chandra: Thanks for reaching out about this. This situation is currently being investigated.
RickyAndersen: Will we hear back from you after the investigation?
I often use wallet funds, I want to know if it's not safe!
Hi RickyAndersen.

Wallet funds cannot be transferred to another user, so at "best", if someone else logged into your account by mistake, they would be able to buy games you wouldn't like and download them for themselves.
The games would stay in your library of course, while I am not sure if your refund request would be granted if you wanted your wallet funds back.
Either way they couldn't steal any funds from your wallet, or buy a game that wouldn't remain in your library afterwards.

*Also read post #93*

Cheers.
Post edited June 06, 2019 by Fate-is-one-edge
paintedindigo: This is pretty much what happened to Steam on Christmas 2015: https://arstechnica.com/gaming/2015/12/valve-explains-ddos-induced-caching-problem-led-to-xmas-day-steam-data-leaks-and-downtime/

In that case, their caching servers had issues and served the wrong pages to people. It could be what happened here.
Thanks my dude, this was a pretty straightforward read.
RWarehall: Wouldn't the credit card token be client side, on one's own computer or mobile device?
Thus, this is a non-issue for someone who accidentally is logged into one's account.

Nonetheless, this is a serious issue, not only for privacy concerns and potential mischief, but as I pointed out, if one has Wallet Funds on one's account.
Your cc information is always stored server side. Putting it client side is 100% a PCI 3.0 compliance violation.

Note all it does is alleviate the need for vendors to store your cc information. This allows them to dodge potential issues if their servers are compromised, as they don't have your actual cc information, but instead just a 'token' which really can't be used for anything, nor can your cc information be extracted from it. Essentially it's a tactic of "you can't steal cc info if we don't store it". The token introduces a layer of obfuscation in the event of a server compromise.

But this is easily solved via requiring CCV input on checkout. Though there seems to be conflicting reports as to whether GOG does this.

This of course doesn't alleviate issues with stored wallet value.

But as I've said in previous threads, there's not a whole lot of value in stealing a GOG account and using it CURRENTLY. There's no market for GOG games on third party resellers, nor for selling GOG accounts either. This will become a bigger issue once Cyberpunk 2077 comes out for pre-order, and then there is actual demand for such things. Better to sort this kind of thing out now, rather than figuring it out when accounts get hijacked by the truckload trying to sell off copies of the game on shady cd key websites.
RickyAndersen: Will we hear back from you after the investigation?
I often use wallet funds, I want to know if it's not safe!
Fate-is-one-edge: Hi RickyAndersen.

Wallet funds cannot be transferred to another user, so at "best", if someone else logged into your account by mistake, they would be able to buy games you wouldn't like and download them for themselves.
The games would stay in your library of course, while I am not sure if your refund request would be granted if you wanted your wallet funds back.
Either way they couldn't steal any funds from your wallet, or buy a game that wouldn't remain in your library afterwards.

Cheers.
You can gift games to other people

https://support.gog.com/hc/en-us/articles/212804445-How-do-I-buy-something-as-a-gift-

Which is why GOG had to shut down gifting of The Witcher 3 because of rampant credit card fraud being used to sell GOG copies of The Witcher 3 on shady websites.

GameRager: Was it after a period of not buying? I ask as it doesn't ask me every time for such info, and I feel that they should (as others said) each time.
DebbieL: Yes, it was. I just tested it out again by buying a cheap game in my wishlist from the sale, and it didn't ask for the CVV or a confirmation. And you're right, it should.
Note that some systems will require the CCV on initial checkout, but subsequent purchases may not require it if you do them on the same day. Usually they time out after 24 hours and the CCV is required again. This is mostly to make purchases have less friction other than the initial one, so you can buy lots of gifts in a single session. Though each vendor may or may not implement such strategies.
Post edited June 06, 2019 by satoru
satoru: You can gift games to other people
Ehh...right. Totally forgot about that. Thanks for noting the omission of that possibility, on my part.

In this case, a gift can be recalled.
But I believe it would be required for the receiving party to agree on the recall or dismiss the gift, by contacting GOG.com support.
If something like that happens, while the storefront security is breached, then GOG.com support would surely show a degree of understanding and recall "reported" gifts either way, right?
In the case of money laundering, unconfirmed purchases of games as gifts, would have GOG.com invalidating those codes, hopefully, as long as they are reported by the users.
Another issue, would be finding out whose money was actually stolen, so that they could be refunded, or wouldn't it?

Oh boy, what a mess that would be.

Edit; Indeed, the heist would benefit the anonymous intruders, who committed a gift code scam, even if GOG.com invalidated the suspicious gift codes afterwards.
Post edited June 06, 2019 by Fate-is-one-edge
satoru: You can gift games to other people
Fate-is-one-edge: Ehh...right. Totally forgot about that. Thanks for noting the omission of that possibility, on my part.

In this case, a gift can be recalled.
But I believe it would be required for the receiving party to agree on the recall or dismiss the gift, by contacting GOG.com support.
If something like that happens, while the storefront security is breached, then GOG.com support would surely show a degree of understanding and recall "reported" gifts either way, right?
In the case of money laundering, unconfirmed purchases of games as gifts, would have GOG.com invalidating those codes, hopefully, as long as they are reported by the users.
Another issue, would be finding out whose money was actually stolen, so that they could be refunded, or wouldn't it?

Oh boy, what a mess that would be.
I mean the scammer just needs to sell the game on the shady cd key site. It doesn't matter if the game is recalled because the scammer already got their money. If they sell something like Cyberpunk 2077 for like 50% off it'll sell almost immediately, and then they can just run with the money before the victim figures out they've gotten screwed.

While yes, GOG can fix things after the fact, that still generally leaves a bad taste in people's mouths. It's very stressful and you're not really sure what the outcome is. It's better for GOG to prevent such incidents via some security measures such as requiring a CCV, or alternatively, for wallet transactions, asking for the email 2 factor code would be a deterrent as well.
Fate-is-one-edge: Ehh...right. Totally forgot about that. Thanks for noting the omission of that possibility, on my part.

In this case, a gift can be recalled.
But I believe it would be required for the receiving party to agree on the recall or dismiss the gift, by contacting GOG.com support.
If something like that happens, while the storefront security is breached, then GOG.com support would surely show a degree of understanding and recall "reported" gifts either way, right?
In the case of money laundering, unconfirmed purchases of games as gifts, would have GOG.com invalidating those codes, hopefully, as long as they are reported by the users.
Another issue, would be finding out whose money was actually stolen, so that they could be refunded, or wouldn't it?

Oh boy, what a mess that would be.
satoru: I mean the scammer just needs to sell the game on the shady cd key site. It doesn't matter if the game is recalled because the scammer already got their money. If they sell something like Cyberpunk 2077 for like 50% off it'll sell almost immediately, and then they can just run with the money before the victim figures out they've gotten screwed.

While yes, GOG can fix things after the fact, that still generally leaves a bad taste in people's mouths. It's very stressful and you're not really sure what the outcome is. It's better for GOG to prevent such incidents via some security measures such as requiring a CCV, or alternatively, for wallet transactions, asking for the email 2 factor code would be a deterrent as well.
Still though, the intended scammers could spam dozens of GOG.com accounts if they had money laundering in mind. No need to use a random user's account. Wouldn't it be situational if they did?
But it certainly would be for the best, if GOG.com beefed up their security. So it might just be the right time to do so.
Post edited June 06, 2019 by Fate-is-one-edge
satoru: I mean the scammer just needs to sell the game on the shady cd key site. It doesn't matter if the game is recalled because the scammer already got their money. If they sell something like Cyberpunk 2077 for like 50% off it'll sell almost immediately, and then they can just run with the money before the victim figures out they've gotten screwed.

While yes, GOG can fix things after the fact, that still generally leaves a bad taste in people's mouths. It's very stressful and you're not really sure what the outcome is. It's better for GOG to prevent such incidents via some security measures such as requiring a CCV, or alternatively, for wallet transactions, asking for the email 2 factor code would be a deterrent as well.
Fate-is-one-edge: Still though, the intended scammers could spam dozens of GOG.com accounts if they had money laundering in mind. No need to use a random user's account. Wouldn't it be situational if they did?
But it certainly would be for the best, if GOG.com beefed up their security. So it might just be the right time to do so.
A scammer with GOG's current security model would be trying to hijack as many accounts as possible to get as many 'hits' as they can. For example, 2FA is not mandatory on GOG. This likely means that you could use a standard username/password table from any number of high profile hijacks and likely get a lot of hits. Of those, you'd then see which ones have viable credit cards or wallet to steal. Because GOG has several security loopholes, scammers would simply employ a shotgun 'hijack as much as you can' approach.

Contrast that with Steam. Note that on Steam the account itself is of no use, it's the inventory that has value. But on Steam, to trade you must have 2FA enabled. This means a shotgun approach to hijacking random accounts is useless. That's why all hijackers now are using a phishing model to hijack Steam accounts with the lure of "FREE KNIVES", which ensures your targets have 2FA and will give your phishing site the necessary token. Steam doesn't enforce 2FA 'in general', but accounts that don't have 2FA aren't really targeted because without 2FA the hijacker can't get at what they want, the inventory.

On GOG, currently the only real way you can make money when scamming is to sell a high value game. Which used to be pre-orders for The Witcher 3. And will be in the future pre-orders for Cyberpunk 2077. Thus you have to look at the threat landscape as "scammers are wanting to steal copies of Cyberpunk 2077 to sell on shady websites, what are viable mitigation tactics".
Is it still a thing? Does it affect people who use two-factor auth?
I'm kinda afraid to log in to my non-forum account :v
What a spooky story, I do hope it will be fixed as soon as possible.
fronzelneekburm: I didn't use it to artificially boost the number of votes for Grimoire on the community wishlist.
LootSeeker: Your restraint is to be commended. This would have been my first order of business. :P
While I'm glad to see you have your priorities right, I'm certain no underhanded trickery is needed! I believe in Cleve, for he has overcome much more adverse conditions - from fighting rioting gangbangers armed with nothing but a jar of baby food to Max Phipps' bathroom. The world's last living neanderthal will crack those 1000 wishlist votes with ease. Surely, this will show GOG the error of their ways and glorious incline will finally come here! (and maybe GOG will fix some rather severe website issues along the way, who knows...)
We’ve completed a thorough analysis and we did not identify any security vulnerability on GOG.COM. According to our logs and the investigation, no such situation has ever happened to date, and we can assure you your accounts are safe.
The situation in question is indeed very strange and we’ll contact fronzelneekburm directly to discuss details, and identify the irregularities that occurred on both accounts.
Given this opportunity let us give you an overall reminder/word of precaution - stay safe people! Have 2-step authentication on your GOG accounts, and use official and updated browsers.
chandra: We’ve completed a thorough analysis and we did not identify any security vulnerability on GOG.COM. According to our logs and the investigation, no such situation has ever happened to date, and we can assure you your accounts are safe.
The situation in question is indeed very strange and we’ll contact fronzelneekburm directly to discuss details, and identify the irregularities that occurred on both accounts.
Given this opportunity let us give you an overall reminder/word of precaution - stay safe people! Have 2-step authentication on your GOG accounts, and use official and updated browsers.
Mealy-mouthed corporate speak if ever I read it. You have PROOF that such a situation has happened and acknowledge it later in the post. So did "no such situation ... ever [happen] to date", or are you going to "contact fronzelneekburm directly to discuss details" of the situation?
How do Chinese people reach GOG? Is there any VPN in place, or are they allowed to use it directly? I wonder if this thing happened because of a VPN.
It sounds like they misconfigured their Varnish HTTP Cache. I remember reading some caching related error messages and seeing a broken user menu on the store pages around the time fronzel had the session switcheroo.
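The cache hypothesis raised in this thread (a shared HTTP cache such as Varnish handing one user's logged-in page to another, as in the Steam 2015 incident linked earlier) is something a site operator can test for on their own responses. The checker below is an added example, not code from the thread or from GOG; the `Exchange` type, the URLs and the header values are constructed, and the rule it applies is the standard one: a response tied to one user (credentials in the request, or a session cookie set in the response) must carry `Cache-Control: private`/`no-store` or be keyed on the credential via `Vary`, otherwise a shared cache may store it and serve it to the next visitor.

```python
from dataclasses import dataclass, field


@dataclass
class Exchange:
    """One request/response pair as a shared cache (e.g. Varnish) would see it."""
    url: str
    request_headers: dict = field(default_factory=dict)
    response_headers: dict = field(default_factory=dict)


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def _tokens(value):
    # "public, max-age=300" -> {"public", "max-age"}; "Cookie, Accept" -> {"cookie", "accept"}
    return {p.strip().split("=")[0].lower() for p in value.split(",") if p.strip()}


def is_personal(ex):
    """The response belongs to one user if credentials went in or a session came out."""
    req, resp = _lower(ex.request_headers), _lower(ex.response_headers)
    return bool({"cookie", "authorization"} & req.keys()) or "set-cookie" in resp


def shared_cache_may_store(ex):
    """True when nothing stops a shared cache from reusing this response for other users."""
    resp = _lower(ex.response_headers)
    if _tokens(resp.get("cache-control", "")) & {"private", "no-store"}:
        return False
    # Vary on the credential keys the cache entry per user, so it is not cross-user.
    return not (_tokens(resp.get("vary", "")) & {"cookie", "authorization", "*"})


def audit(exchanges):
    """URLs whose per-user response could leak to another visitor through a shared cache."""
    return [ex.url for ex in exchanges if is_personal(ex) and shared_cache_may_store(ex)]


# Constructed sample traffic: one misconfigured account page, one correct one,
# one anonymous catalogue page, one page keyed per cookie.
SAMPLE = [
    Exchange("https://example.test/account", {"Cookie": "session=abc"},
             {"Cache-Control": "public, max-age=300", "Content-Type": "text/html"}),
    Exchange("https://example.test/account", {"Cookie": "session=abc"},
             {"Cache-Control": "private, no-store"}),
    Exchange("https://example.test/game/some-title", {},
             {"Cache-Control": "public, max-age=3600"}),
    Exchange("https://example.test/library", {"Cookie": "session=abc"},
             {"Cache-Control": "max-age=60", "Vary": "Cookie"}),
]

if __name__ == "__main__":
    print("leak candidates:", audit(SAMPLE))  # only the first /account exchange
```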
chandra: We’ve completed a thorough analysis and we did not identify any security vulnerability on GOG.COM. According to our logs and the investigation, no such situation has ever happened to date, and we can assure you your accounts are safe.
The situation in question is indeed very strange and we’ll contact fronzelneekburm directly to discuss details, and identify the irregularities that occurred on both accounts.
Given this opportunity let us give you an overall reminder/word of precaution - stay safe people! Have 2-step authentication on your GOG accounts, and use official and updated browsers.
If someone did it/had it happen then how did it never happen? *DOES NOT COMPUTE*

chandra: We’ve completed a thorough analysis and we did not identify any security vulnerability on GOG.COM. According to our logs and the investigation, no such situation has ever happened to date, and we can assure you your accounts are safe.
The situation in question is indeed very strange and we’ll contact fronzelneekburm directly to discuss details, and identify the irregularities that occurred on both accounts.
Given this opportunity let us give you an overall reminder/word of precaution - stay safe people! Have 2-step authentication on your GOG accounts, and use official and updated browsers.
paladin181: Mealy-mouthed corporate speak if ever I read it. You have PROOF that such a situation has happened and acknowledge it later in the post. So did "no such situation ... ever [happen] to date", or are you going to "contact fronzelneekburm directly to discuss details" of the situation?
This... if it never happened, this is basically calling fronzel a liar/wrong, and why would they contact someone it happened to if they claim it never happened? :\
Post edited June 07, 2019 by GameRager