The Game Modding Community - Since 2001

Security Updates

A Blog Post for GameBanana

In the wake of the December attacks on GameBanana I have been working closely with GameBanana's Chief Security Analyst (Mini) to patch up exploits in our account platform. 

Previously our login form was exposed to what is known as "credential stuffing", whereby an attacker takes user data leaked from other sites (check if your data has been leaked) and uses it to attempt to log into that user's accounts on other websites. This was briefly happening on a large scale on GameBanana due to two shortcomings of our login form:

  1. No lockout after repeated login failures, allowing automated scripts to make unlimited login attempts (called a "brute force attack").
  2. No unrecognized-location checking or blacklist checking of the IPs logging in.

We've resolved these shortcomings, but other sensitive actions, such as changing emails or making BananaExchange purchases, are still unprotected.

New Security Procedures

We now have three different security procedures, of varying strength and convenience, which will be deployed when Potential Attack Vectors (PAVs) are interacted with:

  1. The Security Advisory - account holder is notified that a PAV interaction occurred.
  2. The Verification Email - account holder must verify via email the PAV interaction was initiated by them.
  3. The Wait Period - account holder must wait X number of hours before a PAV interaction is automatically accepted.

Known PAVs

We have identified six Potential Attack Vectors:

  1. Logging in from an unrecognized IP
  2. Logging in from a blacklisted IP
  3. Multiple failed login attempts
  4. Changing emails
  5. Changing passwords
  6. BeX purchasing

Each one must be addressed with a security procedure. Determining which security procedure to use is the tricky part, and that is where all the potential inconvenience comes in.
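To make the two login-form fixes and the PAV-to-procedure idea concrete, here is an added example of a small login guard. It is not GameBanana's code. It counts failed attempts per account and per source IP inside a sliding window (credential stuffing spreads attempts across many accounts, so a per-account counter alone misses it), checks the source IP against a blacklist, flags logins from IPs not previously seen for that account, and maps each triggered PAV to one of the three procedures. The thresholds, the blacklist, the PAV-to-procedure mapping and the sample logins are all assumptions made for illustration; the post does not state which procedure each PAV gets.

```python
"""Added example (not GameBanana's own code): login guard with
per-account and per-IP failure lockout, blacklist and unrecognized-IP
checks, and a PAV -> security procedure mapping. All thresholds,
networks and the mapping below are assumptions for illustration."""
from collections import defaultdict, deque
from enum import Enum
import ipaddress
import time

MAX_FAILURES = 5            # assumed: failures allowed inside the window
FAILURE_WINDOW_S = 15 * 60  # assumed: 15-minute sliding window
LOCKOUT_S = 15 * 60         # assumed: 15-minute lockout once tripped


class Procedure(Enum):
    ADVISORY = "security advisory"
    VERIFICATION_EMAIL = "verification email"
    WAIT_PERIOD = "wait period"


# Assumed mapping; the post lists the six PAVs but not their procedures.
PAV_PROCEDURE = {
    "unrecognized_ip": Procedure.ADVISORY,
    "blacklisted_ip": Procedure.VERIFICATION_EMAIL,
    "multiple_failed_logins": Procedure.VERIFICATION_EMAIL,
    "email_change": Procedure.VERIFICATION_EMAIL,
    "password_change": Procedure.VERIFICATION_EMAIL,
    "bex_purchase": Procedure.WAIT_PERIOD,
}


def procedure_for(pav):
    return PAV_PROCEDURE[pav]


class LoginGuard:
    def __init__(self, blacklist, clock=time.time):
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]
        self.clock = clock                   # injectable for deterministic tests
        self.failures = defaultdict(deque)   # "user:x" / "ip:y" -> failure times
        self.locked_until = {}               # same keys -> time the lock expires
        self.known_ips = defaultdict(set)    # username -> IPs seen on success

    def is_blacklisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.blacklist)

    def is_locked(self, key):
        return self.locked_until.get(key, 0) > self.clock()

    def _record_failure(self, key):
        """Sliding-window counter; True when this failure trips the lockout."""
        now = self.clock()
        q = self.failures[key]
        q.append(now)
        while q and q[0] <= now - FAILURE_WINDOW_S:
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_S
            q.clear()
            return True
        return False

    def login(self, user, ip, password_ok):
        """Returns (allowed, triggered PAVs, procedures to run)."""
        keys = (f"user:{user}", f"ip:{ip}")
        pavs = []
        if any(self.is_locked(k) for k in keys):
            pavs.append("multiple_failed_logins")
            return False, pavs, [PAV_PROCEDURE[p] for p in pavs]
        if self.is_blacklisted(ip):
            pavs.append("blacklisted_ip")
            return False, pavs, [PAV_PROCEDURE[p] for p in pavs]
        if not password_ok:
            # List, not generator: both counters must be updated every time.
            if any([self._record_failure(k) for k in keys]):
                pavs.append("multiple_failed_logins")
            return False, pavs, [PAV_PROCEDURE[p] for p in pavs]
        seen = self.known_ips[user]
        # The first successful login after rollout seeds the history rather
        # than raising an alert, so a user who always logs in from the same
        # place does not get a "new location" notice on day one.
        if seen and ip not in seen:
            pavs.append("unrecognized_ip")
        seen.add(ip)
        return True, pavs, [PAV_PROCEDURE[p] for p in pavs]


if __name__ == "__main__":
    # Constructed demo: one source IP (TEST-NET-2) trying many accounts once each.
    t = [1000.0]
    guard = LoginGuard(["203.0.113.0/24"], clock=lambda: t[0])
    for n in range(6):
        print(guard.login(f"victim{n}", "198.51.100.7", password_ok=False))
    # A correct password from the same IP is now refused by the per-IP lock.
    print(guard.login("alice", "198.51.100.7", password_ok=True))
```

The per-IP counter is what stops a stuffing run that tries each account only once; in practice its threshold is set well above the per-account one so that a shared NAT or campus network is not locked out by a handful of genuine typos.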

Unfortunately we live in an age where your data is leaking everywhere, as new sites are breached every day. Enhanced security comes at the price of convenience, but we will try to make the inconvenience as minor as possible.

Posts

  • JMXremix (4mo):
    I was logging in in the very same location every time and using a similar computer, but it still says logged in in a new location. Why? :(

  • D-Wanderer (4mo):
    I log in from the same IP every day and it still says it has detected unknown IP.

    Also turns out I got pwned as the site in the link refers to it. But they showed me a website I've never visited in my life. What is going on here?

  • Royalist (4mo):
    So this explains the reason why I keep receiving the "Log in from an unidentified IP address" notification, I guess
Blogger

tom