Important Your TCF account and Security

Discussion in 'Forum Help & Feedback' started by Tunnel King, Feb 24, 2017.

  1. Sigma90

    Sigma90 Brain of Cthulhu

    The thing with saving a password is in the name itself: "saving". If it can be saved, it can be retrieved. Encryption is, by definition, reversible. Hashing is not (within the bounds of a collision). Any program that saves your password is saving it in such a way that it can be retrieved later. And if a program can retrieve it, so too can other malicious programs.
  2. ManaUser

    ManaUser Brain of Cthulhu

That's true in some sense, but if you've got a malicious program running on your computer you're pwned anyway. It could also grab your password directly when you type it into a website. There's always some tradeoff between security and ease of use, but to my mind, a password manager is pretty sensible. It greatly reduces the difficulty of using a unique password for every site, which is a much bigger concern in my book.
  3. Sigma90

    Sigma90 Brain of Cthulhu

    I wasn't referring to a password manager or any other program specifically; just a note on encryption vs. hashing. If you're at the point someone can retrieve the encrypted passwords off your computer, it's game over anyway. They've probably got everything else too: contacts, emails, personal details, whatever else you saved...
    Password managers are definitely useful for producing complex passwords that will take longer to crack. (Assuming the site stores passwords correctly.) A good password buys you time to change your password before someone malicious cracks it and hijacks the account, and/or accounts on other sites. Which ties into what you mentioned, also very useful for a unique password across each site. :)
  4. Tunnel King

    Tunnel King Administrator Staff Member Administrator

    For users of the popular (and well-reviewed) LastPass password manager - there has been a major client-side vulnerability revealed.

    Aside from the click-bait-y title, the salient points here are:
    • This affects the browser extensions used to access LastPass and retrieve/insert information into your browser. LastPass is currently recommending that users stop using this feature and instead manually copy/paste information, until they are able to patch this.
    • There is no indication that LastPass servers themselves are at risk from this vulnerability.
    • You are more vulnerable to this if you are in the habit of clicking unknown phishing links or email attachments. In other news, water is wet.
    The first point is a potential vulnerability with any password manager/ease-of-use extension - e.g., the KeeFox/ChromePass extensions for KeePass have a similar potential for exploit, although I'm not aware of any reports of that for KeePass (which I use). If it's convenient for you, it's likely that it's more convenient to exploit.

    eta: I notice that the same Google Project Zero person who uncovered this (Tavis Ormandy) is also the person who found the CloudFlare issue at the top of this thread. He's a busy man, to our great benefit.
    Last edited: Mar 29, 2017
    ManaUser and Jeckel like this.
  5. Tunnel King

    Tunnel King Administrator Staff Member Administrator

    There is a new, convincing phishing scam making its rounds through emails.

    This is in the form of a Google Docs document that you are invited to look at. The advice being given is to delete the email without opening the document.

    It's always good practice to be wary of opening attachments/links that you are not familiar with or expecting, but this is one you should really look to avoid.
  6. Miku Hatsune

    Miku Hatsune Pixel Privateer

  7. Khaelis

    Khaelis Plantera

    Good thing I have no reason to click these, since I don't even use Google Documents myself.
    Wolf kin likes this.
  8. Hie the Badger

    Hie the Badger The Destroyer

    That's not convincing. That's :red:e. What is this, AOL?

1. I didn't ask for a google docs file nor did I receive a text message saying one is coming (I refuse to look at google or gmail otherwise). 2. I'm signed in to google proper. I don't need to sign in again. 3. Literally no one on my mail list uses a real name for their email (typical furries :naughty:).

    1996 called they want their :red:ty scam tactics back. They stole it. Shame on them.
  9. Kola17_97

    Kola17_97 Spazmatism

    The alert I just got almost gave me a heart attack.
    Wolf kin likes this.
  10. Wolf kin

    Wolf kin Skeletron Prime

    For a second I thought @Tunnel King was giving us the link to get a virus. :dryadgrin:
  11. Jeckel

    Jeckel Moderator Staff Member Moderator

    To expand a little bit, this isn't a phishing scam that impersonates Google, Google Docs, or the sign in process, it is an actual Google Docs app that is using the legit Google system to request various permissions to your account, such as access to your contacts list and to the content of your email box. If you got caught by it, then the normal stuff, like changing your password, will have no effect. You have to revoke the app's permissions, assuming Google hasn't simply done that across the board already (reading around, it sounds like they might have, but better safe than sorry). To do so, go to, make sure you are on the account you authorized the app under (or just check all your accounts to be safe), find any apps that you have given permissions to on the day you got caught by the scam (the app seems to be going under the name 'Google Doc' or 'Google Docs'), and revoke their permissions.
  12. Alamandra Vonn Pravus

    Alamandra Vonn Pravus Dungeon Spirit

    I got an email that's part of the phishing scam.
    I deleted it.
    TheWorfer27 and Dark Wiz like this.
  13. Tunnel King

    Tunnel King Administrator Staff Member Administrator

    It's been a while since this thread was active, but I ran across some information that could be important, especially at this time of year when use of e-commerce sites is greatly increased.

    You may have heard that you should always "look for the lock icon" in your address bar, or to always "use HTTPS" to ensure a secure connection. Sadly, these easy checks are no longer reliable for indicating that you are browsing and conducting business safely. Recent research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”. (<-- article contains very good explanations)

    Phishing information from unsuspecting users is a big business, and more and more the perpetrators are using conventional means to lure people into a false sense of security. They register their sites and purchase SSL certificates in an effort to appear like a legitimate site. While "https://" does indicate that your connection with a site is encrypted and secured from outside snooping, it says nothing at all about the true identity of who is on the other end (and never did).

    They also take advantage of internationalized domain names (use of Unicode in URLs designed to allow legitimate local language display of addresses) to make URLs look familiar, while directing you elsewhere. The article indicates which browsers will warn you of this, and which need some modification to do so (Firefox users - like me - should really read the article).

    The bottom line is: always be wary and alert when browsing, and don't ever let your guard down.
    ppowersteef, FlyKip, hamstar and 9 others like this.
  14. Jofairden

    Jofairden Golem

TK is totally right. Secure says nothing about the actual intent of a website. ALWAYS look at the domain itself and ask yourself if that is trustworthy or not. In fact, these days you can just register your domain with unicode emoji, so phishing sites have been registering their site with the unicode padlock emoji to fool you.
  15. Sigma90

    Sigma90 Brain of Cthulhu

    In a nutshell, the problem comes about from people misunderstanding (and misrepresenting) the purpose of the lock and HTTPS. The purpose of HTTPS is to ensure no-one else can read what is sent/received to/from the server you're talking to (an encrypted connection). The padlock (and by extension, the site certificate) confirms the site is who it says it is. Neither of these confirm the site is actually legitimate.

    Note the HTTPS, so no-one else can see what is sent to/from the server.
    In your browser, you probably have a padlock, indicating that this site really is, as it claims to be.
But there's one outstanding question the browser can't answer for you: Is this site actually an official Terraria site? Was the 'o' in "forums" the Latin 'o' or the Greek lowercase omicron 'ο'? Is this site run by Re-Logic or a third party? If I enter my user name and password, is it going to redirect me to the real TCF site with a generic 'wrong password' message so I'm none the wiser?

    Anyway - just an example. As Tunnel King said, never let your guard down.
    Last edited: Nov 28, 2018
    Daikonradish and Aurora3500 like this.
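The omicron-for-o substitution Sigma90 describes, and the padlock-emoji domains Jofairden mentions, are both things a browser or a mail filter can flag mechanically. The block below is an added example (not from the thread, and not how any particular browser implements its warning): it breaks a hostname into labels, records which Unicode script each letter belongs to, flags mixed-script or non-Latin labels and symbol characters, and shows the Punycode form that the browser actually resolves. The classification uses the first word of each character's Unicode name, which is a heuristic I am assuming is good enough for this purpose; the sample hostnames are constructed.

```python
import unicodedata
from typing import Dict, List, Optional, Set


def script_of(ch: str) -> Optional[str]:
    """Return a coarse script label ('LATIN', 'GREEK', 'CYRILLIC', ...) for a
    letter, taken from the first word of its Unicode name. Digits, hyphens
    and other non-letters return None so they never count as a script.
    (Heuristic assumption: the name prefix is a good-enough script proxy.)"""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def to_ascii(hostname: str) -> Optional[str]:
    """The form the resolver sees: each non-ASCII label becomes 'xn--...'.
    Returns None when the hostname cannot be encoded at all (for example a
    character the idna codec rejects), which is itself a warning sign."""
    try:
        return hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def analyze_hostname(hostname: str) -> Dict[str, object]:
    """Collect per-label script sets plus the red flags a filter would act on."""
    labels = hostname.lower().split(".")
    scripts_per_label: List[Set[str]] = []
    symbols: List[str] = []
    for label in labels:
        scripts: Set[str] = set()
        for ch in label:
            s = script_of(ch)
            if s is not None:
                scripts.add(s)
            elif unicodedata.category(ch).startswith("S"):
                # Symbol characters (emoji such as a padlock) never belong in a
                # hostname you were expecting to be plain ASCII.
                symbols.append(ch)
        scripts_per_label.append(scripts)
    mixed = any(len(s) > 1 for s in scripts_per_label)
    non_latin = any(s - {"LATIN"} for s in scripts_per_label)
    return {
        "labels": labels,
        "scripts": scripts_per_label,
        "mixed_script": mixed,      # Latin + Greek in one label, as in the omicron case
        "non_latin": non_latin,     # a fully non-Latin label is legitimate for many sites
        "symbols": symbols,         # padlock emoji and friends
        "ascii_form": to_ascii(hostname),
    }


if __name__ == "__main__":
    # Constructed samples: the real forum host, the same with a Greek omicron,
    # and a padlock emoji in front of a label.
    for host in ("forums.terraria.org",
                 "f\u03bfrums.terraria.org",
                 "\U0001F512secure.example"):
        report = analyze_hostname(host)
        print(host, "->", report["ascii_form"],
              "mixed" if report["mixed_script"] else "",
              "symbols" if report["symbols"] else "")
```

A mixed-script label is the strongest signal: legitimate internationalized names are usually written entirely in one script, so a label that mixes Latin with one Greek or Cyrillic letter is almost always a lookalike. The Punycode form is what to compare against a site you trust, since that is the name the certificate was issued for.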
  16. Sockmonkey367

    Sockmonkey367 Official Terrarian

Hey, thanks Tunnel King, I'm a fellow Firefox user and I never knew of this! Though, just remember: get Avast if you fall for one of the traps, it saves u. I swear it has saved me from a phish when I didn't know about the phish.
  17. Grumpy Squid

    Grumpy Squid Plantera

    Someone said that this should be mentioned in the security thread. Not sure how TCF specific the requirements need be to be mentioned here.

    All Chrome versions prior to v72.0.3626.121 have a Zero-Day Vulnerability, and in order to protect yourself you need to update to the latest version of Chrome. From what I understand the vulnerability allows sites to use the Chrome FileReader API to read files on your machine and potentially execute malicious code. The newest version patches out the memory mismanagement of the FileReader API.

    Below are some sources.



Another zero-day exploit was found for Google Chrome affecting Windows 7 users. For various reasons, instead of patching it they asked that all Windows 7 Chrome users switch to Windows 10. Google claims that it can not be patched on their end and must be done by Microsoft. Microsoft has already ended support for Windows 7 and will end Extended Support by the end of this year. Whether this will factor in their decision to patch it is beyond me.

    Microsoft believes that the exploit can only be performed on the 32 bit variant of Windows 7, but security engineers recommend upgrading to Windows 10 anyways.

If you'd rather use Windows 7 for the time being, I recommend you switch to Firefox, which has better privacy and security controls than Chrome, and now, with the unpatched exploit, it is the only safe and secure browser on Windows 7.

    Below are some sources:

    Last edited: Mar 9, 2019