Cavalary: since there's an option to log out on all devices
brouer: Which doesn't log out of my GOG Galaxy sessions, when I try it.
My gogrepo.py session is closed, though, as well as my logged in browsers.
I'd call that a pretty serious bug :/
timppu: I don't think it depends at least primarily on your IP address?
herbertfilby: I logged in to my browser and needed a pin, and then logged into Galaxy and it asked for a pin too, same IP.
Yeah, that's because your Galaxy client doesn't use the cookies that your browser does. Same happens if you log in from the same PC with two different browsers.


Treasure: I'm not certain however what you mean that they wouldn't be able to lock me out of my account - if they somehow guessed the password and then changed it they could - and the problem with that would mainly be that I haven't got everything downloaded and backed up (around 25% of my games are of bigger size and thus not downloaded yet) so I'd be locked out of those purchases at the very least...
I was talking about if GOG had two-step verification separately for changing email and/or password, which is the common way on all other web sites I know. Then they couldn't change your email nor your password, even if they were logged in as you on e.g. that university lab PC where you forgot to log out. They would still need to get another verification code from your email before they got changed.

Currently GOG doesn't require any verification for changing email or the password, which is silly.
Post edited September 18, 2016 by timppu
brouer: Which doesn't log out of my GOG Galaxy sessions, when I try it.
My gogrepo.py session is closed, though, as well as my logged in browsers.
Cavalary: I'd call that a pretty serious bug :/
Yup. A function to "log out all sessions" should do just that, regardless of which client the session belongs to, otherwise the function is entirely useless.
brouer: Which doesn't log out of my GOG Galaxy sessions, when I try it.
My gogrepo.py session is closed, though, as well as my logged in browsers.
Cavalary: I'd call that a pretty serious bug :/
That option is only made for browsers. Definitely not for Galaxy. You have to log out manually out of Galaxy.
Post edited September 18, 2016 by Matruchus
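The disagreement above (does "log out of all devices" cover only browsers, or every client?) comes down to where the revocation state lives. The following is an added illustration written for this thread, not GOG's code, and it assumes nothing about how GOG or Galaxy actually store sessions: a single per-account "session epoch" is kept server-side, every token records the epoch current at login regardless of which client asked for it, and "log out everywhere" bumps the epoch so that all older tokens fail on their next use. The client labels ("browser", "desktop-client", "script") and the user name are constructed.

```python
"""Account-wide session revocation that is independent of client type.

Added example for the forum discussion; not GOG's code. The per-account
epoch counter is an assumed design, not a description of GOG's servers.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    token: str
    user: str
    client: str        # constructed labels: "browser", "desktop-client", "script"
    epoch: int         # account epoch at the moment the token was issued
    issued_at: float


@dataclass
class SessionStore:
    epochs: dict = field(default_factory=dict)     # user -> current epoch
    sessions: dict = field(default_factory=dict)   # token -> Session

    def login(self, user: str, client: str) -> str:
        """Issue a token bound to the account's current epoch."""
        epoch = self.epochs.setdefault(user, 0)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user, client, epoch, time.time())
        return token

    def is_valid(self, token: str) -> bool:
        """A token is live only while its epoch equals the account's epoch."""
        s = self.sessions.get(token)
        return s is not None and s.epoch == self.epochs.get(s.user, 0)

    def logout_everywhere(self, user: str) -> None:
        """Revoke every session for the account, whatever client holds it."""
        self.epochs[user] = self.epochs.get(user, 0) + 1

    def logout_browsers_only(self, user: str) -> None:
        """The weaker behaviour the thread complains about: browser sessions
        are dropped, other clients stay logged in."""
        for tok, s in list(self.sessions.items()):
            if s.user == user and s.client == "browser":
                del self.sessions[tok]

    def live_clients(self, user: str) -> list:
        """Which client types still hold a usable session for the account."""
        return sorted(s.client for s in self.sessions.values()
                      if s.user == user and self.is_valid(s.token))


def demo() -> tuple:
    """Compare the two logout behaviours on one constructed account."""
    store = SessionStore()
    for client in ("browser", "desktop-client", "script"):
        store.login("alice", client)
    store.logout_browsers_only("alice")
    after_partial = store.live_clients("alice")   # desktop-client and script survive
    store.logout_everywhere("alice")
    after_full = store.live_clients("alice")      # nothing survives
    return after_partial, after_full


def relogin_after_revoke() -> bool:
    """A fresh login after a full revocation gets the new epoch and is valid."""
    store = SessionStore()
    old = store.login("bob", "script")
    store.logout_everywhere("bob")
    new = store.login("bob", "browser")
    return (not store.is_valid(old)) and store.is_valid(new)


if __name__ == "__main__":
    print(demo(), relogin_after_revoke())
```

Because the check happens at validation time rather than by deleting tokens, the scheme does not need to know which clients exist: any token minted before the bump is dead, including ones held by a script the server never enumerated.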
timppu: I don't think it depends at least primarily on your IP address? I thought it was about cookies. If you let those different browsers on different PCs to keep the cookies, then I think it should let you log in without the extra authentication. [...]
Keeping your (GOG) cookies is not enough, at least not on Firefox. Using the same browser, the same PC, the same IP, and keeping my (GOG) cookies, it still asks for a 4-digit authentication code at every log in.



Matruchus: That option is only made for browsers. Definitely not for Galaxy. You have to log out manually out of Galaxy.
I wonder what those two Galaxy related cookies I can see in my browser are about.
I was actually wondering:

It looks like GOG is storing our IP address. (not bothered with it)

Why is the 2-step system not working differently?

You create an account, tie it to an email and IP-address.

Like Treasure mentioned, people use different PCs for this. BUT why not make sure, via verification through the first one, that this is a legit attempt? More or less what you shall do on your WAN network as well?

So you log onto a new device, the original will get an email asking for verification and if not answered, the device will NOT be authorised?

This way, nobody would be able to hack anything.

For comparison, if you do MAC on your home network as well, it makes it rather hard for anyone to get onto the network.....even without password ;)
timppu: I was talking about if GOG had two-step verification separately for changing email and/or password, which is the common way on all other web sites I know. Then they couldn't change your email nor your password, even if they were logged in as you on e.g. that university lab PC where you forgot to log out. They would still need to get another verification code from your email before they got changed.

Currently GOG doesn't require any verification for changing email or the password, which is silly.
Ah ok. Yes, they should probably implement something like that, as I'm not the kind of person that regularly changes emails or passwords, so if I saw such an email I'd be certain that somebody else tried to do so. I also already clarified that I personally always log out of stuff - I'm not even logged in to my google profile on Chrome, as I don't see the need for that - but since you were talking about a hypothetical situation where I could hypothetically forget to log out both of gog and of the computer session, well, in such a case of absentmindedness, an implementation of such a policy would certainly be helpful.

HypersomniacLive: Keeping your (GOG) cookies is not enough, at least not on Firefox. Using the same browser, the same PC, the same IP, and keeping my (GOG) cookies, it still asks for a 4-digit authentication code at every log in.
That's useful to know. Gog always seemed to be implemented better for Chrome rather than Firefox, but I still wouldn't want the possibility to be asked for the 4-digit code every time, even if nothing had changed in regard to IP and cookies...

Goodaltgamer: Like Treasure mentioned, people use different PCs for this. BUT why not make sure, via verification through the first one, that this is a legit attempt? More or less what you shall do on your WAN network as well?

So you log onto a new device, the original will get an email asking for verification and if not answered, the device will NOT be authorised?

This way, nobody would be able to hack anything.

For comparison, if you do MAC on your home network as well, it makes it rather hard for anyone to get onto the network.....even without password ;)
Do you mean that gog should detect if the new device is connected to the same wireless network (WLAN) and if yes, not make a fuss about it? Well, that would work on computers used in the same space (e.g. a house) - I thus wonder what would happen if someone took a device with a given IP, already tested on his home's WLAN, somewhere else (e.g. a coffee shop) - would gog detect a different wifi network and ask for 2-step authentication again?

And when you say "the original will get an email", you mean the original device? If yes, firstly webmail services (as are Gmail and Outlook.com) are independent of devices and they generally do not throw a fuss if someone logs in from a different device, and secondly one would need to bring with him several devices when he goes out - e.g. if he went to the computer lab of his university, he would also need his laptop - a desktop would certainly be impossible to carry, so it's obvious that if the original device was a desktop there would be a serious problem - which would at the very least be an inconvenience. I'm pretty certain there's a lost-in-translation issue here though...
Post edited September 18, 2016 by Treasure
Treasure: Do you mean that gog should detect if the new device is connected to the same wireless network (WLAN) and if yes, not make a fuss about it? Well, that would work on computers used in the same space (e.g. a house) - I thus wonder what would happen if someone took a device with a given IP, already tested on his home's WLAN, somewhere else (e.g. a coffee shop) - would gog detect a different wifi network and ask for 2-step authentication again?

And when you say "the original will get an email", you mean the original device? If yes, firstly webmail services (as are Gmail and Outlook.com) are independent of devices and they generally do not throw a fuss if someone logs in from a different device, and secondly one would need to bring with him several devices when he goes out - e.g. if he went to the computer lab of his university, he would also need his laptop - a desktop would certainly be impossible to carry, so it's obvious that if the original device was a desktop there would be a serious problem - which would at the very least be an inconvenience. I'm pretty certain there's a lost-in-translation issue here though...
No, I meant if GOG would be using the same principle ;)

And different devices? If you have access to the original email on the new device?

OK, I try to rephrase:

You use PCA and Email A (EMA, the abbreviation I wanted to use before, I didn't like ;) )
You move to PCB and, still having access to EMA, you try to log in on PCB. GOG would send EMA an email, yes or no. If EMA says yes, PCB would be added to the list and so on.

If you would have no access (within a certain time frame) the request would be discarded. Similar to MAC addresses on LAN/WLAN. You always need a trusted source to confirm, hence my analogy ;)

And getting both EMA AND/OR PCA being hacked at the same time is not so likely for the normal hacking......

Not a translation issue ;) just assuming too much ;)

EDIT: ok, if somebody would hack EMA, he would have a free go, but that is also the case in the moment, or?
Post edited September 18, 2016 by Goodaltgamer
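The scheme in the post above (PCA already trusted, PCB asks, EMA confirms within a time frame or the request is discarded) can be written down as a small state machine. The code below is an added example for this thread, not GOG's code, and it does not claim to describe how GOG's 2-step login works. The device names PCA, PCB and the mailbox EMA follow the post; the confirmation window, the guess limit and the six-digit code format are assumptions. The code is returned to the caller here in place of actually being emailed.

```python
"""Device-trust enrolment confirmed through a trusted mailbox, with expiry.

Added example for the forum thread; not GOG's code. Window, guess limit and
code format are assumed values.
"""
import hmac
import secrets
from dataclasses import dataclass

CONFIRM_WINDOW_SECONDS = 15 * 60   # assumed confirmation window
MAX_CODE_ATTEMPTS = 5              # assumed guess limit per pending request


@dataclass
class PendingRequest:
    user: str
    device_id: str
    code: str
    expires_at: float
    attempts_left: int = MAX_CODE_ATTEMPTS


class DeviceTrust:
    def __init__(self):
        self.trusted = {}   # user -> set of trusted device ids
        self.pending = {}   # (user, device_id) -> PendingRequest

    def login(self, user: str, device_id: str, now: float):
        """("ok", None) for a trusted device; ("pending", code) for an unknown
        one. The code would go to EMA, never to the device asking (PCB)."""
        if device_id in self.trusted.get(user, set()):
            return "ok", None
        # A new request replaces any older one so only one live code exists.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[(user, device_id)] = PendingRequest(
            user, device_id, code, now + CONFIRM_WINDOW_SECONDS)
        return "pending", code

    def confirm(self, user: str, device_id: str, code: str, now: float) -> bool:
        """Trust the device only for a correct code inside the window."""
        key = (user, device_id)
        req = self.pending.get(key)
        if req is None:
            return False
        if now > req.expires_at:
            del self.pending[key]          # discarded, as the post proposes
            return False
        if not hmac.compare_digest(req.code, code):
            req.attempts_left -= 1          # a short code needs a guess limit
            if req.attempts_left <= 0:
                del self.pending[key]
            return False
        del self.pending[key]
        self.trusted.setdefault(user, set()).add(device_id)
        return True


def scenario() -> dict:
    """Walk PCA and PCB through the flow on a constructed clock."""
    dt = DeviceTrust()
    t0 = 1_000_000.0
    first_pca, code_a = dt.login("user", "PCA", t0)
    dt.confirm("user", "PCA", code_a, t0 + 60)
    pca_again, _ = dt.login("user", "PCA", t0 + 120)
    first_pcb, code_b = dt.login("user", "PCB", t0 + 200)
    late = dt.confirm("user", "PCB", code_b, t0 + 200 + CONFIRM_WINDOW_SECONDS + 1)
    _, code_b2 = dt.login("user", "PCB", t0 + 2000)
    wrong_guess = "000000" if code_b2 != "000000" else "999999"
    wrong = dt.confirm("user", "PCB", wrong_guess, t0 + 2010)
    ok = dt.confirm("user", "PCB", code_b2, t0 + 2020)
    pcb_again, _ = dt.login("user", "PCB", t0 + 3000)
    return {"first_pca": first_pca, "pca_after_confirm": pca_again,
            "first_pcb": first_pcb, "late_confirm": late, "wrong_code": wrong,
            "confirm_in_window": ok, "pcb_after_confirm": pcb_again}


if __name__ == "__main__":
    print(scenario())
```

The post's own EDIT already names the limit of the design: whoever controls EMA can approve any device, so the mailbox is the real root of trust and deserves at least as much protection as the account it vouches for.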
Goodaltgamer: No, I meant if GOG would be using the same principle ;)

And different devices? If you have access to the original email on the new device?

OK, I try to rephrase:

You use PCA and Email A (EMA, the abbreviation I wanted to use before, I didn't like ;) )
You move to PCB and, still having access to EMA, you try to log in on PCB. GOG would send EMA an email, yes or no. If EMA says yes, PCB would be added to the list and so on.

If you would have no access (within a certain time frame) the request would be discarded. Similar to MAC addresses on LAN/WLAN. You always need a trusted source to confirm, hence my analogy ;)

And getting both EMA AND/OR PCA being hacked at the same time is not so likely for the normal hacking......

Not a translation issue ;) just assuming too much ;)

EDIT: ok, if somebody would hack EMA, he would have a free go, but that is also the case in the moment, or?
Well, if I understood correctly, what you say is (probably) what is already happening with 2-step. I only have experience with Humble Bundle's method, so I'll use that as an example - let's say I log in to Humble from a different device. Upon my login Humble says something like "We detected you logged in from a different device. Paste the 5-digit code we'll send to your email here - below is a space to fill in and confirm so that we know everything's fine" (well, they don't say this, but that's the gist of it). I then go to the login screen of my email provider, type in my email/username and password, log in and see their email in my inbox. I copy said code and paste it and then click confirm, and only after all that I'll be able to access my Humble Bundle account. Gog probably uses something similar, but anyway, this is quite a long-winded method, and I end up getting annoyed every time Humble does this (in order to not get too annoyed I see where they think I am geographically in their email and I'm usually like "Hah! They thought I'm in the wrong city!" and feel all smart and stuff). In short, your thinking is already being applied, at least by some services, but it ends up being annoying for people that semi-regularly log in from other devices...
Treasure: Well, if I understood correctly, what you say is (probably) what is already happening with 2-step. I only have experience with Humble Bundle's method, so I'll use that as an example - let's say I log in to Humble from a different device. Upon my login Humble says something like "We detected you logged in from a different device. Paste the 5-digit code we'll send to your email here - below is a space to fill in and confirm so that we know everything's fine" (well, they don't say this, but that's the gist of it). I then go to the login screen of my email provider, type in my email/username and password, log in and see their email in my inbox. I copy said code and paste it and then click confirm, and only after all that I'll be able to access my Humble Bundle account. Gog probably uses something similar, but anyway, this is quite a long-winded method, and I end up getting annoyed every time Humble does this (in order to not get too annoyed I see where they think I am geographically in their email and I'm usually like "Hah! They thought I'm in the wrong city!" and feel all smart and stuff). In short, your thinking is already being applied, at least by some services, but it ends up being annoying for people that semi-regularly log in from other devices...
I only use this one device, so no idea ;)

But yes, that is my idea. Again, as I said, I never logged in from another device, so no idea if this is happening.

You said: annoying for people. There could be an option to disable it, but if you decide you want to use it, you shall not be annoyed ;) Hey, you have locks on your doors, or? ;)

But with this method your GOG account shall be safe.

So could somebody confirm if this described method is being used by GOG?

It is, as usual, a question of balance. Security against 'annoyance (?)'. Couldn't think of a better word, laziness is too harsh ;). If you are for security, that's what you have to live with. The underlying problem is, from a user perspective, too many different layers and passwords involved.

First password to get onto the device, maybe even with username
second to get into the Internet (maybe)
third to access GOG
4th to access email
5th Humble or whatever.....

And the list goes on and on.....

In real world, you just have ONE key to get into your house/flat/whatever. Imagine having to use 5 keys for your home ;) The worst I ever had was three, front door and 2 for the door of the flat.
HypersomniacLive: Keeping your (GOG) cookies is not enough, at least not on Firefox. Using the same browser, the same PC, the same IP, and keeping my (GOG) cookies, it still asks for a 4-digit authentication code at every log in.
Odd, maybe I need to test it too. At least in Internet Explorer 11 it was enough that I didn't tell it to delete "cookies and website data". All others are checked (history, temporary internet files and website files etc.) and deleted when closing the browser, and the 2-step authentication is not triggered when I want to log into GOG again.
GOG should really take this seriously and issue statements to Russian Internal Affairs on every such case via its Russian staff. Because these f**ckers can be legally dealt with, if you have logs and solid proof.
Post edited September 18, 2016 by Lin545
Checked my email today: within the span of 5 hours, 6 different attempts from various places in Russia have tried to log into my account.

Changed my password as well.
My guess is these hackers are brute forcing passwords using GoG downloader. It doesn't require two factor authentication and doesn't utilize captcha regardless of how many times you enter a password. I also suspect GoG's solution to this is to remove the downloader completely as soon as Galaxy comes out of beta.
tremere110: My guess is these hackers are brute forcing passwords using GoG downloader. It doesn't require two factor authentication and doesn't utilize captcha regardless of how many times you enter a password. I also suspect GoG's solution to this is to remove the downloader completely as soon as Galaxy comes out of beta.
Does this mean gogrepo.py will also be affected? I hope not, because without that updating manually will be Sisyphean work. :(( But if what you think is true, they can add the grace period between each download attempt, can't they? Like 5-10 seconds should suffice.

I think this is somehow connected to GOG wallet, because most of the victims are from the USA. The account is useless, GOG easily restores the original owner, so the scumbags are not actually after the account, methinks.
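The concern in the last two posts is that a non-interactive client endpoint with no CAPTCHA and no second factor lets password guessing run unthrottled, and the proposed fix is a "grace period" of 5-10 seconds between attempts. The code below is an added example for this thread, not GOG's code, and it makes no claim about how the downloader, gogrepo.py or GOG's servers behave. It applies two server-side rules to a constructed stream of login attempts: a minimum spacing between attempts on one account and a temporary lockout after too many failures in a sliding window. Both are enforced per account on the server, so they hold whichever client speaks to the endpoint. The log format, account names, IP addresses and all thresholds are constructed.

```python
"""Per-account login throttling for an endpoint any client can call.

Added example for the forum thread; not GOG's code. Thresholds and the
sample log are constructed.
"""
from collections import defaultdict, deque

MIN_INTERVAL = 5.0   # seconds between attempts on one account (the thread's grace period)
MAX_FAILURES = 5     # failures tolerated inside WINDOW before a lockout (assumed)
WINDOW = 300.0       # sliding window in seconds (assumed)
LOCKOUT = 900.0      # lockout length in seconds (assumed)


class LoginThrottle:
    def __init__(self):
        self.last_attempt = {}               # account -> time of last allowed attempt
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> lockout expiry

    def check(self, account: str, ts: float) -> str:
        """Decide before the password is even verified: 'allow', 'too_fast' or 'locked'."""
        if self.locked_until.get(account, 0.0) > ts:
            return "locked"
        if ts - self.last_attempt.get(account, float("-inf")) < MIN_INTERVAL:
            # Rejected attempts do not move the clock, so a flood cannot
            # keep a legitimate user permanently 'too fast'.
            return "too_fast"
        self.last_attempt[account] = ts
        return "allow"

    def record(self, account: str, ts: float, success: bool) -> None:
        """Feed the outcome back; a success clears the failure window."""
        q = self.failures[account]
        if success:
            q.clear()
            return
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[account] = ts + LOCKOUT
            q.clear()


def process(log_lines) -> dict:
    """Run 'ts account ip result' lines through the throttle; count decisions."""
    th = LoginThrottle()
    counts = defaultdict(int)
    for line in log_lines:
        ts, account, _ip, result = line.split()
        decision = th.check(account, float(ts))
        counts[decision] += 1
        if decision == "allow":
            th.record(account, float(ts), result == "ok")
    return dict(counts)


# Constructed sample: a burst of failures against one account, one legitimate
# user elsewhere, and the real owner logging in after the lockout has expired.
SAMPLE_LOG = [
    "0 victim 203.0.113.5 fail",
    "2 victim 203.0.113.5 fail",       # inside the grace period -> too_fast
    "6 victim 203.0.113.9 fail",
    "12 victim 203.0.113.9 fail",
    "18 victim 198.51.100.7 fail",
    "24 victim 198.51.100.7 fail",     # fifth failure -> lockout until 924
    "30 victim 198.51.100.7 fail",     # locked
    "36 victim 198.51.100.7 fail",     # locked
    "40 bob 192.0.2.10 ok",            # unrelated account, unaffected
    "1000 victim 192.0.2.20 ok",       # owner, after the lockout expired
]

if __name__ == "__main__":
    print(process(SAMPLE_LOG))
```

The decision is taken before the credential is checked, so a guess that arrives too fast costs the server nothing beyond a dictionary lookup, and a lockout ends on its own rather than waiting for a CAPTCHA the client cannot render.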