It seems that you're using an outdated browser. Some things may not work as they should (or don't work at all).
We suggest you upgrade newer and better browser like: Chrome, Firefox, Internet Explorer or Opera

×
Community
General discussionWARNING! MASSIVE SECURITY RISK ON GOG!(164 posts)(164 posts)
(164 posts)
Pages:
1
2
3
4
5
6
7
8
9
10
11
This is my favourite topic
Posted June 04, 2019
avatar
StarChan: Remember that time I said that thing. It wasn't really me.
avatar
Dray2k: Sure thing StarChan IF THAT IS REALLY YOUR REAL NAME.
Of course it is. It's in my passport.
Posted June 04, 2019
Hm, so this happens only when one uses an android phone? Hm, now I´m curious, shall I try to go to GoG with my phone?
Nah, I guess I would end up as Tiny E. Hm....
But to be serious: This is really a bit scary.
Posted June 04, 2019
Does two-factor login even help against this?

That this has been going on for years is ridiculous and reason enough to consider closing down the account. If this is the security breach that is painfully visible to us, I don't wanna know what's going on under the hood without our knowledge.
Posted June 04, 2019
avatar
DreamedArtist: It's interesting the problem is still going on and has not been fixed for ages lol.
Well, there's a comforting thought! At least they didn't manage to break it further.

avatar
Maxvorstadt: Hm, so this happens only when one uses an android phone? Hm, now I´m curious, shall I try to go to GoG with my phone?
Nah, I guess I would end up as Tiny E. Hm....
1000+ games + a license to shitpost sounds like a pretty sweet deal TBH.
Posted June 04, 2019
If someone has access to your account, is that mean your saved card details also exposed?
Posted June 04, 2019
avatar
chandra: Thanks for reaching out about this. This situation is currently being investigated.
It might be worth investigating if the affected accounts didn't have two-step login activated. It's worrisome if it was active and somehow didn't trigger.
Post edited June 04, 2019 by Fortuk
Posted June 04, 2019
avatar
RickyAndersen: If someone has access to your account, is that mean your saved card details also exposed?
Never saved my card to my account but I'm not sure if they blob out the numbers or have it pure visible or half like Amazon does.
Posted June 04, 2019
avatar
DadJoke007: Does two-factor login even help against this?
I don't see how. Like I said, I didn't even have to log in, gog just gave me immediate access.

avatar
RickyAndersen: If someone has access to your account, is that mean your saved card details also exposed?
I dunno, since I never saved any payment details here. You can check it out yourself: Check what you can do on your own account once logged in without entering any further details. If you can just add games to our cart, select your credit card and hit pay and it actually works, then ANYONE who gets access to your account via this bug could do that.
Posted June 04, 2019
avatar
fronzelneekburm: I don't see how. Like I said, I didn't even have to log in, gog just gave me immediate access.
I'm assuming the bug is that it misattributes the session of the account somehow and that's how you log in. The two-step check should trigger somewhere along the line of that process and if it doesn't that makes for even bigger security hole.
Posted June 04, 2019
avatar
RickyAndersen: If someone has access to your account, is that mean your saved card details also exposed?
GOG does not save your card details.
see here

When making any purchase with a credit or debit card, you can now select the option to save your card for later use.If your payment is successful, that card will be remembered for later use. You'll be able to select it during your next checkout without retyping the info every time. Simple, straightforward, and probably very familiar.

We're taking advantage of tried and tested industry-standard solutions used across the world today. Among other things, this means your entered payment data isn't actually kept anywhere on GOG.com. Once your bank approves the purchase, your entered card number is replaced with a unique, encrypted token that can be used only by us to process your future payments, and which cannot be reverse engineered to resolve your card number and data. From time to time, we'll also ask you to verify your information based on a number of security factors, like if you haven't used that card in a long time
so, if someone takes over your account they can charge your card to buy games here on GOG on your account, but they can not get the card details to use the card to buy somewhere else.
might still be worth a thought to remove that for the time being.
Post edited June 04, 2019 by immi101
Posted June 04, 2019
low rated
avatar
fronzelneekburm: Feel free to ask me anything.

PS: I'd like some sort of explanation from gog how such an issue is even possible. How am I just in random person's account when all I did was visit gog from my phone's browser? It would also be nice if gog were to get in touch with Xiaozhuzi and let him know about this issue and issue an apology for this mess.
I always look from all angles and err on the side of caution, so I will ask(and please don't take this the wrong way/as an accusation, but....) this: How do we know you didn't make another account long ago and log into it to enact a ruse?

I only ask as it'd seem far more easier to do than being logged into someone else's account.

Though if you are genuine(and I don't see why you wouldn't be) this is a problem.

avatar
DadJoke007: This would explain why the GOG-community is so passionate about giveaways compared to other communities.
Yes, many giveaways are us giving gifts to ourselves to get praise also from ourselves....it;s a vicious loop. :D
Post edited June 04, 2019 by GameRager
Posted June 04, 2019
Hope the 2FA will protect my account.
Posted June 04, 2019
low rated
avatar
RickyAndersen: If someone has access to your account, is that mean your saved card details also exposed?
avatar
fronzelneekburm: I dunno, since I never saved any payment details here. You can check it out yourself: Check what you can do on your own account once logged in without entering any further details. If you can just add games to our cart, select your credit card and hit pay and it actually works, then ANYONE who gets access to your account via this bug could do that.
And this is why I keep an eye on my bank statement every day and tell others to do the same.
Posted June 04, 2019
avatar
tinyE: 你所有的基地都屬於我們
有人給我們炸彈
avatar
RickyAndersen: If someone has access to your account, is that mean your saved card details also exposed?
GOG does'nt store pay info on their end. You're good.
Post edited June 04, 2019 by paladin181
Posted June 04, 2019
low rated
quick, someone write like me
Pages:
1
2
3
4
5
6
7
8
9
10
11
This is my favourite topic
Community
General discussionWARNING! MASSIVE SECURITY RISK ON GOG!(164 posts)(164 posts)
(164 posts)