HTTPS on NationStates
Posted: Sat Jun 16, 2012 8:34 pm
I was looking through the source code of an autotelegramer program the other day and noticed it sent the nation name and nation password as clear text in the login. At first I thought they were just a shitty programmer and didn't know better. So I fired up Wireshark, logged out, then started capturing packets. Then I logged back in and ended the capture. When I analyzed my login packet, I saw this:
Code:
ny^M"CqE7$@P1LX1PPOST / HTTP/1.1
Host: www.nationstates.net
Connection: keep-alive
Content-Length: 66
Cache-Control: max-age=0
Origin: http://www.nationstates.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nationstates.net/page=login
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: [REMOVED SO YOU JOKERS CAN'T LOG IN AS ME]
logging_in=1&nation=Afforess&password=hunter2&autologin=yes
Don't bother with that password, I hope you get the reference though
Point is, logging into the game sends the password in clear text. This means you shouldn't log in anywhere where you don't have complete control of the entire connection up until it reaches your ISP. This means public Wi-Fi, universities, libraries, internet cafes, airports, etc. could easily have sniffers ready to rob your account.
Is there a reason NS doesn't use SSL or some other encryption/salt for the password? I feel a lot edgier logging into a service with my password in clear text, especially with how easy network sniffing is. I could teach a 12-year-old to hack an NS account with McDonald's Wi-Fi.
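
Added example, not part of the original post: a small Python check that a site operator or user could run over requests recovered from their own capture to confirm whether a login form submits credentials without TLS. The sample request is constructed, and the `SENSITIVE` field names and `audit_request` function are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Form field names treated as secrets (assumption; extend for your own app).
SENSITIVE = {"password", "passwd", "pass", "pwd"}

# Constructed sample modelled on the capture above; all values are placeholders.
SAMPLE = (
    "POST / HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Origin: http://www.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Referer: http://www.example.test/page=login\r\n"
    "\r\n"
    "logging_in=1&nation=Testlandia&password=placeholder&autologin=yes"
)

def audit_request(raw):
    """Return findings for one HTTP request that was readable in a capture."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    # endswith() tolerates stray frame-header bytes pasted before the method.
    is_post = lines[0].split(" ", 1)[0].endswith("POST")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    findings = []
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if is_post and ctype == "application/x-www-form-urlencoded":
        for key, value in parse_qsl(body, keep_blank_values=True):
            if key.lower() in SENSITIVE and value:
                # Report the field and its length only, never the secret itself.
                findings.append(f"cleartext credential field '{key}' ({len(value)} chars)")
    for name in ("origin", "referer"):
        if urlsplit(headers.get(name, "")).scheme == "http":
            findings.append(f"{name} uses http://, so the login page was served without TLS")
    return findings

if __name__ == "__main__":
    for finding in audit_request(SAMPLE):
        print(finding)
```

A finding on the `origin` or `referer` line means the form page itself was delivered over plain HTTP, so moving only the POST target to HTTPS would not be enough.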