The Game Modding Community - Since 2001

Security Updates

A Blog Post for GameBanana

In the wake of the December attacks on GameBanana I have been working closely with GameBanana's Chief Security Analyst (Mini) to patch up exploits in our account platform. 

Previously our login form was exposed to what is known as "credential stuffing", whereby an attacker takes user data leaked from other sites (check if your data has been leaked) and tries those same credentials against a user's accounts on other websites. This was briefly happening on a large scale on GameBanana due to two shortcomings of our login form:

  1. No lockout for repeated login failures, allowing automated scripts to make unlimited login attempts (called a "brute force attack").
  2. No unrecognized-location checking or blacklist checking of the IPs logging in.

We've resolved these shortcomings, but there are still other sensitive actions that need protecting, such as changing emails, making BananaExchange purchases, etc.

New Security Procedures

We now have 3 different security procedures, of varying strength and convenience, which will be deployed when Potential Attack Vectors (PAVs) are interacted with:

  1. The Security Advisory - account holder is notified that a PAV interaction occurred.
  2. The Verification Email - account holder must verify via email the PAV interaction was initiated by them.
  3. The Wait Period - account holder must wait X number of hours before a PAV interaction is automatically accepted.

Known PAVs

We have identified six Potential Attack Vectors:
  1. Logging in from an unrecognized IP
  2. Logging in from a blacklisted IP
  3. Multiple failed login attempts
  4. Changing emails
  5. Changing passwords
  6. BeX purchasing

Each one must be addressed with a security procedure. Determining which security procedure to apply to which PAV is the tricky part, and it is where all the potential inconvenience comes in.
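As an added illustration (not GameBanana's code), here is a small Python policy that maps the three login-related PAVs above to the procedures listed in the post; the lockout threshold, the example blacklist and the choice of which procedure fires for each PAV are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# The three security procedures described in the post.
ADVISORY, VERIFY_EMAIL, WAIT_PERIOD = "advisory", "verification_email", "wait_period"
LOCKOUT_THRESHOLD = 5  # assumed: failed attempts allowed before the account is locked


@dataclass
class AccountSecurity:
    known_ips: set = field(default_factory=set)  # IPs seen on successful logins
    failed_attempts: int = 0
    locked: bool = False


class LoginPolicy:
    """Decides, per login attempt, which PAV (if any) was hit and which procedure applies."""

    def __init__(self, blacklist):
        self.blacklist = set(blacklist)  # assumed: IPs known to be abusive
        self.accounts = defaultdict(AccountSecurity)

    def attempt_login(self, user, ip, password_ok):
        acct = self.accounts[user]
        if acct.locked:  # PAV 3 already triggered: user must wait out the period
            return {"allowed": False, "procedure": WAIT_PERIOD, "reason": "locked out"}
        if ip in self.blacklist:  # PAV 2: require email verification before proceeding
            return {"allowed": False, "procedure": VERIFY_EMAIL, "reason": "blacklisted ip"}
        if not password_ok:  # PAV 3: count failures and lock after the threshold
            acct.failed_attempts += 1
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:
                acct.locked = True
                return {"allowed": False, "procedure": WAIT_PERIOD, "reason": "too many failures"}
            return {"allowed": False, "procedure": None, "reason": "bad password"}
        # Correct password. PAV 1: an IP not seen on a prior successful login gets an advisory.
        procedure = ADVISORY if ip not in acct.known_ips else None
        # Record the IP on success so the same location is not reported as new next time.
        acct.known_ips.add(ip)
        acct.failed_attempts = 0
        return {"allowed": True, "procedure": procedure, "reason": "ok"}
```

The IPs used in the checks are constructed documentation addresses; the point of recording the IP only on a successful login is that a repeat login from the same address is then recognized rather than re-flagged.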

Unfortunately we live in an age where your data is leaking everywhere, as new sites are breached every day. Enhanced security comes at the price of convenience, but we will try to make the inconvenience as minor as possible.

Posts

  • 6mo - JMXremix
    I was logging in from the very same location every time and using a similar computer, but it still says I logged in from a new location. Why? :(
  • 6mo - D-Wanderer
    I log in from the same IP every day and it still says it has detected an unknown IP.

    Also, it turns out I got pwned, as the site in the link refers to it. But they showed me a website I've never visited in my life. What is going on here?
  • 6mo - Royalist
    So this explains why I keep receiving the "Log in from an unidentified IP address" notification, I guess.

Blogger


tom (TBS2 Manager, Super Admin; joined 17y ago)

Stats

  • 404 Views
  • 6 Posts
  • 6mo Submitted
  • 4mo Modified
