global Moderator