Just over a month ago, Game Maker Blog reported that the popular GameMaker Community forums had been hacked. YoYo Games, the company that owns the GameMaker program and operates the board, estimated that between 5,000 and 8,000 user accounts had been compromised by a password logging script.
They were wrong.
Game Maker Blog has hosted an exclusive interview with the hacker who stole the credentials and passwords of over 200,000 community members.
Prior to starting the interview, it was vital that the individual proved that he was who he claimed to be. Appropriate proof was provided, and we are very confident that the information provided is accurate. Minor changes to phrasing have been made to improve readability and clarify context.
Continue reading for our full interview with the GameMaker Community forum hacker.
“Thank you for contacting Game Maker Blog. Why did you decide to write to us, and what do you hope to achieve by doing so?”
“I saw the official forum topic about the hack and cringed at the amount of misinformation that was present, and especially the attitude of prominent community member NakedPaulToast. Since the topic is now locked, this seemed like the easiest way to convey the truth.”
“Details on how the hack was achieved are scarce. How did you gain access to the login script on the forum server?”
“Basically, one of the forum administrators used the same password on his own site which I hacked, so I retrieved the password and logged into his account on the GameMaker Community forums. Escalating from that to system level access is rather trivial.”
“Were you able to access the database?”
“The login script itself has to have access to the database, so why would it be safe? The web server executes PHP code which needs user credentials to connect to the MySQL database. Thus the web server has ‘direct’ access to the database.
In the forum topic NakedPaulToast seemed to convey that being able to modify a login script does not mean the database was/can be compromised. It can and was compromised. I downloaded the entire database.
In addition, I modified the forum’s login script to store plaintext passwords in the now-famous ‘log.txt’ file. I also changed the forum’s code to force everyone whose password wasn’t recorded in ‘log.txt’ to log out and log back in.”
“How many plaintext passwords did you gain access to in total?”
“211,016 users and their hashed passwords were compromised, and of those passwords 96.8% have been cracked so far in addition to the 2163 unique plaintext passwords which were recorded by the login script.
The forum software, IP.Board, uses the md5(md5($salt).md5($pass)) algorithm, which is basically a triple MD5 hash with unique randomized salts. With a GPU you can achieve 3 billion tries per second easily. Most of the passwords were cracked using dictionaries and mutations.”
“Which administrator had their site compromised originally, and which site was it?”
“Trollsplatterer. His site www.trollsplatterer.be was in his profile and thus led me to compromise it and retrieve his password. The site was compromised through a simple SQL injection.”
“What do you plan to do with the acquired data?”
“I’ve so far sold the data to a friend to be used to compromise Runescape accounts and sell the gold on them for good money (according to him). Personally I’ve used it to gain access to the email accounts of a few individuals.
Because of the relations of GameMaker creator Mark Overmars, the board actually contains quite a few high profile users. These are ideal to have in your database bank to compromise other sites.”
“Are you a GameMaker user yourself?”
“Yes, and I have been for a multitude of years. Ever since I took up hacking years ago I’ve been wanting to hack the GameMaker Community forums just for the fun of it. Hacking websites you visit is the nectarine of life and unimaginably fun and exciting.”
“How would you sum up the way in which YoYo Games handled the situation?”
“They downplayed the situation or are even more incompetent than I thought.
First of all, no other announcement than the topic on the forum was made. Second, they could’ve easily determined how long the script had been running by looking at the modified files and especially the creation date of ‘log.txt’. Third, they have done nothing else than reset admin passwords and upgrade the forum software to prevent this from happening again.
The incompetence of the GameMaker Community forum administrators led to their security downfall.
Security audits anyone?”
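The interview describes the hash construction IP.Board used, md5(md5($salt).md5($pass)): three fast MD5 calls per guess, which is what makes GPU cracking at billions of tries per second feasible. The example below is added here and is not code from the original post or from IP.Board; it implements that legacy construction alongside a deliberately slow PBKDF2 replacement (an assumed choice, not IP.Board’s), and shows the standard remediation of rehashing each legacy record the next time its owner logs in successfully. The salt and password are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample account in the legacy IP.Board format described in the interview.
LEGACY_SALT = "k7Qx2"
LEGACY_PASSWORD = "hunter2"


def ipb_legacy_hash(salt: str, password: str) -> str:
    """md5(md5(salt) . md5(password)) as hex: three fast MD5 calls per guess."""
    inner = hashlib.md5(salt.encode()).hexdigest() + hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()


def pbkdf2_record(password: str, salt: bytes = None) -> str:
    """Assumed replacement scheme (not IP.Board's): PBKDF2-HMAC-SHA256 with a high
    iteration count, so each guess costs far more than three MD5 invocations."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000, dklen=32)
    return f"pbkdf2${salt.hex()}${dk.hex()}"


def verify_pbkdf2(record: str, password: str) -> bool:
    """Recompute the record from its stored salt and compare in constant time."""
    _, salt_hex, _ = record.split("$")
    expected = pbkdf2_record(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(expected, record)


def make_legacy_account(password: str, salt: str) -> dict:
    """Build an account row as the legacy forum would have stored it."""
    return {"scheme": "ipb_md5", "salt": salt, "hash": ipb_legacy_hash(salt, password)}


def login_and_upgrade(account: dict, password: str) -> bool:
    """Check a login. On success against a legacy record, rehash it in place with
    PBKDF2 so the fast-to-crack MD5 form is retired on the user's next authentication."""
    if account["scheme"] == "ipb_md5":
        ok = hmac.compare_digest(ipb_legacy_hash(account["salt"], password), account["hash"])
        if ok:
            account.update(scheme="pbkdf2", salt=None, hash=pbkdf2_record(password))
        return ok
    return verify_pbkdf2(account["hash"], password)
```

Note that the upgrade can only happen at login, because the plaintext is never otherwise available to the server; records whose owners never return stay in the weak form and should be invalidated by a forced reset.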
Game Maker Blog was criticized by both community members and YoYo Games staff for suggesting that the forum hack may have affected all 200,000+ members of the board, with YoYo Games employee and shareholder Mike Dailly quoted as saying “the post on GMB was vastly over-exaggerated” and “sensationalized”, further claiming that the compromised data was “virtually useless”.
Given that YoYo Games were getting ready to attend GDC 2013 just as news of the hack came to light, it seems very likely that they did indeed downplay this massive security violation. As the issue was not addressed thoroughly, thousands upon thousands of users are currently not aware that their username, email address, and plaintext password have been compromised.
Community members expressed concerns on the matter: “I think consumers knowing if their data is secure is more important than the GDC…”
At the very least, YoYo Games should send an email to their mailing list subscribers to alert them to the breach. The user-base should be given complete and utter priority, and it certainly seems like we haven’t been.
And another sociopathic hacker who gets off by harming others. Why are such people considered heroes and get media exposure?
If one knows the identity of the hacker, and the hacker has committed a criminal act, by law, isn’t this information required to be submitted to law enforcement, or could those who know this information be liable for obstruction of justice?
Beware the difference between knowing their alias and knowing the actual identity of the person.
Interesting. Well, I’m sad to see you go since I like your straightforwardness in dealing with locking topics and similar actions.
I think this whole ordeal was a big mess that was handled rather poorly by everyone, in my opinion. TV seems to have just got the worst of it since he tried to be so active in investigating. Oh well, I guess that’s how it works. Looks like someone shot the messenger. =/
Lucky my password takes approx 5 quintillion years to crack… after being changed.
This is very interesting, thank you. I’m really glad I signed up for your newsletter.
I would like to clear up some things.
“In the forum topic NakedPaulToast seemed to convey that being able to modify a login script does not mean the database was/can be compromised. It can and was compromised. I downloaded the entire database.”
I never said anything about being able to modify a login script. I didn’t discuss the modification of the login script. I took exception to TV’s claim that simply being able to access a local file means they can definitely access the database. In this case the “log.txt” file.
I was also quite clear in defining access as being “direct” access. Accessing the database via MySQL is not having direct access. MySQL has direct access; those accessing it via MySQL do not. I even clarified it in one of my posts with the statement:
“you don’t understand the differences between directly accessing data under the authority of the OS, or via the webserver or through the MySQL server process.”
and
“When you are accessing the database via MySQL, MySQL controls/filters the data. Simply put, an unprivileged account does NOT have access to all tables, nor all fields, nor all values. That’s why you can not draw the conclusion that you did.”
and
“There is no relation to the ability to create a local file and being granted (via MySQL) read-access to the table and fields that contains all the email addresses. Therefore by creating the local file, that does NOT equate to access to the database and specifically the email addresses. Which is a requirement for your claim to be true.”
and
“The webserver is an unprivileged account (with regard to the database); when I as an unprivileged user log in to the forum then my credentials are used to govern what tables, fields and data can be accessed. When you log in, your more privileged account has more access to data; this is managed by IPB, but it is also managed by MySQL.”
In the interview you said the same thing:
“The login script itself has to have access to the database, so why would it be safe? The web server executes PHP code which needs user credentials to connect to the MySQL database. Thus the web server has ‘direct’ access to the database.”
As I said, simply creating a file in the filesystem in the webroot does not mean you have access to the database. Obtaining the privileges of the webserver does nothing regarding the database; you still need credentials into the database.
Your ability to access the database was because you had Admin privileges into the database.
TV’s claim about why you were able to access the database was inaccurate then and it still is now.
I also commented on how YYGs could verify how long the exploit was running. Namely checking the MACtimes on the “log.txt” file. I was correct there as well.
You can always count on a script-kiddie to seek desperate approval for his misanthropy. Smart criminals keep their mouths shut.
It appears they are having a P.R. problem. They have had that problem for a while but it is only getting worse.
BURN IN HELL 🙂
Wasn’t me, I’ve been busy for a while.
You’re about the 6th person to blame me for this without any proof or cause.
The things I worked on had to do with expanding what could be done with the GameMaker software, I’m not a thief. The things I’ve worked on in terms of GameMaker security have all been kept contained between a fairly small group of people, if they wish to release anything I’ve worked on that’s their call. I’m not about to go inconvenience 211,016 people for the sake of money.
That said, I want to shake this man’s hand.
Zach: At your service, rootinabox @ Skype or Twitter.
I’d like to point out something obvious, but perhaps necessary. This individual who compromised security on the GMC Forums committed a criminal act for personal gain. They admit to sharing the cracked passwords with a friend so that they can compromise other accounts on other systems in order to make money by it.
While YYG’s security and incident response may well be deplorable and ineffective, don’t believe for a second that this cracker is doing everyone a public service by pointing it out. What they have done is very clearly black hat, and they feel very self-righteous and justified for taking the action that they have, while harming YYG and the Game Maker Community and its members.
Matthew, I hope that you will provide any information that could help identify the culprit to YYG, so they may pursue the matter with the appropriate authorities if they so choose. I don’t care whether they’re in the right or not for removing your status as a moderator, this matter comes above any personal disagreements you might have with them. The security of the GMC community members who may still be vulnerable comes first.
YoYoGames, I hope that you take further action as appropriate not only to press charges against this hacker, but to improve security on the site and do better when incidents happen in the future.
Plot Twist! TrueValhalla is the hacker!
Nah, but seriously, I have a few guesses about which member it is… :3
It wouldn’t surprise me if it was that Zach fellow.
G’day TV
I’d just like to leave a thought. I’ve been a member of the GMC since ’07, and I’ve always loved keeping up with the community. Being a prominent contributor, I’ve always read NPT’s posts and to be honest I’ve never liked a word the guy has said. There is a certain arrogant spin applied to every word he says, and I think it’s been reinforced and solidified throughout the years as no one has rustled him for being such an ass. I’m glad someone with a standing reputation like yours, someone that is well renowned on the GMC, finally had the balls to tell him to shove it in a not-so-lovely place.
I am very sorry to hear about your loss of moderator on the GMC. It is indeed ridiculous for them to punish someone who gave out this unfortunate but real truth.
My hat comes off to you good sir.
I’d say the same, from my experience.
So, only one thing to ask: If I login via Twitter, I’m more safe than using the login+password on the forum?
I would assume you are safe if you login via Twitter, as that uses Twitter’s secure API.
Thank you for the email you have sent me.
I am very impressed that a lot of people have not yet understood how immature and overly negative/unwise/infantile thinkers YoYoGames’ staff members are (with maybe a few exceptions). Talking from personal experience (I may be wrong overall).
Please note you were not demoted on the GMC for this post. You were demoted because there is an obvious conflict of interests here, and you have a history of problems already due to your self-promotion overkill, abuse of moderating privileges and harsh ways of dealing with members. So, don’t make yourself out to be a martyr as this was just the last straw…
I won’t make myself out to be a martyr if you don’t downplay my work as a moderator, a position I was committed to fulfilling and did so daily.
I’m not saying I was a robotic staff member that served only to keep everyone happy, but don’t make me out to be some villain.
I’m only shocked that this was what pushed it over the line.
No, I won’t underplay that at all and I’m not trying to make you out as a villain. I’ll happily state here that I think you did a great job on the forums. However, no other mod has ever received so many complaints from the forum user-base. You can’t say that you were demoted ONLY for this… There is history here that you neglected to mention in your own self interest.
I must admit I thought the same thing as Dan, knowing the differences Matthew had with NPT about the hacking situation. However, I don’t think he would invent an interview like this; it would be quite stupid and unprofessional.
My previous password on the GMC was unique to the forums, so I shouldn’t have any problems.
Interesting and it is kind of depressing…
Very interesting stuff…
While it’s important to spread this knowledge if true, without public proof of the hacker’s identity it’s hard to believe everything said here. Especially with the disclaimer at the start (“Minor changes to phrasing have been made to improve readability and clarify context.”), which gives rise to an uneasy feeling of bias (particularly as NPT is mentioned several times and I know he and Matthew have some history).
Not saying no interview took place at all – but it could be that another member infatuated with Matthew because of his success was glad of the attention?
Having changed my password (and not used the other one for anything other than the GMC anyway) I reserve my judgement on the further breach of security until I’m sure this is legit.
It is somewhat ironic that both myself and the hacker have similar views on the situation — in the forum topic I can be seen trying to push the logic that “if they had access to a local login script, they surely had access to the database”, and NPT attempted to suggest they didn’t.
The fact that the hacker also brought NPT into the discussion is just a coincidence. I’m a fan of NPT in general and he has been mentioned on this blog numerous times.
Any “minor changes to phrasing and context” are exactly that — minor. Extending the abbreviation ‘IPB’ to ‘IP.Board’, for example.
Regarding proving this is legitimate, as I said on Twitter if you can suggest a foolproof way to do so I’m open to hearing it. Since this entire event deals with sensitive data like passwords, it’s difficult to publicly prove anything. But as mentioned, I did confirm this privately, so your options here are to trust my reporting, or not.