Author Topic: the bloxcity predicament - gamefandan's & darkhawk accounts compromised??  (Read 64400 times)

are you even reading this thread
uhh, not really? is that list inaccurate

bloxcity is so awesome
hello mr. thinksimserious

I don't think it can be phishing like Badspot says. Why would it exclusively affect old users? Why would inactive users even be inputting their acc info to begin with?

My best guess currently - and bear in mind that I am by no means a security professional - is that the attack was to assume that people used the "Stay Logged In" checkbox, and then to generate the session ID hash based on that.  Assuming someone logs in within a day of creating their account, and never gets logged out, then an attacker could get their session ID by enumerating through 86400 seconds on a single account, which is by no means infeasible.  I don't know if SMF uses any form of randomness to generate the session IDs or if it's a plain hash; if the former is true, then this type of attack wouldn't be possible on the scale that we saw.

bloxcity is so awesome
hello mr. thinksimserious
Please don't even kid around

Whoever started this, needs to stop:

That's exactly what the guy wants people to do, lol. Way to get baited and over-obsess about this.

Whoever started this, needs to stop:

It was Mr Queeba who boasted on this thread about him sending it to everyone on his steam friends list. It's loving handicapped.

That's exactly what the guy wants people to do, lol. Way to get baited and over-obsess about this.

Here's two reasons why that won't ever help spammers:

1) So, you have provided clear evidence which states that visiting ShadySalon.com is going to have your computer compromised. You have also made sure everything that exists knows about this. Wouldn't this make people stay away from ShadySalon, then?

2) So, you are the creator of ShadySalon and you induce panic to people about it, telling them they must not, under any circumstances, approach ShadySalon. This will get infamy but not many visitors, will it?

Noedit

Wouldn't this make people stay away from ShadySalon, then?

How can you tell?
another thing for badspot: if it's phishing, i haven't visited the drama board for 3 minutes while it's going on and that was while i was on the last poster on there.

so i visited the board again, it said another guy was the last poster (remember i clearly saw that i was the last poster before) and there was no "new" button. my first instinct was to log out and nothing seemed to happen to my account.
it might be phishing still but that's my 2 cents.

After reading the entire thing and looking into blockcity, I can say that this stuff is somewhat creepy. Mostly because we don't know this guy's identity, the random stuff that happened on teamspeak, and along with the hijacked accounts.

It was Mr Queeba who boasted on this thread about him sending it to everyone on his steam friends list. It's loving handicapped.
He never sent me one



some little loser named Spode(?) was trying to join both my server and Tezs under the name bloxcity
I assume he thinks he's funny or something