Posted October 09, 2015
When the last big GOG update happened, you couldn't change your account's email address. There were some weird dumb reasons for this and it was eventually fixed so you could.
However, in (re)implementing account email changes, GOG forgot to implement a further simple function to ensure that the email address being changed on the account actually belonged to the person who was changing it. The result is that, in order to compromise a GOG account and steal it forever, you just have to know its password; you can then log in and change its email address to ensure the original owner of the account can't get it back.
The way to fix this is just to send an email to the ORIGINAL email address asking whether the change was intended, rather than informing the user that someone in the United States of Somewhereistan changed it for you.
Because of this, [url=https://www.reddit.com/r/gog/comments/3o4k9n/account_hacked/]accounts[/url] keep getting stolen.
Two things: First of all, if your password is easy enough for someone to guess then it is actually your fault if your account gets stolen. In some of the above linked cases I am sure the password was something simple and stupid. However, this does not mean that anti-hacking measures shouldn't be in place, because the one day GOG itself gets hacked and a segment of user passwords gets leaked is the day on which GOG start wishing they had paid more attention to security.
Secondly, GOG have responded to most of these instances and the accounts have been recovered. Kudos for that, but it's an unnecessary step, and intervention should be something done in exceptional cases rather than the norm. Following on from that, we all know how slow GOG support is, and when it is an account from which purchases can be made, it's absolutely vital that it's recovered immediately. You are also going to get times when a user decides not to approach support because they either don't know how support works, they have no confidence that support will help, or they simply give up.
What GOG fundamentally has wrong I think is that they assume that an email address change is made in most cases when access to the incumbent email has been lost. This is the exceptional case. This is when I should be contacting support and asking for assistance in changing the email on my account, not after I've been hacked and had it changed for me.
Further considerations to make:
Once GOG is done implementing a verification system (which they're going to move to the top of the to-do list because it's really important), they should work on implementing a two-factor auth system. This can be done in a few ways and in every way it should be optional. TOTP is the preferred form, whereby a mobile app generates a one-time code to be entered at login time (Google/GitHub/Linode/Twitter do this), or it can be sent by SMS to the user. Another option is FIDO U2F, which can be augmented by a physical key (like a YubiKey), but support for this isn't available in Firefox yet.
So can we just get a "Yes we are going to fix email verification really soon" from a blue person? If it's never going to happen can we also just get the "No and this is why" instead so we all know not to have any confidence in GOG in the future?
GOG is trying really hard to be taken seriously as a store. That's not going to happen until they learn the value of security. Let's not have another account stolen, please.
I still love you, GOG.
Post edited October 09, 2015 by TheJoe
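The two fixes the post asks for, as an added example that is not GOG's code and not part of the original post: an email change that is only applied after a token mailed to the ORIGINAL address is confirmed (next to the unsafe immediate change the post describes), plus an RFC 6238 TOTP generator for the optional second factor. The in-memory user table, the outbox list standing in for SMTP, the plaintext password field, the `example.invalid` confirmation URL, and all function names are constructed assumptions for this illustration.

```python
"""Added example (not GOG's code): confirm an e-mail change from the ORIGINAL
address before applying it, shown beside the unsafe variant, plus RFC 6238 TOTP."""
import hashlib
import hmac
import secrets
import struct
import time

# Constructed in-memory "database" and "outbox" so the example runs offline.
# A real system stores a password hash, not the password itself.
USERS = {"alice": {"email": "alice@example.com", "password": "hunter2"}}
OUTBOX = []        # (to_address, message) pairs standing in for sent mail
PENDING = {}       # token -> (username, new_email, expires_at)
TOKEN_TTL = 3600   # seconds a confirmation link stays valid (assumed policy)


def unsafe_change_email(username, password, new_email):
    """The behaviour the post describes: knowing the password is enough to
    lock the real owner out, because the new address is written immediately
    and the old address is only informed afterwards."""
    user = USERS[username]
    if not hmac.compare_digest(user["password"], password):
        return False
    old = user["email"]
    user["email"] = new_email
    OUTBOX.append((old, f"Your e-mail was changed to {new_email}."))  # too late
    return True


def request_email_change(username, password, new_email, now=None):
    """Hardened variant: nothing changes yet. A random, expiring, single-use
    token is mailed to the address currently on the account."""
    user = USERS[username]
    if not hmac.compare_digest(user["password"], password):
        return None
    token = secrets.token_urlsafe(32)
    expires_at = (now if now is not None else time.time()) + TOKEN_TTL
    PENDING[token] = (username, new_email, expires_at)
    OUTBOX.append((user["email"],
                   f"Confirm changing your e-mail to {new_email}: "
                   f"https://example.invalid/confirm?token={token}"))
    return token


def confirm_email_change(token, now=None):
    """Only someone who can read the ORIGINAL mailbox can complete the change.
    The token is removed on first use, whether or not it is still valid."""
    entry = PENDING.pop(token, None)
    if entry is None:
        return False
    username, new_email, expires_at = entry
    if (now if now is not None else time.time()) > expires_at:
        return False
    USERS[username]["email"] = new_email
    return True


def totp(secret, at, step=30, digits=6, digest=hashlib.sha1):
    """RFC 6238 time-based one-time password (the optional second factor the
    post asks for): HOTP (RFC 4226) over the current 30-second time step."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


if __name__ == "__main__":
    # An attacker who knows the password requests a change to their own address;
    # the account is untouched until the real owner clicks the mailed link.
    tok = request_email_change("alice", "hunter2", "attacker@example.net")
    print("still on account:", USERS["alice"]["email"])
    print("confirmation went to:", OUTBOX[-1][0])
    print("attacker confirms without the mailbox:", confirm_email_change("guess"))
    print("current TOTP:", totp(b"12345678901234567890", time.time()))
```

The expiry and single-use checks matter as much as the recipient: a confirmation link that never expires or can be replayed is a second way to hijack the flow. The TOTP values can be checked against the RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives 287082 at six digits).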