
Thread: If you've used ArbiBots on PB READ THIS

  1. #26
    Join Date
    Sep 2006
    Posts
    5,219
    Mentioned
    4 Post(s)
    Quoted
    1 Post(s)

    Default

    Quote Originally Posted by kitchenrange View Post
    So, you are saying that it couldn't be done?

    Someone with commit access couldn't change something that would be updated using the hourlies that every time declareplayers was called, it sent the password to somewhere?

    Even if you could catch them it would be afterwards. I don't know the inner workings of the system, but it seems like that could be done easily.
    It could be done, but you can catch them beforehand, by checking the code after every update and new script. Of course people don't take time to do this, but the point is, encryption wouldn't help.

  2. #27
    Join Date
    Oct 2009
    Location
    Stockton, CA
    Posts
    2,040
    Mentioned
    0 Post(s)
    Quoted
    1 Post(s)

    Default

    I think there is an on-update hook for SVN, don't know anything about Git though...
    Somebody could write one and Wizzup could add it. Basically it would be what Boreas said and just scan through all the core files + maybe SMART, for the decryptpassword function being used in any function other than the allowed ones. If it doesn't exist anywhere else, commit, else flag or deny.

    It wouldn't do it for scripts because that is the user's responsibility..

  3. #28
    Join Date
    Mar 2007
    Posts
    1,700
    Mentioned
    0 Post(s)
    Quoted
    8 Post(s)

    Default

    The easiest way to do this would be for the developers to pack some code in the .dlls to steal your accounts. Or wizzup could simply pack similar code into simba on release, although that possibly could be picked up by virus detection.

  4. #29
    Join Date
    Oct 2008
    Posts
    500
    Mentioned
    1 Post(s)
    Quoted
    0 Post(s)

    Default

    Quote Originally Posted by Boreas View Post
    It could be done, but you can catch them beforehand, by checking the code after every update and new script. Of course people don't take time to do this, but the point is, encryption wouldn't help.
    I concede on the encryption/decryption.

    But my main point was that it could be done, I keep seeing posts, one by you yourself I believe saying that good thing this can't happen at SRL or something similar. I just didn't want the community's eyes to be closed to the possibility.

  5. #30
    Join Date
    Sep 2006
    Posts
    5,219
    Mentioned
    4 Post(s)
    Quoted
    1 Post(s)

    Default

    Quote Originally Posted by kitchenrange View Post
    I concede on the encryption/decryption.

    But my main point was that it could be done, I keep seeing posts, one by you yourself I believe saying that good thing this can't happen at SRL or something similar. I just didn't want the community's eyes to be closed to the possibility.
    I don't remember saying it can't happen (I investigated password stealing incidents quite a bit in 2007). Agreed, everyone should be aware of the possibility.

    _____________________________________

    There should be a tutorial on how to check for password stealing. Something along the lines of:
    Your password is stored in a variable called Players[<NUMBER>].Pass. (<NUMBER> is which player in the array, often the variable CurrentPlayer.) It is a global variable in Players.simba, and can be accessed by other parts of SRL, and scripts that include SRL. AFAIK plugins can not access this variable unless it is passed as a parameter of a function in a plugin, called from a script that can access it. The following locations in SRL access it ... The following are ways scripts can access it.... The following are ways it could be stolen...
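
An added example, not part of the original posts and not SRL or Simba code: a Python check of the kind posts #27 and #30 describe, which flags any file outside an allowlist that reads `Players[...].Pass` and returns a commit/deny decision. The file names, the allowlist and the Pascal snippets are constructed for illustration.

```python
import re

# Pascal identifiers are case-insensitive, so every pattern ignores case.
DIRECT = re.compile(r"\bPlayers\s*\[[^\]]*\]\s*\.\s*Pass\b", re.I)
WITH_PLAYER = re.compile(r"\bwith\s+Players\s*\[[^\]]*\]\s*do\b", re.I)
BARE_PASS = re.compile(r"(?<![.\w])Pass\b", re.I)


def find_password_reads(source):
    """Return (line_number, text) for each line that touches a player's Pass field."""
    hits, in_with = [], False
    for number, line in enumerate(source.splitlines(), start=1):
        # After 'with Players[i] do' the field can be written as a bare 'Pass'.
        # Scope is not tracked: every later bare 'Pass' in the file is flagged,
        # which over-reports rather than misses a read.
        if WITH_PLAYER.search(line):
            in_with = True
        if DIRECT.search(line) or (in_with and BARE_PASS.search(line)):
            hits.append((number, line.strip()))
    return hits


def audit(files, allowed):
    """files maps path -> source; return {path: hits} for paths not in `allowed`."""
    report = {}
    for path, source in files.items():
        if path.lower() in allowed:
            continue
        hits = find_password_reads(source)
        if hits:
            report[path] = hits
    return report


def hook_decision(files, allowed):
    """'commit' when nothing outside the allowlist reads the password, else 'deny'."""
    return "deny" if audit(files, allowed) else "commit"


# Constructed sample tree (hypothetical paths and Pascal, not real SRL files).
SAMPLE = {
    "core/Login.simba": "procedure LoginPlayer;\nbegin\n  EnterText(Players[CurrentPlayer].Pass);\nend;\n",
    "core/Text.simba": "function Same(s: string): string;\nbegin\n  Result := s;\nend;\n",
    "core/Antiban.simba": "procedure Rest;\nbegin\n  with players[0] do\n    Log(Name + pass);\nend;\n",
}
ALLOWED = {"core/login.simba"}  # hypothetical allowlist, lower-cased paths
```

A hit is a prompt to read the surrounding code, since the pattern cannot tell a legitimate login call from a leak.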

  6. #31
    Join Date
    Feb 2007
    Location
    Colorado, USA
    Posts
    3,716
    Mentioned
    51 Post(s)
    Quoted
    624 Post(s)

    Default

    Quote Originally Posted by Matsetst View Post
    http://oi52.tinypic.com/nqtkwp.jpg
    Funny name to call it.. stealthbot

    that's a battle.net bot :O

    anyways.. yea.. whatever really did happen (people on SRL say he didn't do the keyloggers) anyway, change your password if you used any powerbot IMO

  7. #32
    Join Date
    Nov 2008
    Location
    Melbourne, Australia
    Posts
    2,240
    Mentioned
    3 Post(s)
    Quoted
    11 Post(s)

    Default

    On IRC I joined #RSBOT and it had ~30 people, time went on I went to bed I woke up and it had over 200 people, and I had a PM from some random which said "rsbot got hacked go here to see whether your account is safe" and it was the RS login page (phishing lol)
    The LINK BELOW IS TO A SITE THAT WILL STEAL YOUR PASSWORD. IT IS SAFE TO CLICK ON IT AND LOOK AT IT, BUT DO NOT ENTER ANY ACCOUNT INFORMATION.
    <aFrX> rsbot was hacked check if your account is in danger http://powerbothacked . tk
    E: Added spaces between the .tk so you don't accidentally click on it then accidentally click on the phishing link and then accidentally write in your username and password
    Last edited by YoHoJo; 02-07-2011 at 02:40 AM.

  8. #33
    Join Date
    Feb 2007
    Location
    Colorado, USA
    Posts
    3,716
    Mentioned
    51 Post(s)
    Quoted
    624 Post(s)

    Default

    Quote Originally Posted by cycrosism View Post
    On IRC I joined #RSBOT and it had ~30 people, time went on I went to bed I woke up and it had over 200 people, and I had a PM from some random which said "rsbot got hacked go here to see whether your account is safe" and it was the RS login page (phishing lol)
    Just put in an account "gull" pass "ible"


  9. #34
    Join Date
    Dec 2006
    Posts
    908
    Mentioned
    1 Post(s)
    Quoted
    17 Post(s)

    Default

    This is probably the most HILARIOUS thing that's happened this year! Gho$t is my idol. However I got to say, close call. I could've lost my level 136 (however unlikely due to the fact they could just get other level 138 with 1b+ net worth.), and I would've...not cared cause I quit and I didn't even put any REAL effort to my account other than paying electric bills if you know what I mean ;p

    To people complaining saying Gho$t is an ass and what not.. Sure he is! But he's the good kind of ass that just taught everyone to be more careful with their accounts. Personally, he's done Jagex a favor about trusting bots.

  10. #35
    Join Date
    Nov 2008
    Location
    Melbourne, Australia
    Posts
    2,240
    Mentioned
    3 Post(s)
    Quoted
    11 Post(s)

    Default

    I just made the user and pass aaaaaaaaaa and it actually redirected me to a proper article.

    It's funny how on the fake RS login screen it says ONLY login if you see the green HTTPS bar on the top, too bad there was none.

    Also, runescape-services? epic fail lol, it's runescape.services

  11. #36
    Join Date
    Dec 2007
    Location
    Williston, ND
    Posts
    3,106
    Mentioned
    0 Post(s)
    Quoted
    3 Post(s)

    Default

    pretty good phishing site, let's spam it with swear words to make their eyes bleed when they read the logs! lol

  12. #37
    Join Date
    Oct 2006
    Posts
    1,190
    Mentioned
    0 Post(s)
    Quoted
    2 Post(s)

    Default

    anyone else lose anything? I lost about 80 million on two accounts and that was the first time I downloaded powerbot/rsbot



  13. #38
    Join Date
    Aug 2007
    Location
    Colorado
    Posts
    7,421
    Mentioned
    268 Post(s)
    Quoted
    1442 Post(s)

    Default

    Stick to Simba and you'll never have to even worry about future hacks like this, there's no safer method to botting than Scar/Simba.

  14. #39
    Join Date
    Jan 2010
    Posts
    5,227
    Mentioned
    6 Post(s)
    Quoted
    60 Post(s)

    Default

    It can still happen here. It's happened before and it's bound to happen again.

  15. #40
    Join Date
    Jan 2007
    Posts
    8,876
    Mentioned
    123 Post(s)
    Quoted
    327 Post(s)

    Default

    So much hacking going on these days..

    Wikileaks, Egypt hackings, Runescape Hackings....

  16. #41
    Join Date
    May 2007
    Location
    England
    Posts
    4,141
    Mentioned
    11 Post(s)
    Quoted
    266 Post(s)

    Default

    Quote Originally Posted by i luffs yeww View Post
    It can still happen here. It's happened before and it's bound to happen again.
    True, but it's a lot harder to do it discreetly here, and get away with it.
    <3


  17. #42
    Join Date
    Nov 2006
    Posts
    2,369
    Mentioned
    4 Post(s)
    Quoted
    78 Post(s)

    Default

    Gold4rs owns powerbot right? Maybe they have been involved in this somehow... And now selling the gold.

  18. #43
    Join Date
    Jan 2010
    Posts
    5,227
    Mentioned
    6 Post(s)
    Quoted
    60 Post(s)

    Default

    Quote Originally Posted by Rich View Post
    True, but it's a lot harder to do it discreetly here, and get away with it.
    I'd say it's just as easy if not easier here, as you can pretty easily hide stuff in scripts. It wouldn't be on the scale as it happened on rsbot, unless someone distributed their own version of simba, but code can be hidden in scripts quite easily. Especially since it'd only take up one line.

    (Not that you can't hide things in java scripts, but people are generally trusted here so people won't be as cautious.)
    Last edited by i luffs yeww; 02-07-2011 at 07:11 PM.

  19. #44
    Join Date
    Jan 2007
    Posts
    8,876
    Mentioned
    123 Post(s)
    Quoted
    327 Post(s)

    Default

    Quote Originally Posted by i luffs yeww View Post
    I'd say it's just as easy if not easier here, as you can pretty easily hide stuff in scripts. It wouldn't be on the scale as it happened on rsbot, unless someone distributed their own version of simba, but code can be hidden in scripts quite easily. Especially since it'd only take up one line.

    (Not that you can't hide things in java scripts, but people are generally trusted here so people won't be as cautious.)
    This is true. Anyone who's released a script could release a new version with a simple GET page in it. It would also be easy for anyone who's got MSI committing rights to do that for MSI.
    Luckily there's no-one in MSI that would do such a thing.

  20. #45
    Join Date
    Jan 2010
    Posts
    5,227
    Mentioned
    6 Post(s)
    Quoted
    60 Post(s)

    Default

    People trusted people who did this in the past but it still happened.

    All I'm saying is that it's not like this is rsbot's fault or anything, it's quite an easy thing to do, hacking that is.

  21. #46
    Join Date
    Aug 2007
    Location
    Colorado
    Posts
    7,421
    Mentioned
    268 Post(s)
    Quoted
    1442 Post(s)

    Default

    I suppose the only safe scripts are user-made then. Our usernames and passwords are stored within the script itself (with the exception of MSI I believe?). I've always been a fan of creating my own scripts and using them, as opposed to others' work for this reason especially. Just take a good look at a script before you use it, it could mean all the difference.

  22. #47
    Join Date
    Jan 2010
    Posts
    5,227
    Mentioned
    6 Post(s)
    Quoted
    60 Post(s)

    Default

    I'd be more worried about MSI tbh, since so many people have access to it and so the chances are higher that one of them would get hacked and someone would do bad things with the access they now have.

  23. #48
    Join Date
    Oct 2007
    Location
    #srl
    Posts
    6,102
    Mentioned
    39 Post(s)
    Quoted
    62 Post(s)

    Default

    Quote Originally Posted by i luffs yeww View Post
    I'd be more worried about MSI tbh, since so many people have access to it and so the chances are higher that one of them would get hacked and someone would do bad things with the access they now have.
    So many people..? There's only 6 of us including RM.

  24. #49
    Join Date
    Jan 2010
    Posts
    5,227
    Mentioned
    6 Post(s)
    Quoted
    60 Post(s)

    Default

    6 > 1.
