|3 posts found|
OP 3/18/13 10:00:37 PM#1
Lord of the Rings Online currently has a security hole that makes possible for someone to get game usernames and passwords. Lotro forces players to use their game account names and passwords for the official forums. The forums used to use https but now only use http for login, and so now sends your username and password in plain unencrytped text. So anyone on a network or capturing data on a wifi network can catch a player's name and password for the game. At some point the forums at Lotro stopped using https and so now everything is sent unencrypted.
I play Lotro and am pretty concerned about this. A bunch of players have emailed about this to Turbine, but they have been silent on this and done nothing for more than a month. This seems like a pretty big security hole. I can't believe a company running one of the top MMOs would let this happen.
More information is here on the offcial forums. Apparently this would be pretty easy to fix, but Turbine has a tendency to let things go and not to fix game bugs and other forum problems.
I think people assume that games like LOTRO will protect your account and passwords better. Or are other MMOs this bad at security?
3/19/13 2:35:34 AM#2
There's an easy fix for that, don't use the forum :) (or use it with a separate, strictly forum account like I do)
I still remember before the server transfer there were pretty serious concerns about the forum over there, regarding both Sapience and security. Same with my.lotro's security issues. Heck, the lotrocommunitiy page is started just because of that :)
So yep, after we got merged to a new Turbine acc I haven't even set a forum name on my accounts, nor activated my.lotro (lotteries aren't my style anyways). But I feel for those who actively use the forum, it's a pretty bad move to switch back for plain http. Someone posted though the https auth.php link which is still accessible.
3/19/13 5:58:39 AM#3
I'll repeat here what I've said on the official forum, in case it gets lost or moved.
If you're concerned about your account's security, you can:
Depending on your browser's settings, the login page may look a little different than usual, but your account name and password will be securely encrypted.
Keep in mind that it might take some time for your new password to become active on the community site, but it should become active immediately for logging into the game.
If you've read this far, you probably wonder if you should take the word of a stranger regarding your account security and click on potentially unfamiliar links. Good for you, because the answer is no. I hope some other helpful community members will confirm these steps as safe.
This is not an emergency, and if your account hasn't been compromised already, these steps will help protect you.