COM staff hacked... again.

#1 owot (Member, joined Jun 2010, 185 posts):

    An old account used to make the Habboween Public Theatredrome account has been hacked.
    The hacker has now put public theatredrome furniture in the market place at a pretty low price so people are snapping at the opportunity to buy it.

    Only a month or so ago, an actual staff account with staff powers was hacked also, picking up rares from peoples rooms.

#2 The General (Developer, joined Aug 2011, 7,608 posts):

    They should have a whitelist for staff and building accounts.

#3 seanrom (Member, joined Nov 2009, 1,004 posts):

    We did it #4thelulz

#4 FatalLulz (Member, Australia, joined Nov 2012, 2,248 posts):

    You would have thought Habbo of all things would be double-checking little possibilities like this all the time, right? But then again, looking at their latest "updates", they seem to be getting slack. I wonder what's next...

#5 PR0 (Member, joined Mar 2007, 1,207 posts):

    Why don't the idiots just put a pin code or IP authentication for logging into their staff accounts lol. Unless the staff members themselves are actually getting infected, then they're still idiotic.

#6 Droppy (Internal Coder, joined Feb 2012, 2,074 posts):

    Quoting PR0:
    > Why don't the idiots just put a pin code or IP authentication for logging into their staff accounts lol. Unless the staff members themselves are actually getting infected, then they're still idiotic.
    I think they should use a PIN code in the client, but really, it wouldn't have been too hard to get it down: if a big admin password can be easily broken, imagine a small 4-letter PIN?
    The problem with IP authentication is that they can access from their houses (you can access your Habbo from your home or from the Sulake office, but it is recommended that you go to the Sulake office and work there).

    There was an admin explaining that a few years back, when Sulake decided to fire them, one of the managers of Habbo Hotel (BR) decided to show his face on his official Twitter (https://twitter.com/DiscoLee, now it's his own). That's why I don't think they can use an IP address whitelist... Because here in Brazil, most ISP companies use random IP addresses, and they normally change each month; it would give a lot of headaches.

    If you want to see his official Twitcam (it is in Portuguese, btw):

#7 TheOleg (Member, Estonia, joined Apr 2008, 570 posts):

    Quoting Droppy:
    > I think they should use a PIN code in the client, but really, it wouldn't have been too hard to get it down: if a big admin password can be easily broken, imagine a small 4-letter PIN? [...]
    There is a thing called a VPN.

#8 Droppy (Internal Coder):

    Quoting Rav4eG:
    > There is a thing called a VPN.
    Yes, maybe they could use a VPN indeed. But if other people can actually access the staff account, then it's not a VPN.
    Remember that the housekeeping needs certificates, so that would be enough for major damage.

#9 PR0 (Member):

    Quoting Droppy:
    > I think they should use a PIN code in the client, but really, it wouldn't have been too hard to get it down: if a big admin password can be easily broken, imagine a small 4-letter PIN? [...]
    It seems like your reasoning for not having the PIN code is the concern about brute force. I know the methods used, and they were not brute force as far as I know.

    The PIN code would be a drop-down selection anyhow; it's harder to set up a brute for that, plus to use a brute during that time you'd need to already have a session, which should be alerted somewhere or other that a staff member has been given a session.

    There's tons of methods they could use.

#10 FatalLulz (Member):

    Quoting Droppy:
    > Yes, maybe they could use a VPN indeed. But if other people can actually access the staff account, then it's not a VPN.
    > Remember that the housekeeping needs certificates, so that would be enough for major damage.
    They do use a VPN though. One of the staff on Habbo confirmed it and Mr Jonty also confirmed it via his own knowledge. They have to log into it before they can do anything, so ya know.. http://prntscr.com/3sb1om And I would assume that their VPN and account details are different, so you can't just pick one and unlock them all.

    But hopefully they'll learn from little mistakes like these and manage to keep everything safe in the future.

#11 Droppy (Internal Coder):

    Quoting PR0:
    > It seems like your reasoning for not having the PIN code is the concern about brute force. I know the methods used, and they were not brute force as far as I know.
    >
    > The PIN code would be a drop-down selection anyhow; it's harder to set up a brute for that, plus to use a brute during that time you'd need to already have a session, which should be alerted somewhere or other that a staff member has been given a session.
    >
    > There's tons of methods they could use.
    For sure! Even the login mail should be a customised one (abcdef@fakedomain.net), because for the user, finding the login's email is also hard. If you think about it, this is a company, for god's sake! Sometimes they don't act like one, like the great mute; it is a social game, not a mute game. The fault is the staff's (considering IF they choose the passwords/email), but they think it's just a game.

    For safety, I would give the staff (if I was Sulake):
    - Custom mails (better if fake, so it would be harder to find);
    - A PIN code, or a second password inside the client, or simply you SMS Sulake every time you want a new PIN, which expires every 12 hours;
    - Housekeeping is already inaccessible, but... extended security is always good. If they got to first base, they can also get to the second.

    One thing I wish to try a bit more (I made a private server of Pocket Habbo someday, so I know what I'm talking about) if I had some cellphone again (yes, this is one of my theories, not supposed to work, but hell, someone could try haha)
    This is for PocketHabbo + [iOS / Android]
    - Download fiddler2 and configure it as my iPhone's proxy;
    - Grab the packets from login;
    - There's a kind of rewrite rule on it, via if data contains, or if URL contains, w.e., if we make it by the URL requested, which is pretty much the request to localhost...;
    - Create a personal SSL certificate on IIS or Apache for habbo;
    - Modify responses for the staff's username and data, so you must be able to log in on it (the smartphone would think you entered the information correctly, so it would give you the account information)

    Let me know if somebody does something about that.
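PR0's point in #9 (a second-factor PIN can only be guessed from an already-open staff session, and a new staff session should itself raise an alert) and Droppy's list above (a PIN that expires every 12 hours) sketch a step-up gate in front of staff powers. The following is an added illustration, not code from any poster or from Sulake; the `Session` model, the `StaffStepUp` class and the 5-attempt limit are assumptions:

```python
import hmac, hashlib, secrets, time
from dataclasses import dataclass

PIN_TTL = 12 * 3600   # Droppy's proposal: a fresh PIN expires every 12 hours
MAX_ATTEMPTS = 5      # assumed: wrong guesses per session before it is revoked

@dataclass
class Session:
    """Hypothetical server-side session created by the normal password login."""
    user: str
    is_staff: bool
    pin_hash: bytes = b""
    pin_expires: float = 0.0
    attempts: int = 0
    step_up_done: bool = False
    revoked: bool = False

class StaffStepUp:
    """Second-factor gate in front of staff powers (illustrative model)."""
    def __init__(self, secret: bytes, now=time.time):
        self.secret, self.now, self.alerts = secret, now, []

    def _hash(self, pin: str) -> bytes:
        # Only an HMAC of the PIN is stored, so a leaked table reveals no PINs.
        return hmac.new(self.secret, pin.encode(), hashlib.sha256).digest()

    def open_session(self, user: str, is_staff: bool) -> Session:
        if is_staff:  # PR0's point: every new staff session is alerted somewhere
            self.alerts.append(f"staff session opened for {user}")
        return Session(user, is_staff)

    def issue_pin(self, s: Session) -> str:
        """Mint a 6-digit PIN for out-of-band delivery (e.g. SMS); returns it."""
        pin = f"{secrets.randbelow(10**6):06d}"
        s.pin_hash, s.pin_expires, s.attempts = self._hash(pin), self.now() + PIN_TTL, 0
        return pin

    def verify(self, s: Session, pin: str) -> bool:
        if s.revoked or not s.pin_hash or self.now() > s.pin_expires:
            return False  # expired, revoked or never-issued PINs always fail
        s.attempts += 1
        if s.attempts > MAX_ATTEMPTS:  # guessing only works from inside a live session
            s.revoked = True
            self.alerts.append(f"PIN brute force on {s.user}: session revoked")
            return False
        s.step_up_done = hmac.compare_digest(self._hash(pin), s.pin_hash)
        return s.step_up_done

    def may_use_staff_powers(self, s: Session) -> bool:
        return s.is_staff and s.step_up_done and not s.revoked
```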

#12 PR0 (Member):

    Quoting Droppy:
    > For sure! Even the login mail should be a customised one (abcdef@fakedomain.net), because for the user, finding the login's email is also hard. If you think about it, this is a company, for god's sake! Sometimes they don't act like one, like the great mute; it is a social game, not a mute game. [...]
    The great mute was because they were in the midst of being sued for sexual harassment, links and a lack of safety and moderation.

#13 Droppy (Internal Coder):

    Quoting PR0:
    > The great mute was because they were in the midst of being sued for sexual harassment, links and a lack of safety and moderation.
    I know. But they are still such criers. It's the same thing as if you stopped all of RaGEZone because somebody got banned. I know the case was big, but still, do it outside the hotel; act like men, not like kids.

#14 Nero (Member, Germany, joined Mar 2007, 2,392 posts):

    It makes me feel nostalgic. :>