ATTENTION- Keep your passwords safe!!!
A few months ago my friend's account got hacked. A few days later he retrieved his account, but he was wondering how it is possible to steal an account like that and asked me for help. He said he didn't download any suspicious hacks etc. After a bit longer talk with him I discovered he used a rev limiter mod downloaded from THIS FORUM, which he thought was perfectly safe, as it's used by thousands of people. I took a bit deeper look at this mod, and it does not work by non-stop pressing I (ignition) when revs are high; it actually writes to the byte used to save the ignition state of the engine. So OK, this can be helpful as it can also work while you are chatting, but it's a bit hacky way to do it. The next thing I noticed when first starting this mod was that Windows tells you the firewall blocked some features of this application. Why would a simple rev limiter mod need an internet connection to a server (not an LFS server)? (I used NetLimiter 3 to find the connection.) I was like WTF. I googled a bit how to see which addresses were accessed, found a program for freezing processes, froze LFS, and ran a memory scanning tool. After a few seconds I got a list of addresses accessed; there were lots of bytes about engine state, throttle position, and a string which contains my GAME PASSWORD (0x0097F8B4). WTF? Why does this application need my GAME PASSWORD to work? The application already created a connection to a server and can easily upload my password. I instantly sent mail to the developers, but till this day still no reply. I PM'ed the creator of the application asking why this program needs to access my game password, and the reply was "demo racers..."
This wouldn't happen if the password was kept encrypted in memory. Why even decrypt the pass locally? ... I tried this way in WOW and rFactor; passwords are kept encrypted in memory there.
About a week ago I created a simple tool like a rev limiter which will also create my private database of LFS GAME PASSWORDS. Till now I have 117 passwords.
Looking through the list, here are some pass statistics:
- max password length 18 characters
- average 9.76 characters
- 65.81% of passwords contain only numbers

None of the passwords was used to illegally get access to people's accounts (well only if I don't hate account owner), and also to prove to the developers how easy this is. 28 lines of code in C++ did this job. Well, most of the accounts are demo since they are most often users of additional tools for LFS.

No matter how complex your password is, it will not help you!
The only thing which can help you is: USE GAME PASSWORD DIFFERENT THAN WEB PASSWORD. Then hacker won't be able to change your login details, he will be only able to play online as long as you don't change your GAME password.

If you recently used any kind of mods/hacks etc., it's highly suggested to change your account passwords.
Mods please do not delete this thread, because it's very important for LFS safety and fixing security issues in LFS.
While your post is quite interesting about LFS' security, I must emphasize this:

Quote from kappa007 :The only thing which can help you is: USE GAME PASSWORD DIFFERENT THAN WEB PASSWORD. Then hacker won't be able to change your login details

There is a reason why FS.net forces you to set 2 passwords to play the game, and that is to avoid a full hacking of your account using these kinds of programs. People that use the same password on both are increasing a lot their probabilities to lose their account. I must say that I feel less sorry for those people than for the ones that put some effort into securing their accounts.
Quote :(well only if I don't hate account owner)

Dude?
Quote from kappa007 :
Mods please do not delete this thread, because it's very important for LFS safety and fixing security issues in LFS.

Fix what?

You are the one using third party mods. What the hell do you think?
Quote from cargame.nl :Fix what?

You are the one using third party mods. What the hell do you think?

I believe you are not aware that over 90% of the cruising community use mods. Most often rev limiters and also a tool for automatic lights and hazards simulation when using a police car.
I see you are more into racing, that's why you don't know about it.
But what if I tell you that, for example, Aonio has malicious code built in? Even if it probably doesn't have. Will you think next time when using it? You see my point?
It's LFS's problem that the GAME password is so easily accessible, and mods are just using this flaw. If the password is encrypted with a simple algorithm like the one posted below, it will be like 10000 times harder to locate it in memory.

    #include <string.h>

    /* Obfuscates the string in place by shifting every byte down by 15. */
    void encrypt(char *s)
    {
        size_t i, l = strlen(s);
        for (i = 0; i < l; i++)
            s[i] -= 15;   /* fixed shift, no key involved */
    }

A mod developer with hacking intentions could easily lock LFS, make the user re-enter the password and get around any kind of encryption that way. Plus, if LFS were to encrypt the GAME password (it really should do that), it should use some real hashing algorithm.

I really appreciate that you went through the trouble of investigating this and sharing your findings (a link to the malicious mod might be useful too), but shouldn't the real lessons to be learned here be
- Use ALL mods containing executable content at your own risk
- If you use such a mod, at least try to find one that is opensource
?
I'm afraid to say that amongst certain circles the knowledge that the password is in "plain text" in LFS' memory space has been known for years. Whilst I don't advocate security-through-obscurity, given the rate of patches to LFS (that's not necessarily a criticism of the LFS team, just an observation) I do worry about the impact that this thread could have. It provides just enough details that even the least talented programmer could now research enough to get something put together to steal passwords within a day (and that's being overly generous).

Quote from MadCatX :If you use such a mod, at least try to find one that is opensource

As nice an argument as that is, given the audience for most of the mods on the LFS forum this won't necessarily help, and I don't believe there are that many people who would willingly go through every mod's source for the sake of the community, frankly. Plus, if they provide pre-compiled binaries you're trusting them that they use the same source and not something otherwise modified.

A mitigation would be to forcibly enable ASLR on Windows, for all executables (I believe by default it's only enabled for executables that demand it). That won't help the cause of the problem, but should make it marginally harder to find, and raises the bar - if only a little.
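
A defender-side check for the point above about ASLR being opt-in per executable, as an added example that is not part of the original thread: it reads a PE header and reports whether the image sets the DYNAMICBASE flag, or has its relocations stripped (in which case forced relocation has nothing to work with). The function names and the sample header bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILE_RELOCS_STRIPPED 0x0001 /* IMAGE_FILE_RELOCS_STRIPPED */
#define DLLCHAR_DYNAMIC_BASE 0x0040 /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns 1 if the image opts in to ASLR, 0 if it does not but still
   carries relocations (so it can be force-relocated), 2 if relocations
   are stripped (fixed base address), -1 if this is not a PE header. */
int pe_aslr_status(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    size_t pe = (size_t)rd16(img + 0x3C) | ((size_t)rd16(img + 0x3E) << 16);
    if (pe > len || len - pe < 24 + 72) return -1;   /* sig + COFF + 72 bytes */
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t file_chars = rd16(img + pe + 22);       /* COFF Characteristics */
    uint16_t opt_size   = rd16(img + pe + 20);       /* SizeOfOptionalHeader */
    const uint8_t *opt  = img + pe + 24;
    uint16_t magic      = rd16(opt);                 /* 0x10B PE32, 0x20B PE32+ */
    if (opt_size < 72 || (magic != 0x10B && magic != 0x20B)) return -1;
    if (file_chars & FILE_RELOCS_STRIPPED) return 2;
    return (rd16(opt + 70) & DLLCHAR_DYNAMIC_BASE) ? 1 : 0;
}

/* Constructed, truncated PE32 header (not a real binary) for the demo. */
size_t make_sample(uint8_t *buf, uint16_t file_chars, uint16_t dll_chars)
{
    memset(buf, 0, 160);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3C] = 0x40;    /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x54] = 0xE0;                                /* SizeOfOptionalHeader */
    buf[0x56] = (uint8_t)file_chars; buf[0x57] = (uint8_t)(file_chars >> 8);
    buf[0x58] = 0x0B; buf[0x59] = 0x01;              /* PE32 magic */
    buf[0x9E] = (uint8_t)dll_chars;  buf[0x9F] = (uint8_t)(dll_chars >> 8);
    return 160;
}

int main(void)
{
    uint8_t b[160];
    printf("opt-in: %d\n", pe_aslr_status(b, make_sample(b, 0x0102, 0x0140)));
    printf("no flag: %d\n", pe_aslr_status(b, make_sample(b, 0x0102, 0x0100)));
    printf("stripped: %d\n", pe_aslr_status(b, make_sample(b, 0x0103, 0x0100)));
    return 0;
}
```

A result of 0 or 2 means data in the image's own sections sits at the same address on every run, which is the situation the fixed password address in this thread reflects.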
Quote from kappa007 :A few months ago my friend's account got hacked. [...]

Judging by your other thread you don't need LFS 'cause you get too much sex.

Deal with it.
Quote from theirishnoob :Judging by your other thread you don't need LFS 'cause you get too much sex.

Deal with it.

But it's nice of me, want to help community
Quote from kappa007 :

But it's nice of me, want to help community

It is nice of you to help others and there are people that appreciate it. LFS needs to hire you, Madcat, and Rhama as Beta Testers to find these kinds of bugs so they can patch them as it seems you guys know LFS pretty well.
