Forged Alliance Forever Forums feed (/feed.php?f=12), 2020-10-17

Announcements • Re: Goodbye phpBB (/viewtopic.php?t=19698&p=186416#p186416)

Statistics: Posted by Mucko — 17 Oct 2020, 01:35

Announcements • mod skin (/viewtopic.php?t=19698&p=186373#p186373)

mod skin

Statistics: Posted by Mueeidkhatri — 26 Aug 2020, 22:43

Announcements • Re: An Updated List of Casters (/viewtopic.php?t=12171&p=186345#p186345)

Statistics: Posted by nikkinemo95 — 19 Aug 2020, 10:23

Announcements • Re: Goodbye phpBB (/viewtopic.php?t=19698&p=186302#p186302)

I already put the main page as reference. ... /index.php

Statistics: Posted by vongratz — 12 Aug 2020, 01:36

Announcements • Goodbye phpBB (/viewtopic.php?t=19698&p=186300#p186300)

here). Back then phpBB was one of the best bulletin boards you could get for free. Now, 9 years later, the world is a different one, but somehow our forum is still frozen in time. After a lot of issues with spam, security vulnerabilities and most recently severe outages for no obvious reason, the time has come to let go of it.

A few generations of bulletin boards have passed already and we are moving to NodeBB now (link here).

Goodbye grandfather of FAF. We'll miss you.
And as the administrator I'd like to add: Please burn in hell, where you came from, you shitty piece of software.

We will probably archive this forum, but we don't know how yet. If you have any ideas and also skills and time to help on that please contact me.

Statistics: Posted by Brutus5000 — 11 Aug 2020, 23:27

Announcements • Re: An Updated List of Casters (/viewtopic.php?t=12171&p=184576#p184576)

... subscriber

Statistics: Posted by Robustness — 01 Jun 2020, 02:24

Announcements • Re: An Updated List of Casters (/viewtopic.php?t=12171&p=184447#p184447)

Statistics: Posted by sunnywilson09 — 26 May 2020, 20:46

Announcements • Re: Temporary disruption on services (/viewtopic.php?t=18913&p=183220#p183220)

Insights on the incident

For a few years now FAF has been running an open API, offering player and game data for free use to build cool features for which the core FAF developers don’t have time. As part of that it has always been possible to query the list of players and filter on them.

Example: the API call ... tus5000%22 returns my user.

If you look closely you will see that there are only very basic fields to see (in the “attributes” block): create date (of the account), update date (which is the equivalent to “last seen”) and the username.

In the database this is querying data from this table here, and as you can see there is other very sensitive information like your email or your password hash.

These fields were also available in the API, but only after login and only for a limited set of people. Basically moderators are allowed to see all the sensitive fields (for support cases with lost email, steam id etc. and for detecting fake accounts, duplicate accounts etc.) and every player was able to see their own fields. A whole bunch of tests in our application ensured the correct hiding of these fields from unauthorized people.

And so we thought we were safe. Until silenceluke launched his new service. For some users fafscore asks for their username. Other users were magically detected. So people asked us how that was possible. When we investigated the website, we noticed that fafscore was calling the player list as above, but instead of filtering on the user name it first tried to filter on the user's IP address and checked for a match with the last login IP address.

But the IP address was supposed to be hidden away from non-authorized access. Alarm bells started ringing. As it turns out, it was possible to filter on every field even if it was hidden from viewing. Even with wildcards!! And that is a huge vector of attacks:

Now imagine you want to know my last IP address. You could just use a filter query that you know returns a result and then start appending wildcard queries. If there is a match, your partial guess is correct; if there is no match, your guess is wrong.
So you could take any player query and append &ipAddress==”1*”. If it gives a match, you check for the next character: &ipAddress==”11*”. If there is no match you test the next allowed value for the character: &ipAddress==”12*”, &ipAddress==”13*”, &ipAddress==”14*”.

You do this until you have found the whole value. Using this attack it was possible to resolve an IP address with a maximum of 120 HTTP calls, or an email with roughly 1000 calls.

Once we were able to confirm the criticality of the issue, we contacted the authors of the library responsible for this (some very nice people at Yahoo), who after some explanation gave us a workaround and fixed the issue within the next week.

Statistics: Posted by Brutus5000 — 09 Apr 2020, 22:52

Announcements • Re: Temporary disruption on services (/viewtopic.php?t=18913&p=182928#p182928)
Going to unpin/lock this topic.

Statistics: Posted by PhilipJFry — 29 Mar 2020, 15:25

Announcements • Re: Temporary disruption on services (/viewtopic.php?t=18913&p=182701#p182701)

Statistics: Posted by RedX — 20 Mar 2020, 18:26

Announcements • Temporary disruption on services (/viewtopic.php?t=18913&p=182691#p182691)

Tonight we found a security vulnerability in our API. After some evaluation today we decided that we immediately need to hotfix this issue regardless of the impact it will have on our other services.

As a result of that a lot of errors will occur and things around FAF will break, especially in the area of statistics. The website is the most prominent example right now :(

We are in contact with the developers of the library where the problem occurs and are searching for a solution. However, the current situation might last for a week or longer.

We apologize for the inconvenience, but the protection of your personal data has the highest priority.

Statistics: Posted by Brutus5000 — 20 Mar 2020, 15:35

Announcements • Re: An Updated List of Casters (/viewtopic.php?t=12171&p=181324#p181324)

Statistics: Posted by BLITZ_Molloy — 17 Jan 2020, 01:31

Announcements • Councillor Voting (/viewtopic.php?t=17526&p=174467#p174467)

The Player Councillor vote and the Map/Mod Councillor vote are live!

Voting link:

The voting page has links to show you the applications the Candidates made!

Player Councillor thread /viewtopic.php?f=2&t=17393

Map/Mod Councillor thread /viewtopic.php?f=2&t=17394

Vote ends June 8th, 23:00 UTC

Statistics: Posted by Gorton — 09 May 2019, 01:52

Announcements • Re: An Updated List of Casters (/viewtopic.php?t=12171&p=172851#p172851)
Farms- ,
Paraplegic Sloth- ... DB61ZM3mnw

Would like to see the list of people who cast to Twitch also.

Statistics: Posted by F-odin — 20 Mar 2019, 19:20

Announcements • Re: An Updated List of Casters (/viewtopic.php?t=12171&p=172118#p172118)

Statistics: Posted by Farmsletje — 22 Feb 2019, 04:40