Authentication system needs fixing

By -Nekojita-#5427 - MEMBER - June 21, 2021, 05:47:15

It's strange no one has brought this topic up yet, at least not in the EN forums.
The new authentication system has a major flaw and needs to be fixed, since it doesn't give any more protection than when it wasn't here.
Here's how the gaping loophole works. 

You log in to the launcher with your own account, get your email code and enter it.
You launch the game window, play or not, and log off it.
After this, by using the game window, you can log in to any of the previously unconfirmed accounts without the need to verify your device or anything, be it a friend's account or yours or somebody totally unfamiliar. Tested it with my 4 not yet verified alt accounts (out of 9).
Since the game window never ever had a cooldown or suspension for an incorrect login+password combo, you can freely brute-force it with a bot for as long as you want, even less hassle if you know at least the account's login.

tl;dr: The new authentication barrier only prevents you from logging in to the launcher with someone else's login+password, which has an easy workaround in the form of using the game window to use someone else's login+password without any security measures. Basically the new authentication system changed nothing.

I'm quite baffled this was overlooked (in a game where it's natural to have 2 or more accounts); it makes the whole new authentication measure absolutely pointless and useless. Everything basically stayed the same.
I looked forward to the new security measure, but wasn't expecting it to be executed in such a way that it's basically a huge waste of Ankama's time in the end. I mean, what was the point of even trying or bothering if it changes nothing?
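As an added example (not code from the thread or from Ankama), here is a small Python model of the two-channel login flow the post describes: the vulnerable mode checks the device only on the launcher path and never throttles, while the hardened mode enforces device verification and lockout on every channel. Channel names, policy numbers and the storage layout are assumptions.

```python
# Toy model of the login flow (constructed for illustration, not Ankama's code).
# Two channels, "launcher" and "game", reach the same account store.
import hmac

MAX_FAILED = 5          # failed attempts before lockout (assumed policy)
LOCKOUT_SECONDS = 900   # lockout duration in seconds (assumed policy)


class AuthService:
    def __init__(self, hardened):
        self.hardened = hardened
        self.accounts = {}     # login -> password (plaintext only in this toy)
        self.verified = set()  # (login, device_id) pairs that passed the email code
        self.failures = {}     # (login, device_id) -> (failed_count, locked_until)

    def register(self, login, password):
        self.accounts[login] = password

    def verify_device(self, login, device_id):
        # Models entering the emailed code on this device.
        self.verified.add((login, device_id))

    def login(self, channel, login, password, device_id, now=0.0):
        key = (login, device_id)
        count, locked_until = self.failures.get(key, (0, 0.0))
        if self.hardened and now < locked_until:
            return "locked"                      # refuse even a correct password
        expected = self.accounts.get(login, "")  # unknown login fails the same way
        if not hmac.compare_digest(expected, password):
            if self.hardened:                    # vulnerable mode never throttles
                count += 1
                if count >= MAX_FAILED:
                    count, locked_until = 0, now + LOCKOUT_SECONDS
                self.failures[key] = (count, locked_until)
            return "bad_credentials"
        # The flaw from the thread: only the launcher channel checked the device.
        needs_device = self.hardened or channel == "launcher"
        if needs_device and key not in self.verified:
            return "device_unverified"
        self.failures.pop(key, None)             # success clears the counter
        return "ok"
```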

The launcher just allows you to automatically enter your username and password when you launch the game; it's not some sort of security measure.

If you want actual protection, use the 2-factor authentication system with the Ankama authenticator app.

What he is talking about is regarding a flaw which circumvents the newly deployed security measures for the launcher and site.

It has nothing to do with how the launcher behaves or logs in automatically.
But rather about the game allowing you to bypass it entirely.
It is quite something which needs looking into in this case.

The reading comprehension could use some work.

