If you've logged onto UN in the past couple of months, might wanna change your PW password, Just a word of Caution.  

Changed.  

Where did he post this?  

Posted by Yami

If you've logged onto UN in the past couple of months, might wanna change your PW password, Just a word of Caution.

What do you think I am, some kind of a pleb that doesn't ID-lock their account? Get on my level nub.  

This is an exploit he found out. It's done via GS2 (from what he told me), and is currently only local to the servers he had access to. The server I know he had access to are Atrius and Unholy Nation. There could be more, but I definitely hope I hear back from a Global soon on this topic. It sure needs to be patched up, as it can cause quite a bit of damage.  

Is he still staff on UN?  

He is no longer staff. He attempted to delete the server, and has been globally banned for life by Unixmad himself.  

Posted by HeadJoker

Where did he post this?

on the forum news, aka /forums on UN  

So...anybody with NPC Server access can access the accounts/passwords of anybody who has logged into that server?...  

If they know the exploit, yes. NaS did not tell me how exactly he did it, all he told me was that it was simple GS2 with some undocumented built-in functions. Hopefully this issue will raise awareness to PWA, and other Global staff. It needs to be fixed.  

oh wow, NaS finally found something himself rather than relying on people like Ruxxter and I to do it and then taking credit for it in the UN announcements after we quit

such as:

- MEDIUM-HIGH?: Hammer: UNSAFE STRING PASS allows a player to just go around setting ANY tiles of ANY level to whatever they want, on the serverside (it'll be saved inside the level file).

- LOW: -System/ActionsServerside UNSAFE STRING PASS:
-- Search: "repentap" = Free AP

- SEVERE: un_blacksmith.nw: MODIFIED NEGATIVE allows a player to create negative steel (and other items), thus creating gralats.

- LOW: Instruments/Flute: UNSAFE STRING PASS allows a player to warp to any level.

- LOW: -udpchecker: UNSAFE STRING PASS allows a player to set any other player's chat.

- SEVERE: Throwing Knife: UNSAFE STRING PASS, in combination with MODIFIED NEGATIVE allows a player to set any player variable, such as gralat, to any desired value.

- SEVERE: Rare Items/Flamethrower: UNSAFE STRING PASS, in combination with MODIFIED NEGATIVE allows a player to set any player variable, such as gralat, to any desired value.

- LOW-MEDIUM: -System/ActionsServerside UNSAFE STRING PASSES:
-- Search: "setchat" = Set other player's chat
-- Search: "dropcarry" = Can apparently spam the ground with putnpc2's of various animations
-- Search: "jailtenex" = Fun time spamming RC chat with anti-Thallen messages

 

Hmm, interesting.  

I think I'm aware of this function set lol. It was used for when Stefan was developing scripts for iServer. Alot of people probably know about it I bet. So actually... everyone's password is at danger of being discovered. But you can trust honest admins right!?  

I know we take compromised accounts very seriously, although we do not have any sort of economy or anything that can be abused... other than reputation and trust, I suppose!  

When I read UN security breach I thought of the United Nations. Was not what I was expecting.