Winston
|
Post subject: SRO base hacked - all accounts in danger ???? Posted: Tue Sep 26, 2006 10:24 pm |
|
Regular Member |
 |
 |
Joined: Apr 2006 Posts: 293 Location:
|
I just read globals from our server official helper saying that all people in game need to change their pw, and to not trade with the exchange system cuz there's some global hack that can make u send ur info to other people even if u dont want to.
Any one got any clue whats going on ???
Im going to change my pw but this is so strange!
_________________
1st = 67 / STR blade/fire/ice
2nd = 29 / INT spear/fire/light
QUIT Silkroad forever -
|
Hyori
|
Post subject: Posted: Tue Sep 26, 2006 10:36 pm |
|
Common Member |
 |
 |
Joined: Mar 2006 Posts: 165
|
A polish web-site is hosting 47 pages of login/name/character/servers/e-mail/country etc... that were obtained using the trade hack.
So yea... change your PW if you traded a Pol in the last month.
_________________
SILKROAD ALCHEMIST - we will never fall
Drink less HATERADE
|
XuChu
|
Post subject: Posted: Tue Sep 26, 2006 10:41 pm |
|
Advanced Member |
 |
 |
Joined: Apr 2006 Posts: 2429 Location: here
|
..... im scared now,i clicked on the link =((((
|
Chaud
|
Post subject: Posted: Tue Sep 26, 2006 10:45 pm |
|
Loyal Member |
 |
Joined: Apr 2006 Posts: 1950
|
This is bad. Another flaw once again. Good going Joymax!
_________________ <<banned from SRF for rules violations. -SG>>
|
JackB4u3r
|
Post subject: Posted: Tue Sep 26, 2006 10:56 pm |
|
Frequent Member |
 |
 |
Joined: Jun 2006 Posts: 1115 Location: Sarajevo
|
So you mean, if you have done trades using the Exchange, you can get hacked?
Whatever happened i changed my pass.
|
Suppaman
|
Post subject: Posted: Tue Sep 26, 2006 11:14 pm |
|
Frequent Member |
 |
 |
Joined: Jun 2006 Posts: 1346 Location:
|
whaaaa?!? are you serious? But i havent traded in the last month.
_________________
|
Flaps
|
Post subject: Posted: Tue Sep 26, 2006 11:23 pm |
|
Hi, I'm New Here |
 |
Joined: Sep 2006 Posts: 2 Location:
|
Bullshit.
There is one golden rule for programmers in any given MMO out there: Create as little internet traffic as possible as it costs the company money. So why give out account information during an intertoon trade?
Second Bullshit.
People get alarmed when there seems to be something called a security breach. They suddenly want to change their password, get a cookie, anything just to be safe.
On second thought, they want to talk about it, discuss it, and by making their fears public, they make themselves vulnerable.
Third Bullshit.
If you really believe SRO has been hacked to such an extent, think about the consequences. There would be no chance the servers would be up and working tomorrow, as it would throw the whole game system into disarray. Just wait and see.
Last Bullshit for tonight:
Yeah, server helpers, Silkies, whatever. Just compare the amount of authority and regulation in the SRO chat channels - let's say only global chat which could be monitored by one person easily for all our servers - to any other major MMORPG out there.
G'night pals from Tibet.
|
Stallowned
|
Post subject: Posted: Wed Sep 27, 2006 12:53 am |
|
Banned User |
 |
Joined: Feb 2006 Posts: 4561 Location: aeratadfer
|
Flaps wrote: Bullshit. There is one golden rule for programmers in any given MMO out there: Create as little internet traffic as possible as it costs the company money. So why give out account information during an intertoon trade?
Second Bullshit. People get alarmed when there seems to be something called a security breach. They suddenly want to change their password, get a cookie, anything just to be safe. On second thought, they want to talk about it, discuss it, and by making their fears public, they make themselves vulnerable.
Third Bullshit. If you really believe SRO has been hacked to such an extent, think about the consequences. There would be no chance the servers would be up and working tomorrow, as it would throw the whole game system into disarray. Just wait and see.
Last Bullshit for tonight: Yeah, server helpers, Silkies, whatever. Just compare the amount of authority and regulation in the SRO chat channels - let's say only global chat which could be monitored by one person easily for all our servers - to any other major MMORPG out there.
G'night pals from Tibet.
Bullshit of all time:
Your post. It makes no sense.
_________________ <<banned from SRF for rules violations. -SG>>
|
Th0m@$
|
Post subject: Posted: Wed Sep 27, 2006 1:14 am |
|
Common Member |
 |
Joined: Apr 2006 Posts: 138 Location:
|
If thats true Silkroad is Screwed.
_________________ Lvl - 4x
Str Blader
_____________
|
DragonTalon
|
Post subject: Posted: Wed Sep 27, 2006 1:32 am |
|
Loyal Member |
 |
 |
Joined: Jun 2006 Posts: 1764 Location:
|
Th0m@$ wrote: If thats true Silkroad is Screwed.
Just as i predicted....The SRO apocalypse....
_________________ DECEASED
|
Suppaman
|
Post subject: Posted: Wed Sep 27, 2006 2:15 am |
|
Frequent Member |
 |
 |
Joined: Jun 2006 Posts: 1346 Location:
|
lolz this is GunZ all over again.
_________________
|
DragonTalon
|
Post subject: Posted: Wed Sep 27, 2006 2:17 am |
|
Loyal Member |
 |
 |
Joined: Jun 2006 Posts: 1764 Location:
|
wow....gunz....never knew u guys heard of that game
_________________ DECEASED
|
Suppaman
|
Post subject: Posted: Wed Sep 27, 2006 2:22 am |
|
Frequent Member |
 |
 |
Joined: Jun 2006 Posts: 1346 Location:
|
SHOORE BUDDAY..
i knew about GunZ before i started SRO. i gotz to like 10-20(cant remember maybe 21) then the haX0rz wiped my account.
_________________
|
radeon
|
Post subject: Posted: Wed Sep 27, 2006 2:33 am |
|
Casual Member |
 |
 |
Joined: May 2006 Posts: 78 Location:
|
Prevention:
1. dun accept random trades and parties
-no proof yet (theoretically possible if gameguard is not present, since GG is so easy to bypass, i would advise believing it to prevent account theft)
2. dun buy stuff using trades
-still on testing
3. dun simply use the silkroadonline.net official site
-proven, but temporarily solved by joymax. It was first hacked by an indonesian hacker who hacks for fun. He informed joymax and joymax replied to him kindly.
original post (no link provided to avoid any further problems)
Kelemahan pada http://www.silkroadonline.net
(The weakness of silkroadonline.net)
Dear all friends and enemies,
Selain meniliti sedikit mengenai friendster, saya juga sempat meneliti mengenai http://www.silkroadonline.net website yang meruapakan official site untuk game online sRO (SilkRoadOnline) milik korea yang dapat dimainkan secara International. Kalau saya perhatikan game ini, juga sudah mulai mendapat cukup banyak perhatian dari para gamer Indonesia.
(After analyzing friendster in more detail, i had my chance to know more about silkroadonline.net, an official website for SRO, a korean international online game. I realise this game gets a lot of attention from indonesian gamers.)
Pada kesempatan kali ini, saya kembali ingin memberikan video tutorial berkenaan dengan celah keamanan berupa Cross-site Scripting pada situs game tersebut. Dan hal ini memungkinkan adanya Semi-Offensive Phising Attack yang mengatas namakan website tersebut.
(I would like to take this chance to show a tutorial using cross-site scripting on the official site. It will probably launch a semi-offensive phishing attack on the official site itself.)
Berikut adalah video-nya:.
(this is the video)
http://www.hellgeeks.org/SilkRoadOnline.rar (down link : dun worry)
Mungkin tidak terlalu penting dikarenakan data yang dapat di-gain hanyalah berupa data online pada website dan game tersebut saja, akan tetapi kita tidak bisa hanya melihat dari sebelah mata dikarenakan gamingpun sekarang ini sudah benar benar menjadi salah satu Industry besar di dunia IT, dan kemungkinan bahwa game bisa menghasilkan uang juga merupakan suatu hal yang perlu digaris bawahi berkenaan dengan kelemahan pada situs situs gaming international.
(Maybe it is not that important because the data obtained is online data for the game and website only, but from the other point of view, the gaming industry is becoming overwhelming in the global world of IT and maybe it is important to raise awareness of the weaknesses of all international gaming sites.)
Terima kasih~
(Thank you)
Shout to: KidChameleon, 8th-Heaven, Creepy, and Super_Babi
And also special words for Her
Salam,
(regards)
Th0R
Note: I'm not indonesian but i understand (a little bit of) their language.
Last edited by radeon on Wed Sep 27, 2006 2:41 am, edited 1 time in total.
|
Megalomaniac
|
Post subject: Posted: Wed Sep 27, 2006 5:33 am |
|
Veteran Member |
 |
 |
Joined: Jul 2006 Posts: 3132
|
Sorry but i didnt get the "Mungkin tidak" part (along with the rest of the post)
|
phulshof
|
Post subject: Re: SRO base hacked - all accounts in danger ???? Posted: Wed Sep 27, 2006 5:43 am |
|
Frequent Member |
 |
 |
Joined: Apr 2006 Posts: 1137 Location:
|
Winston wrote: I just read globals from our server official helper saying that all people in game need to change their pw, and to not trade with the exchange system cuz there's some global hack that can make u send ur info to other people even if u dont want to.
Any one got any clue whats going on ???
Im going to change my pw but this is so strange!
I don't believe a word of it. There's no sense to sending account information within the system during a trade, so I can't imagine why the GMs would have programmed something like that. More likely that some people with easy to guess passwords or perhaps a brute force password attempt got hacked. I don't think people like Athena_vn would still have their full SOS 8th degree SOS sets if it was that easy to hack the SRO database.
_________________ [88] Vivace Pure INT Bard/Cleric, Bard 88, Cleric 88
[83] Pinokkio Pure INT Force Nuker, Force 83, Cold 83, Lightning 83, Fire 60
[81] Sybian Pure INT KD Nuker, Bicheon 81, Cold 81, Lightning 81, Fire 60
|
radeon
|
Post subject: Posted: Wed Sep 27, 2006 5:52 am |
|
Casual Member |
 |
 |
Joined: May 2006 Posts: 78 Location:
|
Megalomaniac wrote: Sorry but i didnt get the "Mungkin tidak" part (along with the rest of the post)
i did try my best to translate... =) cos i'm not that familiar with some of the words..
phulshof wrote: I don't believe a word of it.
not directly from the database. GameGuard is supposed to do its job, but a lot of elites out there know how to bypass it and can release that to the public, which resulted in a lot of hacking tools that can be used, which leads to the problem u mention.
Last edited by radeon on Wed Sep 27, 2006 5:56 am, edited 1 time in total.
|
Sutaseyu
|
Post subject: Posted: Wed Sep 27, 2006 5:56 am |
|
Common Member |
 |
 |
Joined: Sep 2006 Posts: 116 Location:
|
This thread was started in response to the Globals i sent out on Babel today. I have asked other SA's on the other servers to do the same thing. I have received reports, over the last two weeks, very slowly at first, of a trade hack.
This type of hack was present in the last mmo that I played in - we were expecting it to arrive on SRO, and in fact it took longer than I would have thought. The "big talkers" above may say all they please. The fact is, there is a hack, and it began 2 weeks ago when the opportunity in the coding presented itself. (hopefully the little grey cells will start to stimulate here lolz)
The best defense to this is yes, change your password. Unless you can remember if you accepted a random invite to a party from a stranger or not, and are sure you haven't purchased anything via trading another character...then just err on the side of caution. Do not trade with another character, and do not accept those spammed party invites that we are receiving in Hotan atm.
I presented all of the information that I have to Gargamel the moment he rolled on to MSN today lol. I think it was 6 a.m in Korea - nice wake up call xD. They are investigating, but sadly are a little doubtful atm. If you have been hacked via this method, or know more about it please leave me a message here or pm me ingame on Babel. IF you have been hacked by this manner you *must* fill out a bug report, it's imperative. Hope this helps.
Edit: BTW we found some of the hacks on the internet - forgot to mention that :p - so if you still doubt it exists...go trade a noob or accept a party invite ^^
_________________ Lvl 70 Nuker Babel
Silk Assistant Extraordinaire
Last edited by Sutaseyu on Wed Sep 27, 2006 6:08 am, edited 1 time in total.
|
XuChu
|
Post subject: Posted: Wed Sep 27, 2006 6:01 am |
|
Advanced Member |
 |
 |
Joined: Apr 2006 Posts: 2429 Location: here
|
dam betta n0t d3lay "maconha hunt"
|
Ezeckiel
|
Post subject: Posted: Wed Sep 27, 2006 10:57 am |
|
Regular Member |
 |
 |
Joined: Apr 2006 Posts: 218 Location:
|
JM policy has always been to ignore any complaints about hacked character. Will they revise their position if the problem comes from a security breach due to them ?
Second question : is there a risk with stall ?
BTW Suta, thanks for information. please do come back if you know more
_________________ Ezeckiel Lvl5x - hybrid 2:1 INT Fire Sword
_____________________________________
|
Chris_Chaud
|
Post subject: Posted: Wed Sep 27, 2006 11:30 am |
|
Hi, I'm New Here |
 |
Joined: Apr 2006 Posts: 9
|
Ezeckiel wrote: JM policy has always been to ignore any complaints about hacked character. Will they revise their position if the problem comes from a security breach due to them ?
Second question : is there a risk with stall ?
BTW Suta, thanks for information. please do come back if you know more
There isn't a risk with stalling. Suta learned the info from someone else.
|
Chaby
|
Post subject: Posted: Wed Sep 27, 2006 11:45 am |
|
Frequent Member |
 |
Joined: Apr 2006 Posts: 1468
|
I changed my pw now, and can log in to the game. Says the id or pw are wrong. I can log in on site, but not on game.
edit: i logged in, guess i made pw too long
_________________ <<banned from SRF for bot admission. -SG>>
|
Sroge
|
Post subject: Posted: Wed Sep 27, 2006 1:32 pm |
|
Regular Member |
 |
Joined: Jul 2006 Posts: 203
|
Sutaseyu wrote: Edit: BTW we found some of the hacks on the internet - forgot to mention that :p - so if you still doubt it exists...go trade a noob or accept a party invite ^^
Your claims are full of shit, no such info gets sent in any type of exchange, party invite, stall, etc, etc. I play on Athens, i have 80m banked and 52 SoS Message me privately in this forum we will set up a time and place on Athens server i'll do any type of exchange, party you want, if you can hack my account you can have the damn thing. Until then shut up or put up. False claims like this need to be a bannable offense.
|
Chaud
|
Post subject: Posted: Wed Sep 27, 2006 1:40 pm |
|
Loyal Member |
 |
Joined: Apr 2006 Posts: 1950
|
Sroge wrote: Sutaseyu wrote: Edit: BTW we found some of the hacks on the internet - forgot to mention that :p - so if you still doubt it exists...go trade a noob or accept a party invite ^^
Your claims are full of shit, no such info gets sent in any type of exchange, party invite, stall, etc, etc. I play on Athens, i have 80m banked and 52 SoS Message me privately in this forum we will set up a time and place on Athens server i'll do any type of exchange, party you want, if you can hack my account you can have the damn thing. Until then shut up or put up. False claims like this need to be a bannable offense.
You realize this is an SA. Suta isnt going to try/doubtful that they know how to do it. The trade hack is where the 48 pages of logins came from. Every time you go to hotan in the past few days there is trade / pt spam.
Come back when you have proof it doesnt exist.
_________________ <<banned from SRF for rules violations. -SG>>
|
sLyFoX
|
Post subject: Posted: Wed Sep 27, 2006 1:49 pm |
|
Common Member |
 |
Joined: Feb 2006 Posts: 159 Location:
|
Sroge wrote: Sutaseyu wrote: Edit: BTW we found some of the hacks on the internet - forgot to mention that :p - so if you still doubt it exists...go trade a noob or accept a party invite ^^
Your claims are full of shit, no such info gets sent in any type of exchange, party invite, stall, etc, etc. I play on Athens, i have 80m banked and 52 SoS Message me privately in this forum we will set up a time and place on Athens server i'll do any type of exchange, party you want, if you can hack my account you can have the damn thing. Until then shut up or put up. False claims like this need to be a bannable offense.
yeh you see i kinda doubt the silk road assistant is gonna hack your account even for kicks..
EDIT: ahh chaud i didnt see your post when i made mine 
_________________ CharacteR: Thoth (Pluto Server) LeveL: 50 JoB:Trader (4) GuilD: Dark_Legion(lv4) BuilD:Pure INT Wizard/Bard
|
Jeronimo
|
Post subject: Posted: Wed Sep 27, 2006 2:02 pm |
|
Active Member |
 |
 |
Joined: Feb 2006 Posts: 670 Location: Hell
|
Sroge
|
Post subject: Posted: Wed Sep 27, 2006 2:23 pm |
|
Regular Member |
 |
Joined: Jul 2006 Posts: 203
|
chaud wrote: Sroge wrote: Sutaseyu wrote: Edit: BTW we found some of the hacks on the internet - forgot to mention that :p - so if you still doubt it exists...go trade a noob or accept a party invite ^^
Your claims are full of shit, no such info gets sent in any type of exchange, party invite, stall, etc, etc. I play on Athens, i have 80m banked and 52 SoS Message me privately in this forum we will set up a time and place on Athens server i'll do any type of exchange, party you want, if you can hack my account you can have the damn thing. Until then shut up or put up. False claims like this need to be a bannable offense. You realize this is an SA. Suta isnt going to try/doubtful that they know how to do it. The trade hack is where the 48 pages of logins came from. Every time you go to hotan in the past few days there is trade / pt spam. Come back when you have proof it doesnt exist.
48 pages of logins came from a keylogger. Thats not hard to figure out =). Like i said before, i'm willing to put my account on the line. If you or anyone else think they can hack it over a trade or party invite let me know i'll meet you in game.
|
Sutaseyu
|
Post subject: Posted: Wed Sep 27, 2006 2:36 pm |
|
Common Member |
 |
 |
Joined: Sep 2006 Posts: 116 Location:
|
Well as utterly "valiant" as your ignoramousnosity appears, your lack of attention to the printed word is stunning. Let's go through a couple of things. A) Yes, it took us less than two minutes searching to find both a list, and the information on how the hack works and is being used. B) only an utter MORON would install anything from a hack site on their computer C) i am not an utter moron D) henceforth, the hack is not installed on my computer E) I found the final proof of this hack and an absolutely new one out at 5 a.m. KST and waited for Gargamel to wake up (which was approximately 6:15 AM KST) and immediately reported and E) SRO has *never* once posted one of the scams, hacks and issues we have found. They have always been just quietly corrected.
While everyone absolutely has the right to be wary of things they read, bear in mind what this post is asking you to do. Is it asking you to share your user/pass? Or email your pass to Bulgaria? Or drink Iced Tea upside down on a rollercoaster? No? The failsafe from this point is to do 3 things: change your pwd, disable trade/party requests, and stop accepting random party/trade requests.
You may and should do whatever you please. That is absolutely your right. But resist flaming just so that you can be party to the post, should you have nothing of real substance to ask. And as a final note, one of your SA's on Troy is naked atm. If you think it can't happen to you... ask your SA. He's a great, helpful, hard working guy who has been absolutely cleaned out. Nuff said yah?
_________________ Lvl 70 Nuker Babel
Silk Assistant Extraordinaire
|
Sroge
|
Post subject: Posted: Wed Sep 27, 2006 2:55 pm |
|
Regular Member |
 |
Joined: Jul 2006 Posts: 203
|
Honestly, i'm not flaming or trying to argue. All i am saying is no type of account info is sent while you're in game. By that i mean account ID or password.
If someone downloads a 3rd party program then yes their info can be stolen by the 3rd party program. People cannot hack your character while you're in game by any type of action.
|