Dominion Strategy Forum

Author Topic: Dominion Online Open Beta coming up shortly!  (Read 97647 times)

GendoIkari

Re: Dominion Online Open Beta coming up shortly!
« Reply #150 on: June 13, 2015, 11:20:03 am »
0

I can confirm that the password is written in the log in plain text:

Quote
WebSocketConnector: Starting receiving controller messages
 
(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/UnityEngineDebugBindings.gen.cpp Line: 65)

Autologin method: login
 
(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/UnityEngineDebugBindings.gen.cpp Line: 65)

LogWeb: Send Controller: {"message":"login", "clientVersion":"2.0.29", "name":"SheCantSayNo", "password":"#GokoWasBetter"}

Where is this log?

C:\Program Files (x86)\Dominion\Dominion_Data\output_log.txt

If it doesn't show up for everyone, it could be that it only shows if you have the "remember my password" and/or auto-login functionality enabled.

Thanks, found it. I guess pubby is right that this by itself isn't quite the same as having the password shown in plain-text somewhere on the server side. But just seeing it in the log makes me strongly suspect that it IS somewhere on the server side. The log message itself looks like a recording of the data that was sent to the server.
Logged
Check out my F.DS extension for Chrome! Card links; Dominion icons, and maybe more! http://forum.dominionstrategy.com/index.php?topic=13363.0

Thread for Firefox version:
http://forum.dominionstrategy.com/index.php?topic=16305.0

GendoIkari

Re: Dominion Online Open Beta coming up shortly!
« Reply #151 on: June 13, 2015, 11:22:05 am »
+1

http://forum.makingfun.com/showthread.php?6931-We-haven-t-forgotten-you!&p=35310#post35310

I'll be willing to ride this one out and wait before denouncing anything, even if the closed beta didn't do anything.

I mean, we can't play Dominion anywhere else.

For this link and at least one other to their forum, I'm getting this message:

Quote
GendoIkari, you do not have permission to access this page. This could be due to one of several reasons:

1. Your user account may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?

2. If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.

Anyone know anything about this? I obviously have an account there; pretty sure I've posted before.
Logged
Check out my F.DS extension for Chrome! Card links; Dominion icons, and maybe more! http://forum.dominionstrategy.com/index.php?topic=13363.0

Thread for Firefox version:
http://forum.dominionstrategy.com/index.php?topic=16305.0

werothegreat

Re: Dominion Online Open Beta coming up shortly!
« Reply #152 on: June 13, 2015, 11:23:20 am »
+2

http://forum.makingfun.com/showthread.php?6931-We-haven-t-forgotten-you!&p=35310#post35310

I'll be willing to ride this one out and wait before denouncing anything, even if the closed beta didn't do anything.

I mean, we can't play Dominion anywhere else.

For this link and at least one other to their forum, I'm getting this message:

Quote
GendoIkari, you do not have permission to access this page. This could be due to one of several reasons:

1. Your user account may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?

2. If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.

Anyone know anything about this? I obviously have an account there; pretty sure I've posted before.

It's from the Closed Beta forums, which you would only have access to if you were invited to the Closed Beta.
Logged
Contrary to popular belief, I do not run the wiki all on my own.  There are plenty of other people who are actively editing.  Go bother them!

Check out this fantasy epic adventure novel I wrote, the Broken Globe!  http://www.amazon.com/Broken-Globe-Tyr-Chronicles-Book-ebook/dp/B00LR1SZAS/

Seprix

Re: Dominion Online Open Beta coming up shortly!
« Reply #153 on: June 13, 2015, 11:25:53 am »
0

Basically, a mod is saying he hasn't forgotten us, and that they're all busy.

Attached is a screenshot of his post.
Logged
DM me for ideas on a new article, either here or on Discord (I check Discord way more often)

Kirian

Re: Dominion Online Open Beta coming up shortly!
« Reply #154 on: June 13, 2015, 11:52:09 am »
+6

Ugh, I hate to spend any amount of time defending MakingFun during this debacle, but having the plaintext password stored on your computer isn't a huge deal.  If someone already has access to your computer, they can get all your passwords saved by Chrome/FF/IE anyway.  Unless you're master-password protecting those, too, in which case, OK, I get paranoia I suppose, but xkcd exposed that insecurity years ago.

If they're sending the password plaintext insecure, that's a different problem altogether.
Logged
Kirian's Law of f.DS jokes:  Any sufficiently unexplained joke is indistinguishable from serious conversation.

SCSN

Re: Dominion Online Open Beta coming up shortly!
« Reply #155 on: June 13, 2015, 12:43:28 pm »
+4

Ugh, I hate to spend any amount of time defending MakingFun during this debacle, but having the plaintext password stored on your computer isn't a huge deal.  If someone already has access to your computer, they can get all your passwords saved by Chrome/FF/IE anyway.  Unless you're master-password protecting those, too, in which case, OK, I get paranoia I suppose, but xkcd exposed that insecurity years ago.

If they're sending the password plaintext insecure, that's a different problem altogether.

That sounds reasonable until you realise that the file in which your password is stored in plain text is the same one you would send to MF to report a crash.

And while we all know that it's thoroughly retarded to re-use login details between different services, the reality is that people are lazy and that I just changed my PayPal password.
Logged

Chris is me

Re: Dominion Online Open Beta coming up shortly!
« Reply #156 on: June 13, 2015, 02:18:07 pm »
0

When I played the beta yesterday morning, it seemed... okay. It was a fair bit slower than Salvager, but I never found the deck size bug, the high resolution interface was a big improvement, and I could largely play Dominion in the same manner I could before. Sidebar would be nice, but I could make do. I was beginning to think the complaints were overstated. I was upset with how much they seemed to be rushing to close the old Dominion app, but if they fixed things then whatever I guess.

Then I tried to play again yesterday evening, and every move had a good 10-15 seconds of delay between the click and the action. I know this wasn't just me either; others playing at the same time, against bots no less, had the same problem. And now this morning I can't even complete a log in sequence (it doesn't say I can't log in, it just doesn't DO anything when I hit the button except crash sometimes).

On top of this, storing a password in plain text anywhere is completely indefensible. It's not, there's no argument here. That's appallingly insecure. I don't have anything to add, honestly - it's that simple.

I wanted to give them so much slack. It's a beta, things aren't going to work right for awhile at all. I really wanted to be patient and give them time to get everything right... but with the password thing, with how the closed beta testers were treated, I just don't really know what to think anymore. The thing that gets me is that we had a very simple and robust simulator in Isotropic years ago. We had Goko, with all of its flaws, but they had gotten it to a reasonably stable place. And now somehow we're worse off now than we were years ago. I really like this game a lot. I'm putting up with all of this shit because I'm obsessed and I love Dominion and all that. But it's really starting to not look so worth it anymore. Why is this so hard?
Logged
Twitch channel: http://www.twitch.tv/chrisisme2791

bug me on discord

pm me if you wanna do stuff for the blog

they/them

Elanchana

Re: Dominion Online Open Beta coming up shortly!
« Reply #157 on: June 13, 2015, 03:15:09 pm »
0

I'm probably not going to contribute anything to the password discussion that hasn't already been said. Right now all I can take comfort in is that every time the login lockout happens, it means they're doing something for us.

(I have trouble not comparing this to Pottermore. Their beta went down every ten minutes or so, but a few months later they were up and running really smoothly.)
Logged
Sure it's just a game. The same way that your best friend in the whole world is "just a friend".

Twitch, YouTube, Music

!!CHANGED MY USERNAME ON 2.0!!

Triumph44

Re: Dominion Online Open Beta coming up shortly!
« Reply #158 on: June 13, 2015, 04:26:20 pm »
0

When I played the beta yesterday morning, it seemed... okay. It was a fair bit slower than Salvager, but I never found the deck size bug, the high resolution interface was a big improvement, and I could largely play Dominion in the same manner I could before. Sidebar would be nice, but I could make do. I was beginning to think the complaints were overstated. I was upset with how much they seemed to be rushing to close the old Dominion app, but if they fixed things then whatever I guess.

Then I tried to play again yesterday evening, and every move had a good 10-15 seconds of delay between the click and the action. I know this wasn't just me either; others playing at the same time, against bots no less, had the same problem. And now this morning I can't even complete a log in sequence (it doesn't say I can't log in, it just doesn't DO anything when I hit the button except crash sometimes).

On top of this, storing a password in plain text anywhere is completely indefensible. It's not, there's no argument here. That's appallingly insecure. I don't have anything to add, honestly - it's that simple.

I wanted to give them so much slack. It's a beta, things aren't going to work right for awhile at all. I really wanted to be patient and give them time to get everything right... but with the password thing, with how the closed beta testers were treated, I just don't really know what to think anymore. The thing that gets me is that we had a very simple and robust simulator in Isotropic years ago. We had Goko, with all of its flaws, but they had gotten it to a reasonably stable place. And now somehow we're worse off now than we were years ago. I really like this game a lot. I'm putting up with all of this shit because I'm obsessed and I love Dominion and all that. But it's really starting to not look so worth it anymore. Why is this so hard?

What's most confusing is that Goko looked to be growing, even though until Adventures came out the last expansion happened in 2013.  It seemed like more people were on and playing more - at peak times the first 6 rooms were full.  And that's despite the fact that the Goko interface is clunky and dumb (the gameplay on Goko was terrific and I have very few complaints about it, everything else about the site was, IME, awful).  Now they have to silly up the graphics to pretend like we're playing Hearthstone and make you install something on your computer when people are moving away from computers.  I don't get the economic model of the online game either - if you buy all the expansions, then the site has wrung every last dollar from you, and now what incentive do they have to provide a good service?  There should be a nominal yearly fee for people who play over 100 games or something like that.

Anyway I understand it's a Beta, but good god, what a disaster this is so far.
Logged

rspeer

Re: Dominion Online Open Beta coming up shortly!
« Reply #159 on: June 13, 2015, 05:04:36 pm »
+4

On top of this, storing a password in plain text anywhere is completely indefensible. It's not, there's no argument here. That's appallingly insecure. I don't have anything to add, honestly - it's that simple.

I would caution against overreacting here. Have you ever saved a password in your web browser? That's plain text.
Logged

jsh357

Re: Dominion Online Open Beta coming up shortly!
« Reply #160 on: June 13, 2015, 05:24:56 pm »
0

When I played the beta yesterday morning, it seemed... okay. It was a fair bit slower than Salvager, but I never found the deck size bug, the high resolution interface was a big improvement, and I could largely play Dominion in the same manner I could before. Sidebar would be nice, but I could make do. I was beginning to think the complaints were overstated. I was upset with how much they seemed to be rushing to close the old Dominion app, but if they fixed things then whatever I guess.

Then I tried to play again yesterday evening, and every move had a good 10-15 seconds of delay between the click and the action. I know this wasn't just me either; others playing at the same time, against bots no less, had the same problem. And now this morning I can't even complete a log in sequence (it doesn't say I can't log in, it just doesn't DO anything when I hit the button except crash sometimes).

On top of this, storing a password in plain text anywhere is completely indefensible. It's not, there's no argument here. That's appallingly insecure. I don't have anything to add, honestly - it's that simple.

I wanted to give them so much slack. It's a beta, things aren't going to work right for awhile at all. I really wanted to be patient and give them time to get everything right... but with the password thing, with how the closed beta testers were treated, I just don't really know what to think anymore. The thing that gets me is that we had a very simple and robust simulator in Isotropic years ago. We had Goko, with all of its flaws, but they had gotten it to a reasonably stable place. And now somehow we're worse off now than we were years ago. I really like this game a lot. I'm putting up with all of this shit because I'm obsessed and I love Dominion and all that. But it's really starting to not look so worth it anymore. Why is this so hard?

What's most confusing is that Goko looked to be growing, even though until Adventures came out the last expansion happened in 2013.  It seemed like more people were on and playing more - at peak times the first 6 rooms were full.  And that's despite the fact that the Goko interface is clunky and dumb (the gameplay on Goko was terrific and I have very few complaints about it, everything else about the site was, IME, awful).  Now they have to silly up the graphics to pretend like we're playing Hearthstone and make you install something on your computer when people are moving away from computers.  I don't get the economic model of the online game either - if you buy all the expansions, then the site has wrung every last dollar from you, and now what incentive do they have to provide a good service? There should be a nominal yearly fee for people who play over 100 games or something like that.

Anyway I understand it's a Beta, but good god, what a disaster this is so far.

The second bolded part answers the first bolded part... they probably weren't making more money even though there were more people playing.  A lot of the same users who bought years ago are still playing now.

I personally think MF is between a rock and a hard place on this.  The business model Goko started is clearly unsustainable without the microtransactions they first pushed for with Zaps etc, but now to be fair to us older users MF can't really change the model and fix it.  Their only way to profit is to get a ton of people to buy sets now and increase the price. (which they've apparently done?) 
« Last Edit: June 13, 2015, 05:27:11 pm by jsh357 »
Logged
Join the Dominion community Discord channel! Chat in text and voice; enter dumb tournaments; spy on top players!

https://discord.gg/2rDpJ4N

Awaclus

Re: Dominion Online Open Beta coming up shortly!
« Reply #161 on: June 13, 2015, 05:39:21 pm »
+3

I personally think MF is between a rock and a hard place on this.  The business model Goko started is clearly unsustainable without the microtransactions they first pushed for with Zaps etc, but now to be fair to us older users MF can't really change the model and fix it.  Their only way to profit is to get a ton of people to buy sets now and increase the price. (which they've apparently done?)

Well, they could start selling other stuff, like skins or different card backs or extra avatars or something. Or they could show ads for base-only players.
Logged
Bomb, Cannon, and many of the Gunpowder cards can strongly effect gameplay, particularly in a destructive way

The YouTube channel where I make music
Download my band's Creative Commons albums for free

Triumph44

Re: Dominion Online Open Beta coming up shortly!
« Reply #162 on: June 13, 2015, 05:40:14 pm »
+2

What's most confusing is that Goko looked to be growing, even though until Adventures came out the last expansion happened in 2013.  It seemed like more people were on and playing more - at peak times the first 6 rooms were full.  And that's despite the fact that the Goko interface is clunky and dumb (the gameplay on Goko was terrific and I have very few complaints about it, everything else about the site was, IME, awful).  Now they have to silly up the graphics to pretend like we're playing Hearthstone and make you install something on your computer when people are moving away from computers.  I don't get the economic model of the online game either - if you buy all the expansions, then the site has wrung every last dollar from you, and now what incentive do they have to provide a good service? There should be a nominal yearly fee for people who play over 100 games or something like that.

Anyway I understand it's a Beta, but good god, what a disaster this is so far.

The second bolded part answers the first bolded part... they probably weren't making more money even though there were more people playing.  A lot of the same users who bought years ago are still playing now.

I personally think MF is between a rock and a hard place on this.  The business model Goko started is clearly unsustainable without the microtransactions they first pushed for with Zaps etc, but now to be fair to us older users MF can't really change the model and fix it.  Their only way to profit is to get a ton of people to buy sets now and increase the price. (which they've apparently done?)

Their business model doesn't work, so now they are just going to double down on it?  It makes zero sense.  Their way to sustain themselves is to charge people who often use the site, people like me who are willing to pay.  I understand that microtransactions have worked on other games, but this is a card game that exists independent of the online site.  I just don't see how raising prices on sets will make the site profitable long-term; if there are people who've used the site for a while but who haven't bought expansions, they're now less likely to buy them, and is there really going to be a large influx of new players?  I guess that's the idea by building it like Hearthstone, but it doesn't seem like a good plan - it's almost like a pyramid scheme, where new users pay for the old ones.  Doesn't usually work out well.
« Last Edit: June 13, 2015, 05:41:15 pm by Triumph44 »
Logged

jsh357

Re: Dominion Online Open Beta coming up shortly!
« Reply #163 on: June 13, 2015, 06:03:55 pm »
0

I didn't say it was a good way to profit, just one of their only options.

Sure, they could add microtransactions like Awaclus mentions.  However, I don't think most users would pay for virtual hats or the pretty base cards.  Some hardcore fans, but not many.  I know I wouldn't.
Logged
Join the Dominion community Discord channel! Chat in text and voice; enter dumb tournaments; spy on top players!

https://discord.gg/2rDpJ4N

Seprix

Re: Dominion Online Open Beta coming up shortly!
« Reply #164 on: June 13, 2015, 07:03:04 pm »
+1

I'd pay about 30 a year for Dominion Online. And I would pay money for the exclusive right to customize your avatar, change your text color in chat, and the ability to create private rooms.
Logged
DM me for ideas on a new article, either here or on Discord (I check Discord way more often)

mameluke

Re: Dominion Online Open Beta coming up shortly!
« Reply #165 on: June 13, 2015, 07:07:58 pm »
+7

Of course, I would also pay money for Isotropic.
Logged

markusin

Re: Dominion Online Open Beta coming up shortly!
« Reply #166 on: June 13, 2015, 11:22:09 pm »
+1

Ugh, I hate to spend any amount of time defending MakingFun during this debacle, but having the plaintext password stored on your computer isn't a huge deal.  If someone already has access to your computer, they can get all your passwords saved by Chrome/FF/IE anyway.  Unless you're master-password protecting those, too, in which case, OK, I get paranoia I suppose, but xkcd exposed that insecurity years ago.

If they're sending the password plaintext insecure, that's a different problem altogether.

That sounds reasonable until you realise that the file in which your password is stored in plain text is the same one you would send to MF to report a crash.

And while we all know that it's thoroughly retarded to re-use login details between different services, the reality is that people are lazy and that I just changed my PayPal password.

For this reason, I use different passwords for all my major web activities, which includes anything with money on the line or information about my identity. I know people who use a password management application with a master password, but I never got around to trying that.

On top of this, storing a password in plain text anywhere is completely indefensible. It's not, there's no argument here. That's appallingly insecure. I don't have anything to add, honestly - it's that simple.

I would caution against overreacting here. Have you ever saved a password in your web browser? That's plain text.
Yeah browser saved passwords are plain text last I heard. That's kind of appalling in itself, and so I don't have my browsers remember any of my passwords. But even there, at least none of the browser saved passwords ever get sent across the server. They just populate your password fields before you submit forms, right? The major danger with browser saved passwords is people using your physical machine while you're not looking.

Now I'm no security expert either, but I'm interested in the topic and may even pursue a master in information security in the near future. Does anyone know how Unity apps communicate with the server? If it's some sort of SSH connection then sending unencrypted information like passwords is bad but not a catastrophe, so long as password information is still hashed server-side.

Normal web apps use TCP/UDP protocols or whatever, whose packets can be observed quite easily by outsiders. For this reason, it's extremely important that all sensitive information be encrypted or hashed before even being sent to the server. Given the need to obfuscate the password at some point client side anyway, a normal web app (like Dominion Online V1.0) has no business to not perform the obfuscation step of the sensitive information being sent to the server before doing anything else with that information.

So it all comes down to whether or not the password is sent to the server in plain text. We can't conclusively say it does just from the log. If it doesn't, then one possibility is that the client side log is being completely generated client side with only client side input (which would mean the log is limited to non-server side issues). Another possibility is that the client receives the errors from the server and then the client side finishes writing the log. This second possibility is quite nonsensical to me as the client application can just save the obfuscated password to the log at that point and cannot send the log report back to the client with the plain text password without resulting in a security breach.

Like SCSN, I'm very skeptical about this plain text password revelation as it appears in a log file. It even logs errors, right? That's something of value to the server-side administration.

You know, I was out of the loop on the whole open beta thing, only finding out about it about 2 hours ago. Man, I was even having trouble downloading the thing. It seemed like it was freezing up my network connection on my computer, and failed to download anyway. Now I read through this thread and well these failings of Dominion Online are amusing at this point.
« Last Edit: June 13, 2015, 11:23:13 pm by markusin »
Logged

Cave-o-sapien

Re: Dominion Online Open Beta coming up shortly!
« Reply #167 on: June 14, 2015, 01:40:02 am »
+1

After playing a few games, the login screen started freezing for me. So I decided to investigate a little. Apparently the program tries to write into C:\Program Files (x86)\Dominion\Dominion_Data. Great. Let's run it as administrator. Probably the first program launch after the installation was done with the administrator privileges. Now the screen doesn't freeze, just nothing happens after clicking the "Sign in" button.
What's in the logs?
Quote
WebSocketException: A timeout has occurred while reading an HTTP request/response
Nothing new. Just like with 1.0, the servers can't handle the traffic.

What's more interesting is that in the logs I can find password in plain text. The whole network communication is also logged. :-\
Quote
LogWeb: Send Controller: {"message":"login", "clientVersion":"2.0.29", "name":"matste", "password":"********"}

Goko was better.

As someone who often wears a Sys Admin hat, I reserve a special kind of disdain for developers who ignore OS best practices when it comes to file locations and permissions. There's just no excuse in 2015 for an end-user Windows application that writes to C:\Program Files.

The password stuff doesn't look good but I'll reserve judgment on that until someone shows that they are being transmitted in plain text.

I finally got the app to work last night and played through a bit of the campaign. I must say it was much better than the last iteration of Goko that I used. It was nice to be able to install it tonight on a different machine and pick up where I left off, but then it started getting really laggy until it crashed altogether 30 or so minutes ago. Is this regular periodic downtime?

I seriously doubt I'll ever pay for this. On the other hand the price I'd be willing to pay to have Isotropic back just keeps going up.
Logged

pubby

Re: Dominion Online Open Beta coming up shortly!
« Reply #168 on: June 14, 2015, 01:56:46 am »
+8

Now I'm no security expert either, but I'm interested in the topic and may even pursue a master in information security in the near future. Does anyone know how Unity apps communicate with the server?  If it's some sort of SSH connection then sending unencrypted information like passwords is bad but not a catastrophe, so long as password information is still hashed server-side.
Looking at strace output: everything is being sent through SSL, just as expected. This is good and correct.

If it's some sort of SSH connection then sending unencrypted information like passwords is bad but not a catastrophe, so long as password information is still hashed server-side.
If it's sent through SSH (or SSL) then it wouldn't be "unencrypted information"...

Again, so we don't have MF's word on anything yet, so can we please stop spreading all this FUD?
Logged

Seprix

Re: Dominion Online Open Beta coming up shortly!
« Reply #169 on: June 14, 2015, 02:24:15 am »
0

Now I'm no security expert either, but I'm interested in the topic and may even pursue a master in information security in the near future. Does anyone know how Unity apps communicate with the server?  If it's some sort of SSH connection then sending unencrypted information like passwords is bad but not a catastrophe, so long as password information is still hashed server-side.
Looking at strace output: everything is being sent through SSL, just as expected. This is good and correct.

If it's some sort of SSH connection then sending unencrypted information like passwords is bad but not a catastrophe, so long as password information is still hashed server-side.
If it's sent through SSH (or SSL) then it wouldn't be "unencrypted information"...

Again, so we don't have MF's word on anything yet, so can we please stop spreading all this FUD?

I know I'm guilty of this, and I'm trying not to be. I want to give these guys a fair shot.
Logged
DM me for ideas on a new article, either here or on Discord (I check Discord way more often)

Moneymodel

Re: Dominion Online Open Beta coming up shortly!
« Reply #170 on: June 14, 2015, 02:30:29 am »
0

I'm able to download and open it, but I can't sign in. And the taskbar doesn't jump right out when I linger my cursor at the bottom of the screen, so I have to do Ctrl Alt Del. It's unfortunate, but I still look forward to downloading a functional one.
Logged

rspeer

Re: Dominion Online Open Beta coming up shortly!
« Reply #171 on: June 14, 2015, 02:53:17 am »
0

In a fit of masochism, I decided to try it, and encountered the same thing. I had to ctrl-alt-del multiple times because somehow, while completely crashed, it still managed to repeatedly pop itself to the front when I tried to use Task Manager.
Logged

matste

Re: Dominion Online Open Beta coming up shortly!
« Reply #172 on: June 14, 2015, 03:03:14 am »
+1

It seems that what I found in the logs generated a lot of mistrust in MF's abilities. I want to clarify that I also don't think it's a big deal. It can only be harmful if: a) You reuse your sensitive passwords for small places like Goko and b) A bad guy (investigating you individually) gains access to your computer. However, if you are in a habit of reusing sensitive passwords, then the bad guys probably have easier ways to access them, like your browser data. From what I see, the application verifies passwords like 99.99% of websites do: it sends them to the server in plain text, over an encrypted connection. So there's no fundamental flaw in the architecture.

When you decide to switch from a web-based application to a standalone program, you need to rethink some security issues. Unfortunately, sensitive data leaking into local logs is only one of many things that can go wrong. Your program can do more harm to your clients' machines than your website can.

I wonder how the application is going to update itself. How did you, betatesters, switch between releases?
Logged
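
The leak discussed in this thread (a login payload written to output_log.txt, the same file a user would attach to a crash report) can be scrubbed before the log leaves the machine. The following is an added example, not part of the thread and not MakingFun's code; the key names other than "password", the mask string and the sample values are assumptions.

```python
import json
import re

# Field names treated as secrets. "password" is the key seen in the thread's
# log excerpt; the others are assumptions added for illustration.
SENSITIVE_KEYS = {"password", "token", "sessionid"}
MASK = "[REDACTED]"

# Shape of the line quoted in the thread:
#   LogWeb: Send Controller: {"message":"login", ..., "password":"..."}
LOGWEB_RE = re.compile(
    r"^(?P<prefix>.*?LogWeb: Send Controller: )(?P<body>\{.*\})\s*$"
)

# Fallback for lines whose payload is not valid JSON (truncated, concatenated):
# mask the quoted value that follows any sensitive key.
PAIR_RE = re.compile(
    r'("(?:%s)"\s*:\s*")(?:[^"\\]|\\.)*(")' % "|".join(sorted(SENSITIVE_KEYS)),
    re.IGNORECASE,
)


def _redact(node):
    """Return (copy of node with secrets masked, number of values masked)."""
    if isinstance(node, dict):
        out, hits = {}, 0
        for key, value in node.items():
            if key.lower() in SENSITIVE_KEYS:
                out[key], n = MASK, 1
            else:
                out[key], n = _redact(value)
            hits += n
        return out, hits
    if isinstance(node, list):
        pairs = [_redact(item) for item in node]
        return [p[0] for p in pairs], sum(p[1] for p in pairs)
    return node, 0


def scrub_line(line):
    """Mask secrets in one log line; returns (line, masked_count)."""
    match = LOGWEB_RE.match(line)
    if match:
        try:
            payload, hits = _redact(json.loads(match.group("body")))
        except ValueError:
            payload, hits = None, 0  # not valid JSON: use the textual fallback
        if hits:
            return match.group("prefix") + json.dumps(payload), hits
    # Textual fallback; subn returns (new_line, number_of_substitutions).
    return PAIR_RE.subn(lambda m: m.group(1) + MASK + m.group(2), line)


def scrub_log(text):
    """Scrub a whole log; returns (scrubbed_text, total_masked)."""
    total, out = 0, []
    for line in text.splitlines():
        clean, hits = scrub_line(line)
        out.append(clean)
        total += hits
    return "\n".join(out), total


# Constructed sample in the format quoted in the thread (values are made up).
SAMPLE_LOG = "\n".join([
    "WebSocketConnector: Starting receiving controller messages",
    "Autologin method: login",
    'LogWeb: Send Controller: {"message":"login", "clientVersion":"2.0.29", '
    '"name":"example_user", "password":"constructed-secret"}',
    # Truncated payload: not valid JSON, handled by the fallback pattern.
    'LogWeb: Send Controller: {"message":"login", '
    '"password":"constructed-secret", "na',
])

if __name__ == "__main__":
    scrubbed, masked = scrub_log(SAMPLE_LOG)
    print(scrubbed)
    print("values masked:", masked)
```

Scrubbing is a stopgap for a user about to share a log; the durable fix is for the client to leave credential fields out of its network logging altogether.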

jsh357

Re: Dominion Online Open Beta coming up shortly!
« Reply #173 on: June 14, 2015, 07:57:49 am »
0

They released new installers for each update.  No clue if the game auto-updates now.  I wouldn't count on it?
Logged
Join the Dominion community Discord channel! Chat in text and voice; enter dumb tournaments; spy on top players!

https://discord.gg/2rDpJ4N

cactus

Re: Dominion Online Open Beta coming up shortly!
« Reply #174 on: June 14, 2015, 08:48:10 am »
0

O.M.G.

Just read the whole thread. So depressing.

Can't ... believe ... we're back here ...