Official COM staff hacked... again.

Junior Spellweaver
Joined
Jun 1, 2010
Messages
152
Reaction score
27
An old account used to make the Habboween Public Theatredrome account has been hacked.
The hacker has now put public theatredrome furniture in the market place at a pretty low price so people are snapping at the opportunity to buy it.

Only a month or so ago, an actual staff account with staff powers was hacked also, picking up rares from people's rooms.
 

Joined
Nov 6, 2012
Messages
2,230
Reaction score
314
You would have thought Habbo of all things would be double checking little possibilities like this all the time, right? But then again, looking at their latest "update", they seem to be getting slack. I wonder what's next..
 

PR0

Legendary Battlemage
Joined
Mar 3, 2007
Messages
690
Reaction score
85
Why don't the idiots just put a pin code or IP authentication for logging into their staff accounts lol. Unless the staff members themselves are actually getting infected, then they're still idiotic.
 
Joined
Feb 22, 2012
Messages
2,099
Reaction score
1,271
Why don't the idiots just put a pin code or IP authentication for logging into their staff accounts lol. Unless the staff members themselves are actually getting infected, then they're still idiotic.

I think they should use a PIN code in the client, but really, it wouldn't have been too hard to take it down: if a long admin password can be easily broken, imagine a small 4-letter PIN?
The problem with IP authentication is that they can access from their houses (you can access your Habbo from your home or from the Sulake office, but it is recommended that you go to the Sulake office and work there).

There was an admin explaining a few years back, when Sulake decided to fire them, that one of the managers of Habbo Hotel (BR) decided to show his face on his official Twitter ( -> now it's his own). That's why I don't think they can use an IP address whitelist... Because here in Brazil, most ISP companies use random IP addresses, which normally change each month; it would give a lot of headaches.

If you want to see his official Twitcam (it is in Portuguese, btw):
 
Joined
Apr 27, 2008
Messages
446
Reaction score
168
I think they should use a PIN code in the client, but really, it wouldn't have been too hard to take it down: if a long admin password can be easily broken, imagine a small 4-letter PIN?
The problem with IP authentication is that they can access from their houses (you can access your Habbo from your home or from the Sulake office, but it is recommended that you go to the Sulake office and work there).

There was an admin explaining a few years back, when Sulake decided to fire them, that one of the managers of Habbo Hotel (BR) decided to show his face on his official Twitter ( -> now it's his own). That's why I don't think they can use an IP address whitelist... Because here in Brazil, most ISP companies use random IP addresses, which normally change each month; it would give a lot of headaches.

If you want to see his official Twitcam (it is in Portuguese, btw):

There is a thing called a VPN.
 

PR0

Legendary Battlemage
Joined
Mar 3, 2007
Messages
690
Reaction score
85
I think they should use a PIN code in the client, but really, it wouldn't have been too hard to take it down: if a long admin password can be easily broken, imagine a small 4-letter PIN?
The problem with IP authentication is that they can access from their houses (you can access your Habbo from your home or from the Sulake office, but it is recommended that you go to the Sulake office and work there).

There was an admin explaining a few years back, when Sulake decided to fire them, that one of the managers of Habbo Hotel (BR) decided to show his face on his official Twitter ( -> now it's his own). That's why I don't think they can use an IP address whitelist... Because here in Brazil, most ISP companies use random IP addresses, which normally change each month; it would give a lot of headaches.

If you want to see his official Twitcam (it is in Portuguese, btw):


It seems like your reasoning for not having the PIN code is the concern of brute force. I know the methods used, and they were not brute force as far as I know.

The PIN code would be a drop-down selection anyhow; it's harder to set up a brute force for that, plus to use a brute force during that time you'd need to already have a session, which should be alerted somewhere or other that a staff member has been given a session.

There's tons of methods they could use.
 
Joined
Nov 6, 2012
Messages
2,230
Reaction score
314
Yes, maybe they could use a VPN indeed. But if other people can actually access a staff account, then it's not a VPN.
Remember that the housekeeping needs certificates, so that would be enough for major damage.

They do use a VPN though :p: One of the staff on Habbo confirmed it and Mr Jonty also confirmed it via his own knowledge. They have to log into it before they can do anything, so ya know.. And I would assume that their VPN and account details are different, so you can't just pick one and unlock them all.

But hopefully they'll learn from little mistakes like these and manage to keep everything safe in the future.
 
Joined
Feb 22, 2012
Messages
2,099
Reaction score
1,271
It seems like your reasoning for not having the PIN code is the concern of brute force. I know the methods used, and they were not brute force as far as I know.

The PIN code would be a drop-down selection anyhow; it's harder to set up a brute force for that, plus to use a brute force during that time you'd need to already have a session, which should be alerted somewhere or other that a staff member has been given a session.

There's tons of methods they could use.

For sure! Even the login email should be a customised one (abcdef@fakedomain.net), because for the user, finding the login's email is also hard. If you think about it, this is a company, for God's sake! Sometimes they don't act like one, like the great mute: it is a social game, not a mute game. The fault is the staff's (considering IF they choose the passwords/email), but they think it's just a game.

For safety, I would give staff (if I was Sulake):
- Custom emails (better if fake, so they would be harder to find);
- A PIN code, or a second password inside the client, or simply you SMS Sulake every time you want a new PIN, which expires every 12 hours;
- Housekeeping is already inaccessible, but... extended security is always good. If they got to first base, they can also get to second.

One thing I wish to try a bit more (I made a private server of Pocket Habbo once, so I know what I'm talking about) if I had my cellphone again (yes, this is one of my theories, not supposed to work, but hell, someone could try haha).
This is for PocketHabbo + [iOS / Android]:
- Download Fiddler2 and configure it as my iPhone's proxy;
- Grab the packets from login;
- There's a kind of rewrite rule in it, via "if data contains" or "if URL contains", w.e, if we go by the URL requested, which is pretty much the request to localhost...;
- Create a personal SSL certificate on IIS or Apache for Habbo;
- Modify responses for the staff's username and data, so you must be able to log in on it (the smartphone would think you entered the information correctly, so it would give you the account information).

Let me know if somebody does something about that.
 

PR0

Legendary Battlemage
Joined
Mar 3, 2007
Messages
690
Reaction score
85
For sure! Even the login email should be a customised one (abcdef@fakedomain.net), because for the user, finding the login's email is also hard. If you think about it, this is a company, for God's sake! Sometimes they don't act like one, like the great mute: it is a social game, not a mute game. The fault is the staff's (considering IF they choose the passwords/email), but they think it's just a game.

For safety, I would give staff (if I was Sulake):
- Custom emails (better if fake, so they would be harder to find);
- A PIN code, or a second password inside the client, or simply you SMS Sulake every time you want a new PIN, which expires every 12 hours;
- Housekeeping is already inaccessible, but... extended security is always good. If they got to first base, they can also get to second.

One thing I wish to try a bit more (I made a private server of Pocket Habbo once, so I know what I'm talking about) if I had my cellphone again (yes, this is one of my theories, not supposed to work, but hell, someone could try haha).
This is for PocketHabbo + [iOS / Android]:
- Download Fiddler2 and configure it as my iPhone's proxy;
- Grab the packets from login;
- There's a kind of rewrite rule in it, via "if data contains" or "if URL contains", w.e, if we go by the URL requested, which is pretty much the request to localhost...;
- Create a personal SSL certificate on IIS or Apache for Habbo;
- Modify responses for the staff's username and data, so you must be able to log in on it (the smartphone would think you entered the information correctly, so it would give you the account information).

Let me know if somebody does something about that.

The great mute was because they were in the midst of being sued for sexual harassment, links and a lack of safety and moderation.
 
Joined
Feb 22, 2012
Messages
2,099
Reaction score
1,271
The great mute was because they were in the midst of being sued for sexual harassment, links and a lack of safety and moderation.

I know. But they're still such cryers. It's the same thing as stopping all of RaGEZONE because somebody got banned. I know the case was big, but still, do it outside the hotel; act like men, not like kids.
 