Security Updates

A Blog Post for GameBanana


In the wake of the December attacks on GameBanana, I have been working closely with GameBanana's Chief Security Analyst (Mini) to patch up exploits in our account platform.

Previously our login form was exposed to what is known as "credential stuffing", whereby an attacker uses user data leaked from other sites (check if your data has been leaked) to attempt to log into that user's accounts on other websites. This was briefly happening on a large scale on GameBanana due to two shortcomings of our login form:

  1. No blockout for repeated login failures, allowing automated scripts to make unlimited login attempts (called a "brute force attack").
  2. No unrecognized location checking or blacklist checking of the IPs logging in.

We've resolved these shortcomings, but other sensitive actions, such as changing emails and making BananaExchange purchases, are still exposed and need the same protection.

New Security Procedures

We now have 3 different security procedures, of varying strength and convenience, which will be deployed when Potential Attack Vectors (PAVs) are interacted with:

  1. The Security Advisory - account holder is notified that a PAV interaction occurred.
  2. The Verification Email - account holder must verify via email the PAV interaction was initiated by them.
  3. The Wait Period - account holder must wait X number of hours before a PAV interaction is automatically accepted.

Known PAVs

We have identified six Potential Attack Vectors:

  1. Logging in from an unrecognized IP
  2. Logging in from a blacklisted IP
  3. Multiple failed login attempts
  4. Changing emails
  5. Changing passwords
  6. BeX purchasing

Each one must be addressed with a security procedure. Determining which security procedure to use is the tricky part and where all the potential inconvenience comes in.
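As an added illustration (not GameBanana's code), the following sketch shows how the two login shortcomings above and the PAV-to-procedure choice can fit together: a per-account failure counter that blocks out repeated failures for a window, a known-IP set so an address is only flagged once, a blacklist check, and a mapping that picks the strongest procedure among the PAVs an action triggers. The thresholds, the blacklist address and the mapping itself are assumptions; the post does not state which procedure applies to which PAV.

```python
from dataclasses import dataclass, field
from enum import Enum

class Procedure(Enum):
    ADVISORY = 1      # account holder is notified
    VERIFY_EMAIL = 2  # account holder must confirm by email
    WAIT_PERIOD = 3   # accepted only after a waiting period

# Assumed mapping from PAV to procedure; the post leaves this choice open.
PROCEDURE_FOR = {
    "unrecognized_ip": Procedure.ADVISORY,
    "blacklisted_ip": Procedure.VERIFY_EMAIL,
    "failed_logins": Procedure.WAIT_PERIOD,
    "email_change": Procedure.VERIFY_EMAIL,
    "password_change": Procedure.VERIFY_EMAIL,
    "bex_purchase": Procedure.VERIFY_EMAIL,
}

MAX_FAILURES = 5             # assumed threshold, not GameBanana's value
LOCKOUT_SECONDS = 15 * 60    # assumed blockout window
BLACKLIST = {"203.0.113.7"}  # constructed sample (TEST-NET-3 address)

@dataclass
class Account:
    known_ips: set = field(default_factory=set)
    failures: list = field(default_factory=list)  # timestamps of failed logins

def login_pavs(acct: Account, ip: str, password_ok: bool, now: float) -> list:
    """Return the PAVs triggered by one login attempt and update account state."""
    # Only failures inside the blockout window count towards the limit.
    acct.failures = [t for t in acct.failures if now - t < LOCKOUT_SECONDS]
    if len(acct.failures) >= MAX_FAILURES:
        return ["failed_logins"]  # blocked out: the password is not even checked
    if not password_ok:
        acct.failures.append(now)
        return ["failed_logins"] if len(acct.failures) >= MAX_FAILURES else []
    pavs = []
    if ip in BLACKLIST:
        pavs.append("blacklisted_ip")
    if ip not in acct.known_ips:
        pavs.append("unrecognized_ip")
        acct.known_ips.add(ip)  # remember it so the same IP is not flagged again
    acct.failures.clear()       # a successful login resets the counter
    return pavs

def required_procedure(pavs: list):
    """Pick the strongest procedure among those the triggered PAVs demand."""
    if not pavs:
        return None
    return max((PROCEDURE_FOR[p] for p in pavs), key=lambda p: p.value)
```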

Unfortunately we live in an age where your data is leaking everywhere, as new sites are breached every day. Enhanced security comes at the price of convenience, but we will try to make the inconvenience as minor as possible.

Posts

  • JMXremix (15d): I was logging in from the very same location every time and using a similar computer, but it still says I logged in from a new location. Why? :(
  • D-Wanderer (15d): I log in from the same IP every day and it still says it has detected an unknown IP.

    Also, it turns out I got pwned, as the site in the link refers to it. But they showed me a website I've never visited in my life. What is going on here?
  • Royalist (15d): So this explains the reason why I keep receiving the "Log in from an unidentified IP address" notification, I guess.

Blogger: tom (Super Admin)