You haven't said the most important thing everyone here needs to know: Did you get to sleep with XiaoZhuzi's wife/girlfriend during the time you were in his shoes?

With that joke out of the way, let's be serious here. This is a major issue, hopefully contained to Chinese customers only but scary nonetheless. Just out of curiosity, the second time it happened to you did you find yourself in a Chinese account again? Or at least one that "claimed" to be from China?

I will keep an eye on this thread for new developments. Unfortunately erratic errors like these are not only hard to reproduce and debug but also almost impossible to deem solved. Just the absence of new instances of identity swap for weeks or even months would not be enough to declare the bug fixed.
Post edited August 02, 2019 by joppo
fronzelneekburm:
joppo: You haven't said the most important thing everyone here needs to know: Did you get to sleep with XiaoZhuzi's wife/girlfriend during the time you were in his shoes?

With that joke out of the way, let's be serious here. This is a major issue, hopefully contained to Chinese customers only but scary nonetheless. Just out of curiosity, the second time it happened to you did you find yourself in a Chinese account again? Or at least one that "claimed" to be from China?

I will keep an eye on this thread for new developments. Unfortunately erratic errors like these are not only hard to reproduce and debug but also almost impossible to deem solved. Just the absence of new instances of identity swap for weeks or even months would not be enough to declare the bug fixed.
Joking reply: I would much rather like to gain access to a good looking celeb's private phone files/etc and be able to see their private photos like in the f***ening from years back. Ah, the mammaries.
GameRager: Joking reply: I would much rather like to gain access to a good looking celeb's private phone files/etc and be able to see their private photos like in the f***ening from years back. Ah, the mammaries.
If Gog were to mess up in that sense you probably would be subjected to very close faceshots of Cher, Rosie O'Donnel and Sarah Jessica Parker and nudes of Al Pacino, Danny DeVito and Mickey Rourke. More than enough to scar you for life. There is not enough brain bleach in the world.

EDIT: I forgot the wraith that haunts the Palace of Buckingham a.k.a. Camilla Parker-Bowles. She has a horse's face, if you pick the ugliest horse you can think of.

/derailment
Post edited August 02, 2019 by joppo
GameRager: Joking reply: I would much rather like to gain access to a good looking celeb's private phone files/etc and be able to see their private photos like in the f***ening from years back. Ah, the mammaries.
joppo: If Gog were to mess up in that sense you probably would be subjected to very close faceshots of Cher, Rosie O'Donnel and Sarah Jessica Parker and nudes of Al Pacino, Danny DeVito and Mickey Rourke. More than enough to scar you for life. There is not enough brain bleach in the world.

/derailment
To be fair I used to like how Cher used to look years back....oh wells.

/derailmentizement
joppo: Just out of curiosity, the second time it happened to you did you find yourself in a Chinese account again? Or at least one that "claimed" to be from China?
It's kind of implied in the mail I sent to support/chandra. It was definitely a Chinese account since the "Topics I've participated in" tab showed a Chinese-language thread.

joppo: I will keep an eye on this thread for new developments. Unfortunately erratic errors like these are not only hard to reproduce and debug but also almost impossible to deem solved.
I wouldn't hold my breath for any startling new developments. The chapter is more or less closed (the support ticket is marked as solved, which pretty much makes it official). And credit where credit is due, gog did implement a fix that should prevent anyone from doing any harm. It's still messy, but it's better than nothing.
fronzelneekburm: … I said it may have been possible that I was at some point using the same public Wifi as the other guy (but that's just my theory).
This really seems to be the culprit, if I read this aright. The previous user/s must have opted to remain logged into Gog, and then when you selected the Universal Resource Location [gog.com] you were automatically given access to the previous credentials.

… Or else there is a huge exploitable hole in the whole Chinese link of the interwebs. :O
scientiae: This really seems to be the culprit, if I read this aright. The previous user/s must have opted to remain logged into Gog, and then when you selected the Universal Resource Location [gog.com] you were automatically given access to the previous credentials.
This is not at all how it should work though. GOG's servers should never pass your credentials to some other user. Whether you're on a public wifi or not should be of no consequence.
Post edited August 06, 2019 by clarry
scientiae: This really seems to be the culprit, if I read this aright. The previous user/s must have opted to remain logged into Gog, and then when you selected the Universal Resource Location [gog.com] you were automatically given access to the previous credentials.
clarry: This is not at all how it should work though. GOG's servers should never pass your credentials to some other user. Whether you're on a public wifi or not should be of no consequence.
Yeah but … if I log off my (home) network, then log back on, without closing the browser/s —— as probably happened here —— then it is quite reasonable for Gog (or whatever server) to re-connect without a lot of credential to-and-fro. It's not the absolute safest method, but … I'd more blame the internet cafe (do they still have those?) or whatever was hosting the public access point. Or am I missing something?
Hack my acc :P
clarry: This is not at all how it should work though. GOG's servers should never pass your credentials to some other user. Whether you're on a public wifi or not should be of no consequence.
scientiae: Yeah but … if I log off my (home) network, then log back on, without closing the browser/s —— as probably happened here —— then it is quite reasonable for Gog (or whatever server) to re-connect without a lot of credential to-and-fro.
You logged back on, right? That's all the credential to-and-fro it takes. They should never send any account specific data your way if you're not logged on.

It's not the absolute safest method, but … I'd more blame the internet cafe (do they still have those?) or whatever was hosting the public access point. Or am I missing something?
No web server should ever send any account specific data over to any client that hasn't demonstrated they're the rightful recipient. That's what session cookies are for, and that's why connections are encrypted so that you can do your banking securely over public wifi, cafes, hotels, and the whole unencrypted-at-core internet. The cafe is blameless, unless they actively attacked you by MITMing the encrypted connection (but that should fire off massive security risk warnings on any half modern browser).

The cafe should be unable to read your session cookie or password. If they have a misconfigured router that somehow sends traffic to the wrong computer, that's still no problem because the wrong computer is unable to decrypt said traffic. This sort of stuff is pretty much the basis of web security.
Post edited August 14, 2019 by clarry
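Clarry's point above, that a server attributes a request to an account only through the session cookie the client itself presents and never through the network it arrives from, as an added Python illustration (example code written for this thread, not anything from GOG; the session store and the shared cafe IP address are constructed):

```python
import secrets
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "sid"
CAFE_IP = "203.0.113.7"  # constructed value: the public address two cafe clients share via NAT


class SessionStore:
    """Minimal server-side session store: opaque random token -> account name."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, username: str) -> str:
        # 256-bit random token, unique per login and infeasible to guess
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def resolve(self, cookies: Dict[str, str], remote_ip: str) -> Optional[str]:
        # remote_ip is deliberately not consulted: two clients behind one NAT
        # address must never be confused with each other.
        token = cookies.get(SESSION_COOKIE)
        if token is None:
            return None  # no cookie: anonymous, serve no account data
        return self._sessions.get(token)  # unknown or revoked token: anonymous


def shared_wifi_scenario() -> Tuple[Optional[str], Optional[str]]:
    """First client logs in and never logs out; second client on the same
    public IP sends no cookie. Returns who the server sees for each request."""
    store = SessionStore()
    token = store.login("XiaoZhuzi")
    first = store.resolve({SESSION_COOKIE: token}, CAFE_IP)
    second = store.resolve({}, CAFE_IP)
    return first, second


def forged_token_scenario() -> Optional[str]:
    """A client on the same IP presents a random token of its own: still anonymous."""
    store = SessionStore()
    store.login("XiaoZhuzi")
    return store.resolve({SESSION_COOKIE: secrets.token_urlsafe(32)}, CAFE_IP)


def logout_scenario() -> Optional[str]:
    """After logout the old token is revoked even though the client still holds the cookie."""
    store = SessionStore()
    token = store.login("XiaoZhuzi")
    store.logout(token)
    return store.resolve({SESSION_COOKIE: token}, CAFE_IP)
```

The second client is anonymous whether or not the first one ever signed out; only a server that keyed sessions on something other than the token (a shared cache or address-based lookup) could hand one client another's account.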
scientiae: It's not the absolute safest method, but … I'd more blame the internet cafe (do they still have those?) or whatever was hosting the public access point. Or am I missing something?
clarry: No web server should ever send any account specific data over to any client that hasn't demonstrated they're the rightful recipient. That's what session cookies are for, and that's why connections are encrypted so that you can do your banking securely over public wifi, cafes, hotels, and the whole unencrypted-at-core internet. The cafe is blameless, unless they actively attacked you by MITMing the encrypted connection (but that should fire off massive security risk warnings on any half modern browser).

The cafe should be unable to read your session cookie or password. If they have a misconfigured router that somehow sends traffic to the wrong computer, that's still no problem because the wrong computer is unable to decrypt said traffic. This sort of stuff is pretty much the basis of web security.
Right, but I was more thinking the first guy, @Xiaozhuzi, didn't sign off, since @fronzelneekburm didn't log in first.
(See the second post, here.)
scientiae: Right, but I was more thinking the first guy, @Xiaozhuzi, didn't sign off, since @fronzelneekburm didn't log in first.
(See the second post, here.)
It makes no difference. If he does not sign out, then the session cookie sits safe in Xiaozhuzi's computer. When fronzelneekburm sends a request to gog.com, there is no way he can send Xiaozhuzi's session cookie, and thus GOG's servers should have no reason to think that it's Xiaozhuzi. Cafe also makes no difference, again.
Post edited August 14, 2019 by clarry
scientiae: Right, but I was more thinking the first guy, @Xiaozhuzi, didn't sign off, since @fronzelneekburm didn't log in first.
(See the second post, here.)
clarry: It makes no difference. If he does not sign out, then the session cookie sits safe in Xiaozhuzi's computer. When fronzelneekburm sends a request to gog.com, there is no way he can send Xiaozhuzi's session cookie, and thus GOG's servers should have no reason to think that it's Xiaozhuzi. Cafe also makes no difference, again.
Yeah, it is weird, I grant you that. I wonder if we'll ever hear the post-mortem conclusion/s …
scientiae: Yeah, it is weird, I grant you that. I wonder if we'll ever hear the post-mortem conclusion/s …
Probably not, GOG is bad at communication to begin with, and it doesn't help that this is kinda embarrassing. It's easier to just assure that the problem is fixed than to explain the blunder.