In light of the recent Naica Online security issues claim brought to the attention of the mods of MMORPG, we have conducted a full and frank autopsy into the events that led to the current situation.
On March 8, 2021, a user called /u/gamingsec posted a thread on our subreddit concerning the alleged security practices of Naica Online. This user disclosed to us a number of username and password combinations; 5 of these, chosen at random, were tested by a single moderator, and all 5 worked on the main Naica website without difficulty. This moderator reached the same conclusion as the original post, that this was a legitimate credential dump, and believed /u/gamingsec's claim that it was due to the company storing passwords in plain text in their database, despite no actual proof of this beyond the word of /u/gamingsec. This moderator then made a thread further pointing out this "vulnerability" and throwing fuel on the proverbial fire, which is when the topic started to pick up traction from other outlets, such as MMO Bomb, who treated our "verification" of the situation as legitimate.
Another thread, posted by /u/ralopd, provided a statement issued by Naica on their Discord server, in which they denied that they stored passwords in plain text, but did admit that their systems were previously vulnerable to credentials being brute-forced as part of a credential farming operation (where there are no checks on the frequency of password attempts), and asserted that the previously-compromised details handed to us were in fact taken from an earlier report on the website Have I Been Pwned? that listed compromised credentials. They have stated that their login servers are now much more robust in the face of a future attack of this nature.
/u/ralopd also made several comments that we wanted to address directly:
We agree that /u/gamingsec very likely made up the plain-text password claim, and are now confident that this was done due to a personal feud with the company. We also agree that their comments, in hindsight, are incredibly suspicious and at the very least indicate bad-faith reporting.
MassivelyOP in fact did not verify the data breach, and only wrote about players claiming that the game's ecosystem had exploits, and the moderator above failed to check this.
The moderator in question did indeed remove the original post after the post made by /u/ralopd, as only then did it become clear to them that they had potentially been misled by /u/gamingsec, and they took down the post to avoid further alarm.
In our super-secret treehouse moderator chat, the issue was discussed by the original moderator and a Senior Moderator, during which the conversation very quickly escalated to a PSA and adding anything related to Naica to our automod system; there was no further input on the next steps from any other member of the moderation team, and the Senior Moderator in question granted the PSA post, knowing only what the other moderator had told them and not being in a position to question the data at the time.
For those who are new to the subreddit, I would like to reiterate that we believe we have a duty to expose legitimate MMO-related problems to our community, especially if we believe there is a cover-up, or if a company is not treating the situation seriously. The initial comments made by Naica (out of context as they were) were used as justification for a PSA in this circumstance.
Frankly, we as a subreddit have fucked up. Too much emphasis was put on exposing what was initially seen as a fundamental security problem not being taken seriously, and not enough critical thinking was applied with respect to either /u/gamingsec's intentions, or Naica's own internal situation.
Firstly, we are not going to demote the moderator in question; we believe his intentions were in the right place, and this was ultimately not an act of malice. However, we are going to shake up how we handle such threads in the future.
If we receive a request for a post to be made regarding a sensitive or a security-related post (be it via modmail, or an actual thread created in the subreddit) about an MMO or an associated company in the future, we will put that post on hold for 48 Working Hours. In the meantime, we will reach out to a representative of the game for an official response regarding the issue. Once that 48 Working Hours window is up, the post is permitted with whatever response has been gathered from a company representative; no response received is also noted, as is a refusal to provide a response i.e. 'no comment'. The reason for 48 Working Hours is that it covers weekends and national holidays in the country of the office we contact for a response and is a reasonable amount of time for any decent company to issue a response to an emerging development.
We let you, the community, down in this situation, and we also let down the people who trust us enough for our verification of a situation to mean something; we apologise profusely for any distress we've caused the developers of Naica Online, and for any confusion we have caused our readers in both our claims and our subsequent retraction of those claims. We want people to be able to trust us when we say "We've verified this", and in this instance, our conduct fell far short of this expectation. We will be holding ourselves to a higher standard moving forward, and you can expect a higher standard of journalistic integrity from the moderation team of MMORPG on such topics in the future.
Source: Original link
© Post "Regarding our mistake about the (fake) Naïca vulnerability." for game Gaming News.