Topic
hacking
Móose
85 Human Death Knight Ashes of Myrianis 8440
Sadly, this week a player in my guild was hacked; he was an officer and as such had a lot of admin rights. A random level 1 player was invited, promoted to rank 3, which has a daily cap of 1000g (to prevent someone taking everything) and 5 stacks. The player took his limit, left the guild, was re-invited on the hacked account, and repeated. It seems re-inviting to a guild RESETS daily limits; this is hugely exploitable.

I'm suggesting that the daily limit on a guild vault persists through leaving/rejoining, or even to have a system where new members must be authorized by at least 2 high-ranked members of the guild before certain access is allowed, such as guild bank access. Perhaps limit level 1 characters from sending mail/accessing guild banks or similar, or even add a layer of confirmation such as a text receive code or something when making a new account to prevent people using proxy throwaway accounts.

Please note this is not a rage or a cry that our guild was targeted, but rather looking at improving the tools we can use to prevent it happening in the future. I welcome any feedback, suggestions or blue posts regarding this issue. Currently waiting on a ticket response, asking if anything can be restored.
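The limit reset described in the post above, modelled as an added example (not part of the original thread and not the game's actual code): a daily counter stored on the membership record is lost when the member leaves, while a ledger keyed by character and day survives a rejoin. Class and function names are hypothetical; the 1000g cap is the figure from the post.

```python
from collections import defaultdict

DAILY_CAP_GOLD = 1000  # rank 3 cap quoted in the post

class MembershipScopedBank:
    """Flawed model: the daily counter lives on the membership record."""
    def __init__(self, gold):
        self.gold = gold
        self.members = {}  # character -> {day: gold withdrawn}

    def invite(self, character):
        self.members[character] = {}  # new record, so the counter starts at zero

    def leave(self, character):
        self.members.pop(character, None)  # counter is discarded with the record

    def _used(self, character, day):
        return self.members[character].get(day, 0)

    def _record(self, character, day, amount):
        self.members[character][day] = self._used(character, day) + amount

    def withdraw(self, character, amount, day):
        if character not in self.members:
            return 0  # not a member: no bank access
        room = DAILY_CAP_GOLD - self._used(character, day)
        allowed = max(0, min(amount, room, self.gold))
        self._record(character, day, allowed)
        self.gold -= allowed
        return allowed

class PersistentLedgerBank(MembershipScopedBank):
    """Fix suggested in the thread: the counter survives leaving and rejoining."""
    def __init__(self, gold):
        super().__init__(gold)
        self.ledger = defaultdict(int)  # (character, day) -> gold withdrawn

    def _used(self, character, day):
        return self.ledger[(character, day)]
    def _record(self, character, day, amount):
        self.ledger[(character, day)] += amount

def replay_rejoin_cycles(bank, character, cycles, day):  # sequence from the post
    taken = 0
    for _ in range(cycles):
        bank.invite(character)
        taken += bank.withdraw(character, DAILY_CAP_GOLD, day)
        bank.leave(character)
    return taken
```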
I was almost stopped from being an officer in a guild because I didn't have one of them authenticator deallies. But that's by the by anyways.
All 'they' need do is to make it, I dunno, about a week, before anyone could be promoted at all upon entering a guild. Problem solved. But like anything, messing around with the rules for guilds would be a bit of a non-starter, as people would handle it all differently. Why not just set up your guild so that someone can't promote anyone to an officer type rank where they can get money out?
The fact that reinviting seems to reset daily limits is definitely a big loophole and is surely an unintended effect of the system. Hopefully you'll have no problem getting the gold and items returned since that's obviously circumventing the restrictions you set in place. It's maybe worth submitting a bug report too as it definitely needs to be fixed. Good luck, hope it gets sorted quickly.
Móose Ouch! I had no idea that was possible, but that needs to be fixed asap. I think it's a loophole that makes it pretty impossible to protect your gb.
"I was almost stopped from being an officer in a guild because I didn't have one of them authenticator deallies. But that's by the by anyways."
That doesn't really solve it tbh. In most guilds (mine included) people get free guild repairs for a certain amount, let's say 200 or so gold per day. This includes members ofc. In order to have everyone eligible for this you must set up the gb/guild controls so that those people are entitled to withdraw the amount you want them to be able to use for repairs. If this loophole exists it means each normal member in my guild would be able to withdraw 200g over and over again until they can basically empty your gb.
Ooh, didn't know that, as I don't do the repairs thing. Even in guilds that allow it I pay my own way... Looking at it that way it seems like a bit of a flaw. But surely we would be best off asking how GMs can protect their own guilds first, with the settings available to them. As you don't want your guild bank emptied while someone at Blizz reads this, thinks it's enough of a problem and 'gets round' to implementing some fix or other.
Edited by Dumpey on 24/04/12 22:25 (BST)
"That doesn't really solve it tbh. In most guilds (mine included) people get free guild repairs for a certain amount, let's say 200 or so gold per day. This includes members ofc."
Yeah true, the only solution we have atm is to take away the right to promote people, from members and even officers, until this is fixed. So: you don't give your initiates the right to withdraw money/use repairs, and for now none but the GM can promote someone to member. That way they can join as initiate as much as they want, but not withdraw anything. ;)
My guild bank is for storage for me and a few IRL friends, it has no money in. That's why I didn't know about repairs counting towards 'withdrawals'. :o(
In my guild officers are required to have an authenticator to avoid these problems. It's not like they cost a fortune.
To combat this and not have to force every officer to get an authenticator (which is still a good idea as mentioned before) I made two separate officer ranks, one for with and one without an authenticator. Only the higher of the two can withdraw a significant amount, the other only a small number of gold/stacks. Since you cannot promote anyone to the same rank or higher than you are, this stops your problem completely.
Btw, about the guild repair. Why does it matter? They can only directly pay repairs in the UI, not withdraw gold as far as I know? No point for a hacker to go and damage/repair gear over and over? PS: I have read that it is possible, but myself never knew anyone ingame that got hacked with an authenticator. Small investment (if any) for solid security.
Edited by Dumpey on 29/04/12 17:42 (BST)
"To combat this and not have to force every officer to get an authenticator (which is still a good idea as mentioned before) I made two separate officer ranks, one for with and one without an authenticator. Only the higher of the two can withdraw a significant amount, the other only a small number of gold/stacks. Since you cannot promote anyone to the same rank or higher than you are, this stops your problem completely."
But that doesn't solve the problem for the many guilds that have guild repairs for members as well.
Yes they can. In order for people being able to use guild repairs, you have to manually add that they can withdraw that amount. So: if I put it that people can use guild repairs but not add that they can withdraw that amount, they can't use guild repairs. In the tab "rank permissions" you have to manually add both for people to be able to use repairs. So: if I want people being able to use 200g for guild repairs every day I also have to add they can withdraw that amount every day or it won't work. Tbh: WoW's guild controls are sad and limited and silly. But that's been pointed out in many threads before. ;)
I never realised guild repairs being equal to withdraw rights, that is very stupid design. And I agree totally, for a game with so much of its appeal in the social aspect/pve gameplay (I mean how it got big), the tools we have to manage these communities are extremely limited if you ask me.
Amen! And then there have been so many good suggestions over the past 3 years or so on this mb.. *sigh*
