rev6 is *******

Sylhana
Veteran Member
Posts: 3467
Joined: Tue Mar 06, 2007 8:05 am
Quick Reply: Yes
Location: Babel

Post by Sylhana »

_SomeOne_ wrote:well remember the exploit all u needed is the ID and SQ right... so if u knew the ID and u find out the SQ and if ur SQ is easy then ur .....?


Before joymax.com, you needed to know the account's email before you could input a secret answer. But still, getting this wasn't always impossible.

darkmaster21 wrote:Same here, everyone in going crazy for no reason. Any website reveals the Secret Question...how else would you know what to answer to obtain your password you forgot?


Exactly :).

Unless this is exploitable, I wouldn't worry much. Hopefully JM would get their act together to prevent future exploits on their site.
<<banned from SRF for bot support. -SG>>

User avatar
h33r0yuy
Common Member
Posts: 133
Joined: Mon Mar 12, 2007 9:54 am
Quick Reply: Yes
Location: Venice

Post by h33r0yuy »

oh yeah, another thing. rev6 just links to the same java function on jm's site that fetches the secret question. they didnt even use their own method/code. the point of that link in rev6 completely escapes me.


edit:

so they added some text to it. whoever that guy is says that he doesnt like that you can now get the question with only the id, instead of needing both id and email.

i somewhat agree, it'd be nice to need the email address to see the question, just as an added layer of security, but i dont see at all why its necessary.

i think im just gonna shut up now.
Last edited by h33r0yuy on Thu Dec 20, 2007 7:08 am, edited 1 time in total.
I'll need to update this someday ^

User avatar
sama98b
Frequent Member
Posts: 1428
Joined: Thu Feb 22, 2007 2:32 am
Quick Reply: Yes
Location: Aege

Post by sama98b »

I think you're all missing the point here.

Does rev6 do the account name/secret question in real time from jm website?


<p>
<form method="post" action="https://portalcp.joymax.com/member/getSecretQuestion.jmx">
  <font color=red><b>Silkroad Account name</b></font> <input type="text" name="userID" value="morningdew">

  <input type="submit" value="Find This Account Secret Question">
</form>
</p>


OR
Already had a database with all the account names.

If it has all the account names then it has a database Account Name -> Character name, linked to them.

They got a big database there and a lot of time on their hands.
Since it's updating automatically, no work to do with it most of the time.

My best guess:

Rev6 staff = JoymaxFanClub

ps.:
Rev6 is hosted in the usa.

United States Orem Bluehost Inc
RAbuseHandle: NOC2320-ARIN
RAbuseName: Network Operations Center
RAbusePhone: +1-801-765-9400
RAbuseEmail: abuse@bluehost.com

Rev6 should read up on the new patriot act b4 setting up server and locating in the usa ...

So if you get pissed on rev6 you know where to mail ^^
Be straight be proud of it, don't end up like them:

User avatar
h33r0yuy
Common Member
Posts: 133
Joined: Mon Mar 12, 2007 9:54 am
Quick Reply: Yes
Location: Venice

Post by h33r0yuy »

if you use something to view the page info, you'll see that the button simply links to joymax's retrieval function. rev6 has no database of acct names.

I'll need to update this someday ^

User avatar
sama98b
Frequent Member
Posts: 1428
Joined: Thu Feb 22, 2007 2:32 am
Quick Reply: Yes
Location: Aege

Post by sama98b »

Yes but are they hiding something else with that ?
Be straight be proud of it, don't end up like them:

User avatar
h33r0yuy
Common Member
Posts: 133
Joined: Mon Mar 12, 2007 9:54 am
Quick Reply: Yes
Location: Venice

Post by h33r0yuy »

no, you showed the code yourself, its just a link. goes straight to jm's site.

if it linked to some rev6 or other url id say it wasnt safe. im still not going to use it....

but still. all he did was link to the function on jm's site.
I'll need to update this someday ^

User avatar
phulshof
Frequent Member
Posts: 1137
Joined: Fri Apr 21, 2006 10:36 am
Quick Reply: Yes
Location: Troy
Contact:

Post by phulshof »

h33r0yuy wrote:
_SomeOne_ wrote:well remember the exploit all u needed is the ID and SQ right... so if u knew the ID and u find out the SQ and if ur SQ is easy then ur .....?


a. the exploit doesnt work anymore.

b. you need the ANSWER, not the question. youve been able to know a SQ for years if you knew the id...


Actually, no.. you needed the id AND the account's email before you would get the secret question. It may not be exploitable at this moment, but people can start to gather a rather large database of information that may be used with the next exploit.
[88] Vivace
Pure INT Bard/Cleric, Bard 88, Cleric 88

[83] Pinokkio
Pure INT Force Nuker, Force 83, Cold 83, Lightning 83, Fire 60

[81] Sybian
Pure INT KD Nuker, Bicheon 81, Cold 81, Lightning 81, Fire 60

User avatar
h33r0yuy
Common Member
Posts: 133
Joined: Mon Mar 12, 2007 9:54 am
Quick Reply: Yes
Location: Venice

Post by h33r0yuy »

ur right, i remember now. i wouldnt say theres much if any risk here though. it'd be nice if they hid the answer till the email addy was put in though.
I'll need to update this someday ^

User avatar
MrBow
Ex-Staff
Posts: 2979
Joined: Sun Jan 07, 2007 9:57 am
Quick Reply: Yes
Location: Playin' Talkin'

Post by MrBow »

lol i entered just a random answer when i created my acc, i don't even know my secret answer :P yes i know i'm farked when i forget my pw :wink:


Niyoke wrote:err i know ium soudning weird but .. Mr Bow is my p.e teacher .. ARE YOU MR BOW? LMAO ?

User avatar
dizzie38
Common Member
Posts: 127
Joined: Fri Aug 31, 2007 1:23 pm
Quick Reply: Yes
Location: london

Post by dizzie38 »

lol morning dues secret question is ur birthplace

User avatar
iGod
Veteran Member
Posts: 3728
Joined: Wed Oct 11, 2006 11:22 pm
Quick Reply: Yes
Location: Off Topic

Post by iGod »

h33r0yuy wrote:https://www.joymax.com/portal/Joymax_Front.jmx?workURL=https://portalcp.joymax.com/member/member_find_idpw.jmx&returnURL=http://www.joymax.com/portal/Joymax_Front.jmx?workURL=http://portalcp.joymax.com/

go here. type any id you want, click ok!, and it shows the question.



rev6 isnt providing any info that you cant find from jm's site with that feature.

however, i dont get why that exists if you can do the same thing from jm's site.


You type in your id just to try it out...they get your id :/

User avatar
DrWicked
Common Member
Posts: 184
Joined: Sat Dec 01, 2007 3:15 pm
Quick Reply: Yes
Location: Xian

Post by DrWicked »

Now you need secret answer and email so dont worry guys no more hacking i think.
xaxaaaxa

User avatar
Casey613
Addicted Member
Posts: 2926
Joined: Thu Jul 26, 2007 6:36 pm
Quick Reply: Yes
Location: Somewhereee

Post by Casey613 »

Rev is now being retarded..
<<Puff, bye>>

User avatar
NuclearSilo
Forum God
Posts: 8834
Joined: Mon Aug 21, 2006 12:00 pm
Quick Reply: Yes
Location: Age of Wushu

Post by NuclearSilo »

iGod wrote:
h33r0yuy wrote:https://www.joymax.com/portal/Joymax_Front.jmx?workURL=https://portalcp.joymax.com/member/member_find_idpw.jmx&returnURL=http://www.joymax.com/portal/Joymax_Front.jmx?workURL=http://portalcp.joymax.com/

go here. type any id you want, click ok!, and it shows the question.



rev6 isnt providing any info that you cant find from jm's site with that feature.

however, i dont get why that exists if you can do the same thing from jm's site.


You type in your id just to try it out...they get your id :/

Type your ID there, then it will be secretly stored in their website :S

Oh shit ~ i typed my ID :shock: :banghead:

Dont blame anyone if u get hacked that way. :D
Playing Age of Wushu, dota IMBA

User avatar
shoto
Frequent Member
Posts: 1459
Joined: Sun Oct 08, 2006 10:54 pm
Quick Reply: Yes
Location: Alps
Contact:

Post by shoto »

what?

i don't see how this compromises your account. At the point where they know your secret question, you're already f*ked (i.e. they must know your username)

Mysterious Death Desert
Mysterious desert that causes mysterious deaths

User avatar
darkmaster21
Ex-Staff
Posts: 2156
Joined: Sun Jul 15, 2007 3:11 am
Quick Reply: Yes
Location: Off Topic

Post by darkmaster21 »

NuclearSilo wrote:
iGod wrote:
h33r0yuy wrote:https://www.joymax.com/portal/Joymax_Front.jmx?workURL=https://portalcp.joymax.com/member/member_find_idpw.jmx&returnURL=http://www.joymax.com/portal/Joymax_Front.jmx?workURL=http://portalcp.joymax.com/

go here. type any id you want, click ok!, and it shows the question.



rev6 isnt providing any info that you cant find from jm's site with that feature.

however, i dont get why that exists if you can do the same thing from jm's site.


You type in your id just to try it out...they get your id :/

Type your ID there, then it will be secretly stored in their website :S

Oh shit ~ i typed my ID :shock: :banghead:

Dont blame anyone if u get hacked that way. :D


Look what I posted on the first page:

darkmaster21 wrote:I'm not entering my ID in there, they might have a log of all the ID's entered. Then bruteforce the account.


:banghead:

cSRO / Division 2 / Pure STR Bow / Lv 65

User avatar
ScZz
Common Member
Posts: 141
Joined: Fri Mar 23, 2007 1:27 pm
Quick Reply: Yes
Location: somewhere over the rainbow

Post by ScZz »

joymax is looking more retarded from day to day.. no wait , they already are overretarded :banghead:
Tibet

Blasjr
Common Member
Posts: 182
Joined: Wed Oct 24, 2007 6:21 pm

phulshof ....

Post by Blasjr »

Actually, no.. you needed the id AND the account's email before you would get the secret question. It may not be exploitable at this moment, but people can start to gather a rather large database of information that may be used with the next exploit.

phulshof, you're the only one that got it right! :-)

U guys dont get it, Do you? Hackers have the exploits cause they're either disgruntled employees, or JM entrusted their Website Code to ppl who need to work for them (out sourcing), to upgrade, add, delete functions, etc etc. I for one (and think the rest of you should as well), feel a bit uncomfortable, knowing that any site REV6 particularly, can have access and post my gear, wep. etc. Its meant to be secret, why else would they do it, unless is to set you up? Exploits are not done, look at Microsoft and their constant patchings to XP (all of them!), you cant stop it.

Right now hackers are looking for the next exploit, to wipe you out. Make a mule account transfer your shit to it every night. Remember REV6 only shows you the gear, wep. you wear. A mule account cant wear it! Its safe

Peace

User avatar
heroo
Forum Legend
Posts: 6618
Joined: Sat Sep 30, 2006 12:56 pm
Quick Reply: Yes
Location: Off Topic

Post by heroo »

don't blame rev6.

blame JOYMAX
''When I die, make sure they bury me upside down, so that the world can kiss my ass.''

User avatar
ArchYourFace
Active Member
Posts: 638
Joined: Tue Oct 09, 2007 2:11 pm
Quick Reply: Yes
Location: Venus

HELLO!

Post by ArchYourFace »

:!: :!: :!: :!: :!: :!: :!: :!: :!: :!: :!: :!:
Um ok, you remember the method rev6 said was used to acquire usernames in the first place, in order that they may be hacked?

If not ill reiterate: go to the forum and type anything in, and any random password. Then it would say one of 2 things. It would say, not an account, would you like to make one(and buy silk please), or wrong password try again douche.

Same concept here. If you type in a random user name, it can be confirmed that it IS in fact a valid user name via this method. Its exactly the same. The email addy SHOULD be required. Wrap your head around that for a minute.


thats why whats his face up there was like "i think i know your id, can i guess?" cause he found a valid username via this method.
:!: :!: :!: :!: :!: :!: :!: :!: :!: :!: :!: :!:
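
The point raised in the post above, that a question lookup keyed on the ID alone confirms which IDs are valid while a lookup that also requires the email does not, as an added example (not code from Joymax, rev6 or any poster in this thread). The handler names, sample accounts and messages are assumptions made up for illustration.

```python
import hmac

# Constructed sample data; the IDs, emails and questions are made up.
ACCOUNTS = {
    "citrus": {"email": "citrus@example.com", "question": "Where were you born?"},
    "vivace": {"email": "vivace@example.com", "question": "Name of your first pet?"},
}
FAILURE = "The ID and email address do not match our records."


def question_by_id_only(user_id, email=None):
    """Behaviour discussed in the thread: the ID alone returns the question."""
    account = ACCOUNTS.get(user_id)
    if account is None:
        return "Unknown ID."          # tells the caller the ID does not exist
    return account["question"]        # tells the caller the ID exists


def question_by_id_and_email(user_id, email):
    """Both values must match; every failure returns the same message."""
    account = ACCOUNTS.get(user_id)
    # Compare against a dummy value for unknown IDs so both paths do the same work.
    expected = account["email"] if account else "nobody@invalid.example"
    matches = hmac.compare_digest(
        expected.lower().encode(), (email or "").lower().encode()
    )
    if account is not None and matches:
        return account["question"]
    return FAILURE


def reveals_valid_ids(handler, known_id, unknown_id, wrong_email="guess@example.com"):
    """Defender's regression check: does a caller who lacks the email see a
    different response for a real ID than for an ID that does not exist?"""
    return handler(known_id, wrong_email) != handler(unknown_id, wrong_email)
```

With the second handler, "unknown ID" and "known ID, wrong email" produce the same response, so the form no longer works as a way to confirm account names.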

User avatar
BalkanFanaticS
Active Member
Posts: 768
Joined: Fri Nov 02, 2007 10:54 pm
Quick Reply: Yes
Location: Greece

Post by BalkanFanaticS »

h33r0yuy wrote:ie why i didnt stick my id into rev6, lol

NuclearSilo wrote:Type your ID there, then it will be secretly stored in their website :S

Oh shit ~ i typed my ID :shock: :banghead:

Dont blame anyone if u get hacked that way. :D



too bad nymble(rev6) already has a copy of the full id database back from a year due to an old forum bug(blame joymax) .

sure he rly needs YOUR id :wink:
<< banned for selling characters. -cin >>

/Pi
Senior Member
Posts: 4590
Joined: Fri May 18, 2007 3:49 am
Quick Reply: Yes
Location: Off Topic

Post by /Pi »

You guys are retarded. Hundreds of websites do this - even the popular ones like Gmail.

Chillax. Just follow the best instruction here: don't even bother going to Rev6.

User avatar
F-22
Active Member
Posts: 755
Joined: Fri Aug 10, 2007 2:31 pm
Quick Reply: Yes
Location: Making out with Crystal Liu Yi Fei

Post by F-22 »

if you guys really want to make your account safer then make an email address that does not exist. That way no one can trace your email address, if something does not exist then it can not be found. Most of the people who got hacked are people who share accounts and give out their email addresses to friends, and people who buy other people's character online.
Guild: KnightsofTyr
Build: Pure Kickass
Occupations: Hunter and Guild Master
HUNTER FOR LIFE

User avatar
PileOfMush
Valued Member
Posts: 456
Joined: Mon Jun 04, 2007 8:55 pm
Quick Reply: Yes
Location: Venus

Post by PileOfMush »

F-22 wrote:if you guys really want to make your account safer then make an email address that does not exist. That way no one can trace your email address, if something does not exist then it can not be found. Most of the people who got hacked are people who share accounts and give out their email addresses to friends, and people who buy other people's character online.


Before this new joymax.com/portal site came to be, I'd have agreed with you, but now this ISN'T the best way. Joymax keeps changing things, and one day you're going to be locked out of your own account because they suddenly decide you can ONLY change your password if you have access to the email account you gave them.

They should have just taken the time to get this whole account security thing right from the beginning and it wouldn't be such a big mess. Designing secure web forms and pages that provide secure dynamic content is not exactly simple and obvious, but that's why e-commerce companies (which I'd say JMax is because they take e-payments for a product) hire experienced developers and don't just throw something together that barely works.
Venus: Crush
Oasis: BuryMe

User avatar
Genocide
Regular Member
Posts: 219
Joined: Sun Mar 18, 2007 1:40 am
Quick Reply: Yes
Location: ROME

..

Post by Genocide »

i got my account hacked before and i know the id and secret question and answer but not the email is there anyway i can get my account back??????

User avatar
thAi
Active Member
Posts: 891
Joined: Thu May 10, 2007 3:24 am
Quick Reply: Yes
Location: Off Topic

Post by thAi »

We Are Doomed

User avatar
magisuns
Veteran Member
Posts: 3303
Joined: Mon Apr 09, 2007 12:33 am
Location: パズドラ

Post by magisuns »

MAUHAAHAHAHAHAHAH MUHAAHAHAHAHAHAH I'M NOT DOOMED xD AHAHAHAHAAAHAH ^^ I LOVE U JM SOOOO MUCH =)
THEY PUT MY ID UNDER A DIFFERENT NAME xD ie if my id wuz... idk.. citrus.. jm is showing ctiirus xD gotta love their oddness cuz now apparently thats my id :P evenn though u cant log in with it... hackers are pwn from my acc (^^)V ... did this happen 2 n e one else?

User avatar
Braka
Frequent Member
Posts: 1369
Joined: Fri Oct 12, 2007 11:45 am
Quick Reply: Yes
Location: AEGE

Post by Braka »

Stop being paranoid and go play the game jeez , its like ur praying for someone to hack ur account so u can leave the game :x

Blasjr
Common Member
Posts: 182
Joined: Wed Oct 24, 2007 6:21 pm

I have 1 more idea

Post by Blasjr »

Lets go https: :banghead: JM.COM goes https in order to protect your info plus paypal acc. Incorporates safety, by doing all checks: Verification Code to your email address, your secret answer (to your not so secret Question), and entering your Current PW. Im surprised no 1 has thought about hacking paypal thru the JM website...ummmm maybe they're working on it! Possibly cause paypal is encrypted, they cant get in? Move to have JM do same! 8)

Be honest w you, I think they want ppl to get hacked so you can buy more silk in rebuilding! I did the opposite, I'm hurting them. Just remember, 1 day Blizzard/Activision, releases a new supped up MMORP game (Starcraft II), or WoW IV (for free w/Credit buy system like Trickster), you know what happens to JM? Goes belly up, lost all your Pixels. Think about this, each server is maxed out daily by GOLD BOTS not real players, its their business right? Well JM is in business to make KRW's frnds, never has nor will take care of the Legit players. No Corporate responsibility to the real guys. What for? To lose money? Ha...
I saw it first hand. I don't respect Company that doesn't respect my privacy as a player and my security of what I'm paying for.

Peace

User avatar
Swindler
Forum God
Posts: 11256
Joined: Tue Apr 10, 2007 7:49 am
Quick Reply: Yes
Location: Pimpas Paradise.

Post by Swindler »

never trusted rev6...
