Exclusive: Interview With The GameMaker Community Hacker
April 22, 2013
Just over a month ago, Game Maker Blog reported that the popular GameMaker Community forums had been hacked. YoYo Games, the company who own the GameMaker program and operate the board, estimated that between 5000-8000 user accounts had been compromised by a password logging script.
They were wrong.
Game Maker Blog has hosted an exclusive interview with the hacker who stole the credentials and passwords of over 200,000 community members.
Prior to starting the interview, it was vital that the individual proved that he was who he claimed to be. Appropriate proof was provided, and we are very confident that the information provided is accurate. Minor changes to phrasing have been made to improve readability and clarify context.
Continue reading for our full interview with the GameMaker Community forum hacker.
“Thank you for contacting Game Maker Blog. Why did you decide to write to us, and what do you hope to achieve by doing so?”
“I saw the official forum topic about the hack and cringed at the amount of misinformation that was present, and especially the attitude of prominent community member NakedPaulToast. Since the topic is now locked, this seemed like the easiest way to convey the truth.”
“Details on how the hack was achieved are scarce. How did you gain access to the login script on the forum server?”
“Basically, one of the forum administrators used the same password on his own site which I hacked, so I retrieved the password and logged into his account on the GameMaker Community forums. Escalating from that to system level access is rather trivial.”
“Were you able to access the database?”
“The login script itself has to have access to the database, so why would it be safe? The web server executes PHP code which needs user credentials to connect to the MySQL database. Thus the web server has ‘direct’ access to the database.
In the forum topic NakedPaulToast seemed to convey that being able to modify a login script does not mean the database was/can be compromised. It can and was compromised. I downloaded the entire database.
In addition, I modified the forum’s login script to store plaintext passwords in the now-famous ‘log.txt’ file. I also changed the forum’s code to force everyone who’s password wasn’t recorded in ‘log.txt’ to logout and log back in.”
“How many plaintext passwords did you gain access to in total?”
“211,016 users and their hashed passwords were compromised, and of those passwords 96.8% have been cracked so far in addition to the 2163 unique plaintext passwords which were recorded by the login script.
The forum software, IP.Board, uses the md5(md5($salt).md5($pass)) algorithm, which is basically a triple MD5 hash with unique randomized salts. With a GPU you can achieve 3 billion tries per second easily. Most of the passwords were cracked using dictionaries and mutations.”
“Which administrator had their site compromised originally, and which site was it?”
“What do you plan to do with the acquired data?”
“I’ve so far sold the data to a friend to be used to compromise Runescape accounts and sell the gold on them for good money (according to him). Personally I’ve used it to gain access to the email accounts of a few individuals.
Because of the relations of GameMaker creator Mark Overmars, the board actually contains quite a few high profile users. These are ideal to have in your database bank to compromise other sites.”
“Are you a GameMaker user yourself?”
“Yes, and I have been for a multitude of years. Ever since I took up hacking years ago I’ve been wanting to hack the GameMaker Community forums just for the fun of it. Hacking websites you visit is the nectarine of life and unimaginably fun and exciting.”
“How would you sum up the way in which YoYo Games handled the situation?”
“They downplayed the situation or are even more incompetent than I thought.
First of all, no other announcement than the topic on the forum was made. Second, they could’ve easily determined how long the script had been running by looking at the modified files and especially the creation date of ‘log.txt’. Third, they have done nothing else than reset admin passwords and upgrade the forum software to prevent this from happening again.
The incompetence of the GameMaker Community forum administrators led to their security downfall.
Security audits anyone?”
Game Maker Blog was criticized by both community members and YoYo Games staff for suggesting that the forum hack may have affected all 200,000+ members of the board, with YoYo Games employee and shareholder Mike Dailly quoted as saying “the post on GMB was vastly over-exaggerated” and “sensationalized”, further claiming that the compromised data was “virtually useless”.
Given that YoYo Games were getting ready to attend GDC 2013 just as news of the hack came to light, it seems very likely that they did indeed downplay this massive security violation. As the issue was not addressed thoroughly, thousands upon thousands of users are currently not aware that their username, email address, and plaintext password have been compromised.
Community members expressed concerns on the matter: “I think consumers knowing if their data is secure is more important than the GDC…”
At the very least, YoYo Games should send an email to their mailing list subscribers to alert them to the breach. The user-base should be given complete and utter priority, and it certainly seems like we haven’t been.