It's a miracle it doesn't happen earlier btw, non sanitized input = ownage, leaving your Postgre unpatched and most likely opened to the world = pure ownage ... In the end do not get mad at the hacker / scriptkiddie /, especially when we talk about site where payed services are available leaving such blatant security holes is totally unacceptable. Now for the serious part : A simple 'sorry' from GOM is not enough, because people may loose important data if using the same mail/pass combo on other sites. As paying customers we have the right to demand something in return, like Sony did without ppl asking for it, but i doubt if GOM will. I guess at least a free season / HQ + VODs / is in order - for all users, and we must demand for that ! Anyway it would be in their benefit, more viewers and they can stream the HQ with ads version so it won't be a total loss.
The 'sorry' just sounds like sarcasm to me considering the gross negligence of their mistake.
Bye gomtv! I won't continue to trust your mediaplayer either since my firewall/av didn't like it anyway. Maybe this is an unreasonable reaction from my side .. but someone who lacks that much sense for customer security certainly won't become a chance to have a program run on my computer.
Sloppy move GOM. I am reluctant to do business with companies who cannot protect personal data. Clear text passwords? You may as well make your luggage combination '12345'. Thanks for the heads up, R1CH.
I had the same passwords in BNET and GOMTV. Today I cant log in to neither of them, I've just changed my password in both using password reset..
I don't know if my BNET account was compromised... because I didn't receive a mail informing a password change.. but I tried mine and it said it was wrong.
I fixed it using password recover and change to a new one.. but I'm not really sure if they accessed my acount.
I contacted blizzard suport and they answer me in 15 minutes at this hour! Fantastic.
Well, my bnet account wasn't accessed for anybody except me :D. So, it was not compromised.
But I will keep changin all my passwords (BECAUSE I DONT REMEMBER WHAT PASSWORD I WAS USING ON GOM! THE ONE I HAD STORED IN FIREFOX WAS OLD and I kept logged in by cookies... This is really anoying).
Really Gom? Require us to use 8+ character alphanumeric passwords and you don't even hash/salt them? What's the point of a secure password if you're gonna store them in plain text. Require us to use the player and also require us to register just to take our passwords, that's probably the reason for storing them in plaintext in the first place, what the fuck >:O
Damn, I used my secondary password on GOM so its not that of a big deal but still I have to change my backup email account and my China Bnet account password. Thanks for the head up R1CH!!
Trying to log into gomtv.net right now brings up a change password screen, with the caption "Protect Your Valuable Personal Information. Information that hasn’t been modified for a long period of time could be exposed to and abused by others."
Considering they don't mention the exploit at all, this is very disingenuous. I mean, "oh, we didn't make a mistake. It's just that you haven't changed your password in a long time..."
On August 14 2011 14:42 ABCSFirebird wrote: The 'sorry' just sounds like sarcasm to me considering the gross negligence of their mistake.
Bye gomtv! I won't continue to trust your mediaplayer either since my firewall/av didn't like it anyway. Maybe this is an unreasonable reaction from my side .. but someone who lacks that much sense for customer security certainly won't become a chance to have a program run on my computer.
Considering that there media player is a rip-off of ffmpeg, you can pretty assume that as a rule they aren't too competent on the technical side of things.
On August 14 2011 12:27 Rylaji wrote: So technically the only accounts on sites or such that are compromised are those where I use my email and that particular password both at the same time?
Wow I am so glad I used Twitter to sign up for this...one good thing about this whole "unified" log-in thing FB and Twitter are starting to do, I guess. Though I do have to ask...why did the OpenID initiative start losing ground? After I got one I started to see it pop up everywhere. I guess Facebook's log-in started to take over and seem more appealing. Bummer.
On August 14 2011 18:40 TheShadowZero wrote: Wow I am so glad I used Twitter to sign up for this...one good thing about this whole "unified" log-in thing FB and Twitter are starting to do, I guess. Though I do have to ask...why did the OpenID initiative start losing ground? After I got one I started to see it pop up everywhere. I guess Facebook's log-in started to take over and seem more appealing. Bummer.
The problem with this is that if facebook gets compromised, it's insta-access to all other websites. If you have one login per site, if it gets compromised, in theory only this site is compromised - though using one password for everything kind of defeats it again.
EPT
