Welcome to Gaia! :: View User's Journal | Gaia Journals

Notes From Gaia
Random thoughts from inside Gaia
Development Update 5/4
Notes On Security
There has been a lot of confusion over security issues, and we had some excitement in Towns, so I wanted to talk about it a bit. The simple message: if you do these three simple things, the odds are 99.9% that you will never get hacked.
- have a secure password
- use a different password for each web site you use
- always check the address bar before you log in

There are a number of possible security attacks that you'll read about (XSS, SQL injection), but for the most part we're pretty safe from those; we're immune to SQL injection and fairly well guarded against XSS at this point. Some companies have had XSS flaws for years that they haven't fixed, but we take it pretty seriously here: even theoretical XSS holes are fixed immediately.

But that does leave us with the really big issue, the key issue facing Gaia users, and that is the phish. It takes a variety of forms -- e-mails from a "Gaia Oficial Administrator" to fake eggs in the forums. Basically, the phisher tries to trick you into clicking on a link, and the link takes you to a page that looks exactly like Gaia except, oh, you automatically got logged out, so just re-enter your password!

That's when you find your account wiped out a week or so later, and you fill out a hacking report, and some poor mod has to pore through transaction logs and try to figure out where your stuff went, and it takes hours and hours of effort. So, really, check the address bar in your browser before you log in, please.
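As an added illustration of the "check the address bar" rule (example code written for this page, not Gaia's own), the following Python compares the host a browser will actually connect to against the domain you expect, matching on the label boundary so that the expected name appearing somewhere inside a longer host does not count. The expected domain and the sample links are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed value, not taken from Gaia's code: the registrable domain a user
# expects to see in the address bar before typing a password.
EXPECTED_DOMAIN = "gaiaonline.com"


def address_bar_host(url: str) -> str:
    """Return the host a browser would actually connect to for `url`.

    urlsplit discards the user-info part ("gaiaonline.com@other.example"),
    the port and the path, so only the real host remains. The host is
    lower-cased and a trailing dot (fully qualified form) is stripped.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def is_expected_login_host(url: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only if the host is `expected` itself or a sub-domain of it.

    The comparison is on the label boundary: "www.gaiaonline.com" passes,
    "gaiaonline.com.example" and "notgaiaonline.com" do not.
    """
    host = address_bar_host(url)
    return host == expected or host.endswith("." + expected)


def triage(urls):
    """Map each candidate login link to 'ok' or 'check the address bar'."""
    return {u: ("ok" if is_expected_login_host(u) else "check the address bar") for u in urls}


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing e-mail or forum post might carry.
    SAMPLES = [
        "http://www.gaiaonline.com/auth/login/",
        "http://gaiaonline.com/",
        "http://gaiaonline.com.towns-login.example/login",  # expected name used as a sub-domain of another host
        "http://www.gaiaonline.com@login.example/",         # user-info trick: the real host is login.example
        "http://notgaiaonline.com/",                        # lookalike with no label boundary
        "http://192.0.2.10/gaiaonline.com/login",           # path mimics the brand, host is a bare address
    ]
    for url, verdict in triage(SAMPLES).items():
        print(f"{verdict:22s} {url}")
```

The same check is what a password manager does when it refuses to fill a saved login on an unfamiliar host, which is one reason the "different password per site" rule and the "check the address bar" rule reinforce each other.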

The controversy in Towns was exactly this same thing: users were redirected to a fake Towns authentication page, didn't see that the address bar had changed, and ended up giving their name and password to someone else. We ended up putting a temp ban on everyone that had gotten phished, and are going through the logs right now; I've spent probably 10 hours on this already, and I know that some of the mods are going to spend a lot more. It should be resolved pretty quickly, though; hopefully you aren't using the same password for your e-mail as for Gaia.

Which is 10 hours that I could spend working on features, or cleaning whiteboards, or improving our synergetic business vision to accelerate customer satisfaction, or whatever, so, I beg you: check the address bar in your browser when you log in.

Also as protection, we are going to make available soon an optional account feature that will ask you to re-verify yourself if you're coming from a drastically different location; this will make it much harder for someone to get into your account without you knowing about it, as long as you keep your e-mail secure.
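The location-based re-verification described above, as an added example that is not Gaia's implementation: a login is challenged when it is farther than a threshold from every recent login of that account, and only for accounts that opted in. The threshold, the coordinates, the sample addresses and the login history are constructed values.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    """One login event: the address it came from and where that address geolocated to.
    The addresses are constructed samples from the documentation ranges."""
    user: str
    ip: str
    lat: float
    lon: float


# Assumed policy values, not Gaia's: a login farther than this from every
# recent login counts as a "drastically different location".
DISTANCE_THRESHOLD_KM = 500.0
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def needs_reverification(new_login, history, opted_in, threshold_km=DISTANCE_THRESHOLD_KM):
    """Decide whether this login must first be confirmed through the account's e-mail.

    opted_in=False keeps the ordinary flow (the feature is opt-in). A user with no
    history yet is let through. Otherwise the login is challenged only when it is
    farther than threshold_km from *every* recent login, so someone who regularly
    logs in from home and from work is not challenged for either place.
    """
    if not opted_in or not history:
        return False
    nearest_km = min(haversine_km(new_login.lat, new_login.lon, h.lat, h.lon) for h in history)
    return nearest_km > threshold_km


# Constructed history for one account: logins from the Bay Area and Los Angeles.
HISTORY = [
    Login("someuser", "192.0.2.10", 37.39, -122.08),    # Mountain View, CA
    Login("someuser", "192.0.2.11", 37.39, -122.08),
    Login("someuser", "198.51.100.7", 34.05, -118.24),  # Los Angeles, CA
]
SAN_JOSE = Login("someuser", "192.0.2.12", 37.34, -121.89)  # a few km from the usual spot
DALLAS = Login("someuser", "203.0.113.5", 32.78, -96.80)    # the "California to Texas" case

if __name__ == "__main__":
    for attempt in (SAN_JOSE, DALLAS):
        challenged = needs_reverification(attempt, HISTORY, opted_in=True)
        print(f"{attempt.ip:14s} -> {'send e-mail verification' if challenged else 'normal login'}")
```

The challenge is only as strong as the mailbox it goes to, which is why the entry ties the feature to keeping your e-mail secure: an attacker who already holds the e-mail account can answer the verification as well as the owner can.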

Can Someone Steal My Password From Gaia / Towns
No. I have a journal entry about it in the archives (which I unfortunately cannot find at the moment, curse our search; thanks, DN), but basically: we don't store your password, so it's impossible for us to divulge it. You entering your password into a screen that looks a lot like Gaia? That divulges it.
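What "we don't store your password" means in practice, as an added example (not Gaia's code): only a salted, iterated hash is kept, so the stored record can confirm a password but cannot reproduce it. The PBKDF2 parameters and the sample password are assumptions.

```python
import hashlib
import hmac
import os

# Assumed parameters, not Gaia's: PBKDF2-HMAC-SHA256 with a random 16-byte salt
# per user. Raise the iteration count as far as your login latency budget allows.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """What gets stored for an account: algorithm, cost, salt and hash. Not the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"alg": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Re-derive the hash from the candidate password and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    record = make_record("Towns-Login-2009!")     # constructed sample password
    print(record)                                  # no field contains the password
    print(verify("Towns-Login-2009!", record))     # True
    print(verify("towns-login-2009!", record))     # False
    # The site can check a password but cannot hand it out. A look-alike page that
    # captures what the user types, before it ever reaches code like this, is the
    # only place the plaintext exists outside the user's head.
```

Two accounts with the same password get different records because each has its own salt, so a leaked table does not even reveal which users share a password.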

Bugs Fixed
- MP watchlist only shows items from page 1
- adding a trash feature
- on Firefox, can't change quantity in the old fishing hole
- GIM making Daily Chance slow
- Performance enhancement for Aquarium
- Aquarium category in phing phang
- When you click on the shop Prize & Joy from the marketplace, the "buy with tickets" button is missing
- Marketplace Wishlist module links don't query the correct item ids
- Prize & Joy no longer displays how many tickets you have
- IE layering bug
- when an NPC has a quest, no dialogue appears
- Bid fields should be disabled upon selling an item
- Fix placement of numerals in the counter

User Comments: [30]
Domain Name
Community Member
Commented on: Fri May 08, 2009 @ 08:02pm
The journal entry where you talk about Gaia's password encoding is here.

I am a little concerned that you say that you are "immune to SQL injection." All it takes is a careless line in a PHP file or misuse of a PreparedStatement object - and it's very easy to overlook! In general it's something that developers should always be looking for, just in case.

"Performance enhancement for Aquarium" - praise Eris. Signature tanks are horribly draining on computer resources. Any progress here is deeply appreciated.

Note: Something's odd with the url tag in comments. It seems to be converting &'s into &'s, which breaks some links. Replacing the & with %26 works, but that's just unpleasant. whee


Commented on: Fri May 08, 2009 @ 08:17pm
@DN: all database access is done by one class, all queries are built from columns and not by string concatenation, and all quoting is isolated into one class. I'm not saying it's 100% impossible, but am pretty sure that it's 99.99% impossible.
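An added example, not Gaia's code, of the two ways to run the query DN and Panagrammic are discussing: one line that splices the input into the SQL text, and a small builder that takes table and column names only from a whitelist and sends every value as a bound parameter. The table, its rows and the sample input are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                   [("dn", "dn@example.test"), ("pan", "pan@example.test"),
                    ("mezo", "mezo@example.test")])
    return db


def lookup_concat(db, name: str) -> list:
    """The careless line: the input becomes part of the SQL text, so a quote in it
    changes the query's structure instead of being compared as data."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


# Identifiers cannot be bound as parameters, so they may come only from a whitelist.
ALLOWED_COLUMNS = {"users": {"id", "name", "email"}}


def build_select(table: str, columns, where: dict):
    """Tiny query builder: table and column names must be whitelisted; every value
    is handed to the driver as a bound parameter and never spliced into the SQL."""
    if table not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown table: {table!r}")
    unknown = (set(columns) | set(where)) - ALLOWED_COLUMNS[table]
    if unknown:
        raise ValueError(f"unknown column(s): {sorted(unknown)}")
    cols = ", ".join(sorted(columns))
    keys = sorted(where)
    sql = f"SELECT {cols} FROM {table}"
    if keys:
        sql += " WHERE " + " AND ".join(f"{k} = ?" for k in keys)
    return sql, [where[k] for k in keys]


def lookup_safe(db, name: str) -> list:
    """Same lookup through the builder: the input is data, whatever it contains."""
    sql, params = build_select("users", ["id"], {"name": name})
    return [row[0] for row in db.execute(sql, params)]


def identifier_accepted(column: str) -> bool:
    """True if the builder would let this column name into the SQL text."""
    try:
        build_select("users", [column], {})
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    tricky = "x' OR 'a'='a"   # constructed input: a quote followed by an always-true clause
    print(lookup_concat(db, "dn"), lookup_concat(db, tricky))  # [1] then every id
    print(lookup_safe(db, "dn"), lookup_safe(db, tricky))      # [1] then []
    print(identifier_accepted("email"), identifier_accepted("email; DROP TABLE users"))
```

The builder is the structural version of "all quoting is isolated into one class": there is exactly one place where SQL text is assembled, it never contains user data, and a reviewer auditing for DN's careless line only has to read that one function.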



Panagrammic
Community Member
Chocobo Princess
Global Moderator
Commented on: Fri May 08, 2009 @ 08:24pm
As always, thanks for the great work, devs. And thanks for posting at length about phishing; the Q&A is all too often full of newer Gaians who aren't sure if the PM asking for their password is legitimate.

I upgraded to Firefox 3 (finally!) because I had heard that the "blurry avatar" syndrome caused by the autozoom of its image rendering engine (Cairo) had been fixed. It doesn't seem blurry in the Dress Up screen, but the preview screen in shops still is. Can that be fixed? The thumbnail in shops that comes up when I click on an item is blurry, too. I'd love to see everything crispy, as before.

Thanks for fixing that Location glitch in the forums, too; a quick fix that was much appreciated. Keep up the great work~!


Commented on: Fri May 08, 2009 @ 08:34pm
I was wondering if you knew that in rallies there are red boxes around some users. Is that going to be fixed? Thank you for the hard work.



MrsrachaelSnape
Community Member
Kunai Jones
Community Member
Commented on: Fri May 08, 2009 @ 08:45pm
Couple of quick questions:

- I can get to the marketplace listing from my Wishlist if I ctrl+click the link, but if I just click it in the regular way the screen grays out like with Daily Chance, the little java script window opens up, and it says undefined. Attempting to click through the undefined link from there leads to an error page in the vend. It may be that you've already fixed this and I'm just waiting for the live site to catch up, though. Oh, and every time I try to change the status of the Elegant Lord's Black Wig (from the new update) in my Wishlist it deletes itself. Do you think you could make the default Add-to-Wishlist status from the Shops into Wanted instead of Questing? It disappears every time I try to change it from Questing to Wanted. I don't think most people embark on Quests for shop items, unless they're questing for all of them. Poor souls.

- Are there plans to add multi-pose previews to the shops? Some items like the Six Pack and Tents are unpreviewable in the shops because our avatars can't hold them in the default hands-at-side positions. There are many items like this. It's a real pain to be interested in a new item from an update but have to wait for somebody to list it in the Vend to see what it looks like.

- Will the Avatar Arena entry fee be upped to 5k or something higher or will it stay the same?

Thanks as always for the glitch fixes and the info update. I'm really glad that you've been closing the loopholes in the flash environments. My password was somehow lifted by a scriptor when I logged in via Rally last year, and I got hacked as a result. So there were instances in which an account could be compromised without leaving Gaia or giving away private info. I'm glad to see that those gaps have been sealed up. And thanks as always for the reminders on account security. Too many people take it too lightly.


Commented on: Fri May 08, 2009 @ 09:23pm
As always thanks for the updates! heart



ErinsChaos
Community Member
snufflypoo
Community Member
Commented on: Fri May 08, 2009 @ 09:55pm
i'm so jazzed about the trash feature that i think i may need to build a shrine in your honor. thank you! 3nodding


Commented on: Fri May 08, 2009 @ 10:02pm
Thanks for the info about phishing, I'll pass it on to people 3nodding



Necromacide
Community Member
iChris v2
Community Member
Commented on: Fri May 08, 2009 @ 10:19pm
Thanks for the information! And it's very nice to know you guys put so much time and effort into solving problems like these.

To think there are thousands of people here and seeing as to how one account takes that long, I personally appreciate all that hard work a lot 3nodding


Commented on: Fri May 08, 2009 @ 10:24pm
Oh good, you got the not showing the tickets bug in P&J. I had actually forgotten to inform someone about it, so I'm glad to see that it was fixed.



Shrimp_Man
Community Member
Calico Tiger
Community Member
Commented on: Fri May 08, 2009 @ 10:26pm
Thank you for the information smile Unfortunately, the people who should be reading this likely aren't gonk It's easier to blame Gaia instead of paying attention xd And thank you for all the bug fixes and updates! heart That trash feature should come in handy. Soooooo handy...


Commented on: Fri May 08, 2009 @ 10:31pm
Thanks so much for the new Trash Buttons!
I'm so glad that we have that option now.

I appreciate all the hard work that you do for us.

My question is: Why does Gaiaonline have an http address rather than an https address?



GrannyD
Community Member
Sailor_Celestial
Community Member
Commented on: Fri May 08, 2009 @ 10:34pm
Thank you for keeping us updated on everything. *hug*

I'm sorry you've had to spend 10 hours on something that could have been easily avoided.

I must admit to being curious about this trash feature and can't wait to hear more about it. Hopefully there will not be an explosion in the Site Feedback forum about how it could be exploited by hackers. *shrug*

Great job and I am an extremely happy Gaia who appreciates your hard work, and the hard work of everyone else on the Gaian team. *hugs for all*


Commented on: Fri May 08, 2009 @ 10:51pm
I just tried out the trash feature and I absolutely love it! Finally able to clear space out xp

Thank you thank you thank you thank you heart heart heart

*notices the captcha* HEY! No making digs at me D: (326 sagging) I'm not that old ninja



Calico Tiger
Community Member
Elegana
Community Member
Commented on: Sat May 09, 2009 @ 12:26am
I really appreciate this, Pan. The users who had their accounts compromised are waiting for ANY updates on this issue, and I'm sure they'll be happy to know the true reason for this. Not sure if they will say they never re-logged into Towns by the fake redirection, but I'm sure those who were have been detected by you guys and that's why they were compromised.

Wish I could learn more.


Commented on: Sat May 09, 2009 @ 01:03am
Thank you soooo much for getting the tickets pit in P&J sorted... it was driving me bananas!

And thank you for the rest of the loffly updates. ^^



Morteana
Community Member
Absol - Ruler of Chaos
Community Member
Commented on: Sat May 09, 2009 @ 01:05am
"Also as protection, we are going to make available soon an optional account feature that will ask you to re-verify yourself if you're coming from a drastically different location; this will make it much harder for someone to get into your account without you knowing about it, as long as you keep your e-mail secure."
How is it possible to tell if a user was on another site? (Allow us to disable this feature; don't forget about tabbed browsing.) If auto-complete fails, it is fake wink
Also, the hacker/scammer may use a popup.


Commented on: Sat May 09, 2009 @ 01:10am
Yes finally! You got the Watchlist bug finally fixed. That's so awesome that you mentioned it twice. Thank you. heart

All this hacking stuff reminds me of the two hacked announcements we were presented with. Is Gaia going to be hush hush about it or admit publicly that they also get distracted with the password issues at time, and that would only reinforce the need to be careful?



Divinegon
Community Member
Sensation Ari
Community Member
Commented on: Sat May 09, 2009 @ 01:58am
thank you guys soo much for the trash item option!!! it's very very useful! <3


Commented on: Sat May 09, 2009 @ 02:04am
@Absol - Ruler of Chaos: It's based on geography -- so if you are in California and we suddenly see a login from Texas, we're going to ask to validate yourself more than usual. Also, it's opt in, not opt out, so is available for people that want to make their account more secure.

@Divinegon: unfortunately Gaia staff get phished too sad . The security measures I mentioned above might be mandatory for Gaia staff -- we're taking a look at it.



Panagrammic
Community Member
Cosmic Remnant
Community Member
Commented on: Sat May 09, 2009 @ 02:26am
We need a 'floor' category for the Faktori. The rugs and vases don't show up under furniture.

And... I already knew about phishing. I still read the whole post anyways. xd


Commented on: Sat May 09, 2009 @ 02:29am
I appreciate the update and hard work that goes into security. I've already suggested some small ideas that could help with security, or at least peace of mind, such as an "export item list" of all items on your account and their location as well as the ability to "lock"/password protect items (similar to binding) so that you don't accidentally sell, trade, or trash them.
How possible do those suggestions sound in the near future? (say end of summer)


Self-Proclaimed Master of Guilds

Galv's 1st Quest! Warmth of Apollo x5
Golden Laurels
Cottontail Silk Rose

Three quests down, two to go!

Need a CS Supplier PLEASE!

Current Quest: Mercury's Moon!
Help me get it? Please send a trade!

Galvatron
Community Member
Mezo
Community Member
Commented on: Sat May 09, 2009 @ 03:43am
Thanks so much for this new entry, Pan! I was just ranting to my boyfriend because of some people whining about getting hacked in Towns. I remembered your previous entry about the matter and was actually just about to look for it so I could show it to my boyfriend (because I wasn't explaining it right and we were both just confusing ourselves).
Thanks for linking to it and going over it again! <3333



Commented on: Sat May 09, 2009 @ 04:11am
ILU. heart



pirhan
Community Member
Darien S.
Global Moderator
Commented on: Sat May 09, 2009 @ 07:28am
Oh wow, the new security feature you're advertising is awesome! Here's hoping it hits the Site soon ^____^


Commented on: Sat May 09, 2009 @ 01:26pm
It's times like these that I really wish I was a mod.
I hate that they have so much work to do right now so users can get their accounts back.
I wish I could help.



sickSYRINGE
Community Member
Metalic_Noodles
Community Member
Commented on: Sat May 09, 2009 @ 06:29pm
I appreciate the MP fix a lot! But why fix it twice? xp


Commented on: Thu May 14, 2009 @ 09:27pm
*just throwing out a random thought*

The redirect.php script ought to download the page and scan over it using some regular expressions or something similar. That way it can detect tell-tale signs in the HTML if the page is in fact a phishing page or not.

Since these fake login pages are meant to look exactly like Gaia, then that's easy: just search for a particular sub-string and if it exists, then there's a good chance that it is part of a phishing page.

Also: Gaia should make the redirect warning MANDATORY for all users, or, all users who have not been a member for more than 6 months, 1 year, or some other satisfactory period of time.
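One way to implement the page scan DogCow suggests, as an added example that is not part of the site or of the comment above: rather than a regular expression over the raw HTML, it parses the fetched page for forms carrying a password field and checks where those forms submit and where the page itself was served from, using the brand string only as a supporting signal. The expected domain, the branding strings and the three sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed values, not Gaia's: the domain a genuine login form lives on, and a
# couple of constructed strings a copied login page would almost certainly carry.
EXPECTED_DOMAIN = "gaiaonline.com"
BRAND_MARKERS = ("gaia online", "gaiaonline")


class PasswordFormScanner(HTMLParser):
    """Records every <form> on a page and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": attrs.get("action", ""), "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None and attrs.get("type", "").lower() == "password":
            self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def on_expected_domain(host: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """Label-boundary suffix match: 'www.gaiaonline.com' yes, 'gaiaonline.com.example' no."""
    return host == expected or host.endswith("." + expected)


def assess_page(page_url: str, html: str):
    """Return ('phishing-suspect', reasons) or ('no-finding', []) for a fetched page."""
    scanner = PasswordFormScanner()
    scanner.feed(html)
    page_host = host_of(page_url)
    reasons = []
    password_forms = [f for f in scanner.forms if f["has_password"]]
    if password_forms and not on_expected_domain(page_host):
        reasons.append(f"password field on a page served from {page_host}")
    for form in password_forms:
        target = host_of(urljoin(page_url, form["action"]))
        if not on_expected_domain(target):
            reasons.append(f"password form submits to {target}")
    if reasons and any(marker in html.lower() for marker in BRAND_MARKERS):
        reasons.append("page imitates the site's branding")
    return ("phishing-suspect", reasons) if reasons else ("no-finding", [])


# Constructed sample pages (not captured from any real site).
REAL_URL = "http://www.gaiaonline.com/auth/login/"
REAL_PAGE = """<html><body><h1>Gaia Online</h1>
<form action="/auth/login/" method="post">
<input name="username"><input type="password" name="password"><input type="submit"></form>
</body></html>"""

FAKE_URL = "http://towns-login.example/gaia/login.html"
FAKE_PAGE = """<html><body><h1>Gaia Online</h1><p>You were logged out, please sign in again.</p>
<form action="collect.php" method="post">
<input name="username"><input type="password" name="password"><input type="submit"></form>
</body></html>"""

PLAIN_PAGE = "<html><body><p>Gaia Online news, no forms here.</p></body></html>"

if __name__ == "__main__":
    for url, page in ((REAL_URL, REAL_PAGE), (FAKE_URL, FAKE_PAGE), (FAKE_URL, PLAIN_PAGE)):
        verdict, reasons = assess_page(url, page)
        print(verdict, url, reasons)
```

Looking at the form target instead of only a brand sub-string keeps the false positives down: a fan page that merely mentions the site name has no password form and is not flagged, while a copied login page is flagged even if its author strips every visible brand string.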



DogCow
Community Member
dreamsk
Community Member
Commented on: Sun May 17, 2009 @ 09:08am
*Thumbs up for the invo arranger, trashable items, ext ext ext* heart


Commented on: Tue May 19, 2009 @ 10:37am
Thanks for the work you do!

I saw some things of interest a few posts back, but thought it'd be better to comment here.

Guilds: If you seriously can allow us to send a newsletter that would be AWESOME!!!!! Random idea, maybe you should limit it to only once a week to prevent over spamming? Anything needing saying more than once a week goes in the forums of the guild chat. But I send a monthly newsletter to a clan of 350 and it's a huuuuge hassle to keep the friends list updated and to do the sending. If I could send em easier I would probably start sending reminders out when we have a clan party or a contest ending.

I may have commented before, but can we get any features that we can spend guild gold on? ANYTHING. Make us pay to send the newsletters! XD let us buy a calendar or a guild house. Let us change color scheme. It'd be a gold sink!

Inventory: the arranger is SLOW. I signed a petition today for an auto sort button. I'd love to be able to sell back multiple items to the shops at the same time. And I'd like to be able to trash from the arranger too (preferably several at a time!).

GIM: It's broken, seriously. Is work going into fixing it? I really can't use it when not in zOMG because it spams me with too many windows and even then those windows usually show the same message multiple times and then crash and stop working. All that IF it even loads. And when it does work right I see it blinking that I have 8 messages, so I click on the blinking to see what's going on and GIM opens, but only my very last message ever shows, if that much.



elffromspace
Community Member