Maybe you all need to let Gog handle their business and investigate the problem before jumping to conclusions. As it's Gog's number one priority and responsibility to protect accounts and personal details, and if they fail then Gog fails as a business and will go down the gurgler.
Post edited June 08, 2019 by Tauto
If I'm correct, GOG checked their system whether the exploit is caused by GOG. They found nothing which means either the exploit is caused from outside or GOG didn't find it. It may be possible that the wrong session id or something similar was sent to fronzel because the connection wasn't clean.

This is what chandra's first sentence wants to tell you.

Btw: I maybe have a similar thing. When I'm not logged in, my browser still shows me whether a game is in my library or not. I didn't check if the browser maybe stores a cookie somewhere but it would make sense and would also not be a security risk which belongs to GOG.
Post edited June 08, 2019 by Lesser
Lesser: Btw: I maybe have a similar thing. When I'm not logged in, my browser still shows me whether a game is in my library or not. I didn't check if the browser maybe stores a cookie somewhere but it would make sense and would also not be a security risk which belongs to GOG.
The data is stored locally. It's actually why they had the issues with owned games not showing, as they stopped populating it, so new games didn't get added, and if you cleared it no games showed as owned.
All we have is someone claiming an "account switch/glitch" happened. And instead of reporting it to support, they post in the general forum about it.
Anyone ever heard of a "long con"? Or that people in general just like to lie (a recent study said three? or so dozen a day I believe)? Or that some just like to seed discontent and watch the mayhem unfold? Or that some are just plain ordinary "attention junkies"? Not to forget they could be on someone's payroll to spread discontent, although I'm not sure if gog would qualify as a "prime target" or whatever that may be called.

Personally, I have no way of verifying if that claim is correct or not and I'm not gonna start running around like a headless chicken just because someone claims I should.
Besides there is no 100 % security/safety (and I'm not just talking about the internet). If I would live by that delusional baseline, I would just be setting myself up for a very rude awakening somewhere down the line.
Post edited June 08, 2019 by FlockeSchnee
low rated
A MASSIVE RISK ON GOG:
Attachments:
mrog.jpg (288 Kb)
djoxyk: How do Chinese people reach gog? Is there any VPN in place or are they allowed to use it directly? I wonder if this thing happened because of VPN.
Gog isn't firewall'd, so no VPN needed. A few games are blocked, but it's the same in other communist dictatorships (like Germany or Australia) and those blocks are from gog's side, they're not a government block.

FlockeSchnee: All we have is someone claiming an "account switch/glitch" happened. And instead of reporting it to support, they post in the general forum about it.
Anyone ever heard of a "long con"? Or that people in general just like to lie (a recent study said three? or so dozen a day I believe)? Or that some just like to seed discontent and watch the mayhem unfold? Or that some are just plain ordinary "attention junkies"? Not to forget they could be on someone's payroll to spread discontent, although I'm not sure if gog would qualify as a "prime target" or whatever that may be called.

Personally, I have no way of verifying if that claim is correct or not and I'm not gonna start running around like a headless chicken just because someone claims I should.
I already explained it a couple of pages back, so let's take it extra slow:

You think I'm going to jeopardise my 1500 game account because, lolz, I like to lie? You think I'm that fucking stupid? You think I'm going to stick my head out in such a spectacular fashion? I'm pretty sure if I was lying about this shit, I wouldn't just risk my account, I'd be heading straight into litigable territory, as my claims of safety issues might be considered a defamatory statement - IF they were lies.

And the reason I posted here instead of sending this shit directly to support is because I'm aware that die Mühlen des gog Supports mahlen langsam, so it might take days/weeks/months/years/x amount of time until they figure out what's going on - and they almost certainly would NOT go public about this issue out of their own volition. So the other point of this thread - as if it wasn't perfectly obvious - was to inform fools like YOU about this issue, so when you wake up one day and check your account and go "Huh, that's weird! I can't remember that game being in my library yesterday... Oh, and my wallet funds have mysteriously depleted! How perfectly peculiar! Oh, and my credit card statement says that I owe gog a couple of bucks... WHAT ARE THE ODDS?!?" you know what might be behind those strange events.

FlockeSchnee: Besides there is no 100 % security/safety (and I'm not just talking about the internet). If I would live by that delusional baseline, I would just be setting myself up for a very rude awakening somewhere down the line.
Well, at least there's something I can agree 100% with.

edit:
Oh wow, I hadn't even read that:
chandra: We’ve completed a thorough analysis and we did not identify any security vulnerability on GOG.COM. According to our logs and the investigation, no such situation has ever happened to date, and we can assure you your accounts are safe.
The situation in question is indeed very strange and we’ll contact fronzelneekburm directly to discuss details, and identify the irregularities that occurred on both accounts.
Given this opportunity let us give you an overall reminder/word of precaution - stay safe people! Have 2-step authentication on your GOG accounts, and use official and updated browsers.
This puts FlockeSchnee's comment into a different light... Sorry if I was being rude.

But as for gog:

Wow, just wow. This is ridiculous. Absolutely preposterous.

Should I post the fucking screenshots I made of Xiaozhuzi's library? I knew some dolt was not going to believe me, but I'm pretty horrified that gog are those dolts.

Please get in touch with me ASAP. I have not received a chat message or a mail from support - kinda shows that this isn't high up the priority list. If you people didn't find anything irregular in your logs, it would've been ace if you messaged me about this first before coming in here, bullshitting everyone with some "Move along! Nothing to see here!" spin and basically calling me a liar.

I wasn't too concerned before. Got randomly logged into someone else's account. Lol, whatever, shit happens. But for gog to not only disregard this issue, but coming out and saying that everything is fine - now I'm straight-up HORRIFIED!

Get in touch with me people, I'm REALLY interested in what those logs say!
Post edited June 08, 2019 by fronzelneekburm
The release of Hellfire absolves all sins of GOG's, I believe you Chandra.
low rated
fronzelneekburm: .....
You do realise that it is possible to make multiple accounts on websites?
They wouldn't be able to find irregularities if you just logged into an old/another account of yours.
There are probably ways to tamper with IPs and whatnot for people who know how. (Which I am obviously not one of. I don't even know what exactly VPNs do.)
They probably would have to prove you were spreading lies in order to get you prosecuted for something. I'm not familiar with law, especially not Polish ones. Not to mention they would have to have any lead to your person. Like if you used an email address that links to your person (real name address) instead of a throw-away one or bank account instead of paysafecard or something and that thing about IPs I have no knowledge of.
Besides you wouldn't lose your games, unless you didn't save the installers somewhere, which is kind of the whole advantage/point for buying on gog, remember?
Post edited June 08, 2019 by FlockeSchnee
high rated
Well, for a "long con", Fronzelneekburm sure fooled me...
What a flair for detail having either the foresight to create a Chinese alt account in Sep 2017 to log into, or actually hacking into one to make that post in the OP.

Such a dedication to showmanship. Great job Fronzelneekburm!
high rated
chandra: We’ve completed a thorough analysis and we did not identify any security vulnerability on GOG.COM. According to our logs and the investigation, no such situation has ever happened to date, and we can assure you your accounts are safe.
The situation in question is indeed very strange and we’ll contact fronzelneekburm directly to discuss details, and identify the irregularities that occurred on both accounts.
Given this opportunity let us give you an overall reminder/word of precaution - stay safe people! Have 2-step authentication on your GOG accounts, and use official and updated browsers.
Considering you guys can't even run a sale without breaking the website somehow, I have very little faith in your ability to track down a security issue. Just because you can't figure out what the problem is does not mean it doesn't exist. Sounds like a cover-up to me.

By saying "no such situation has ever happened to date" I think you owe Fronzelneekburm a public apology for insinuating that he's a liar.
fronzelneekburm: .....
FlockeSchnee: You do realise that it is possible to make multiple accounts on websites?
They wouldn't be able to find irregularities if you just logged into an old/another account of yours.
There are probably ways to tamper with IPs and whatnot for people who know how. (Which I am obviously not one of. I don't even know what exactly VPNs do.)
They probably would have to prove you were spreading lies in order to get you prosecuted for something. I'm not familiar with law, especially not Polish ones. Not to mention they would have to have any lead to your person. Like if you used an email address that links to your person (real name address) instead of a throw-away one or bank account instead of paysafecard or something and that thing about IPs I have no knowledge of.
Besides you wouldn't lose your games, unless you didn't save the installers somewhere, which is kind of the whole advantage/point for buying on gog, remember?
Yeah, but WHY would I do that? Except for a sudden surge of attention-junkiedom?

Gog have my real name, my paypal, my email, my IP address, whatever credit card information they store in their receipts. Other than maybe straight-up posting my name, address and phone number on the forum, I don't know how I could have served my head on a silver platter to them any more. Oh yeah, and I put a couple of thousand bucks into this account (which I'd like to keep, even if I HAD downloaded all the offline installers, because it turned out that - whoops! - 1500 games eat up a LOT of space on a hard drive - more than I'm willing to sacrifice at the moment). And I've been in touch with support on numerous occasions about all sorts of different issues during the past few years (one of these was to help gog improve their download speeds in Mainland China - I barely got 100kb/s before, we're up to multiple MB/s now. No need to thank me!)

chandra is probably aware of all this, which is why she kept the "The situation in question is indeed very strange and we’ll contact fronzelneekburm directly to discuss details" backdoor open.
I take chandra's post to mean "we couldn't find any irregularities using our own investigative procedures, will be contacting the OP in private to further see what can be done to look into this for a hidden security issue we couldn't foresee. in the meantime everyone please remain calm"


for my part i believe the OP, something weird happened. it may be an incredibly rare occurrence. they are working on it.
high rated
Let me jump in quickly with a few words of clarification to Chandra's post, as I think she misspoke a bit. We have identified an irregularity between the two accounts from the first post, but taking into account the personal nature of this case we will not be commenting publicly with details. We're in the process of gathering all the data and we will reach out to both parties to investigate further.

On the other hand we haven't identified any security issues in our infrastructure, or any other instances of such issues, so we wanted to let everyone concerned know that your accounts are safe.
Hack my acc ~
mk47at: It sounds like they misconfigured their Varnish HTTP Cache. I remember reading some caching-related error messages and seeing a broken user menu on the store pages around the time fronzel had the session switcheroo.
I haven't heard from gog yet and I'm confident that I won't be hearing from them for the duration of the weekend, so this is as good a place as any to offer my speculation on what happened: Here in China it's perfectly common to use public WiFi. You go into your local Starbucks, they give you a WiFi password along with your order. Pretty much any public place will have a public WiFi. This other dude might have used the same WiFi as I did (probably from a similar handheld device), along comes Fronzel and *boom* I'm in this dude's account. For completion's sake and to avoid confusing the overburdened gog tech staff: post #2 in this thread was made from a different device than post #1. Post #1 was sent from my phone, post #2 was sent from my laptop (after this event, you might understand that I'm hesitant to log into my gog account from my phone via a public WiFi network).

Thing is, even if I DID use the same public WiFi as this other dude, even if my phone IS the same model as the other guy's... this should NOT be happening.

chandra: no such situation has ever happened to date, and we can assure you your accounts are safe
Have you been in touch with Xiaozhuzi? Have you assured him with a straight face that no such situation has ever happened to date, and have you assured him that his account is safe? Some dude might have rummaged through it a bit, but no bones broken, baby.


edit:
Venom: Let me jump in quickly with a few words of clarification to Chandra's post, as I think she misspoke a bit. We have identified an irregularity between the two accounts from the first post, but taking into account the personal nature of this case we will not be commenting publicly with details. We're in the process of gathering all the data and we will reach out to both parties to investigate further.

On the other hand we haven't identified any security issues in our infrastructure, or any other instances of such issues, so we wanted to let everyone concerned know that your accounts are safe.
Aaaaaand I was proven wrong about not hearing from gog until Monday as I was typing my long-winded rant (which apparently took me over half an hour to type - scary!)...

Venom: We have identified an irregularity between the two accounts from the first post
Praise Jesus! Thanks for taking the time to confirm to people that I wasn't bullshitting them. Looking forward to hearing from you guys in private! Hopefully, we'll get to the bottom of this!
Post edited June 08, 2019 by fronzelneekburm