
Forum Update: Images!!



@"Gaile Gray.6029" said: We’re happy to announce that you may now embed images or videos on our forums through four major hosts: Tumblr, Imgur, YouTube, and Instagram.

To embed an image, click the small landscape icon to the far right of the editing options bar and input the URL into the indicated field. Your image then will be shared on the forums in thumbnail form, allowing members to click through to the larger photograph, screenshot, or piece of art. Please be sure to restrict image size to 2 MB or less.

It is not working. You do get the "thumbnail", but it does not automatically work as a link to the full size image.

Edit: Okay, it does work when you reload the page including the thumbnail. Very weird.


@Shikigami.4013 said: What is the reason for letting people include images in their actual post but being scared of allowing people to use images for their avatars? I cannot find any justification for keeping the "no image upload allowed" policy for your avatar when you can include any image into any of your posts.

Security issue. It is possible to use images to extract information from the system they are hosted on. Pretty easy to get passwords off of any fan site if they allow uploads of photos. https://null-byte.wonderhowto.com/how-to/hack-forum-accounts-with-password-stealing-pictures-0179953/


@Faux Play.6104 said:

@Shikigami.4013 said: What is the reason for letting people include images in their actual post but being scared of allowing people to use images for their avatars? I cannot find any justification for keeping the "no image upload allowed" policy for your avatar when you can include any image into any of your posts.

Security issue. It is possible to use images to extract information from the system they are hosted on. Pretty easy to get passwords off of any fan site if they allow uploads of photos.

Then, can someone go get our passwords off the old forums? If not, why would this one be different? If so, why wasn't there a rash of stolen passwords, and why would the same password be used for game accounts and the forum?


@Inculpatus cedo.9234 said:

@Shikigami.4013 said: What is the reason for letting people include images in their actual post but being scared of allowing people to use images for their avatars? I cannot find any justification for keeping the "no image upload allowed" policy for your avatar when you can include any image into any of your posts.

Security issue. It is possible to use images to extract information from the system they are hosted on. Pretty easy to get passwords off of any fan site if they allow uploads of photos.

Then, can someone go get our passwords off the old forums? If not, why would this one be different? If so, why wasn't there a rash of stolen passwords, and why would the same password be used for game accounts and the forum?

Most gold sellers are stolen accounts. Why do you think they pushed two factor authentication? Most hacked accounts are likely from bad passwords or harvesting from third party sites, but anet likely doesn't want to assume the liability for verifying images are clean. Also, an avatar gets loaded a lot more than a single post in a thread. Personally I turn off all signatures and avatars if I can and stick to the official sites.


@Faux Play.6104 said:

@Shikigami.4013 said: What is the reason for letting people include images in their actual post but being scared of allowing people to use images for their avatars? I cannot find any justification for keeping the "no image upload allowed" policy for your avatar when you can include any image into any of your posts.

Security issue. It is possible to use images to extract information from the system they are hosted on. Pretty easy to get passwords off of any fan site if they allow uploads of photos.

Then, can someone go get our passwords off the old forums? If not, why would this one be different? If so, why wasn't there a rash of stolen passwords, and why would the same password be used for game accounts and the forum?

Most gold sellers are stolen accounts. Why do you think they pushed two factor authentication? Most hacked accounts are likely from bad passwords or harvesting from third party sites, but anet likely doesn't want to assume the liability for verifying images are clean. Also, an avatar gets loaded a lot more than a single post in a thread. Personally I turn off all signatures and avatars if I can and stick to the official sites.

Again, why was it ok for 5 years, and not now?


@Inculpatus cedo.9234 said:

@Shikigami.4013 said: What is the reason for letting people include images in their actual post but being scared of allowing people to use images for their avatars? I cannot find any justification for keeping the "no image upload allowed" policy for your avatar when you can include any image into any of your posts.

Security issue. It is possible to use images to extract information from the system they are hosted on. Pretty easy to get passwords off of any fan site if they allow uploads of photos.

Then, can someone go get our passwords off the old forums? If not, why would this one be different? If so, why wasn't there a rash of stolen passwords, and why would the same password be used for game accounts and the forum?

Most gold sellers are stolen accounts. Why do you think they pushed two factor authentication? Most hacked accounts are likely from bad passwords or harvesting from third party sites, but anet likely doesn't want to assume the liability for verifying images are clean. Also, an avatar gets loaded a lot more than a single post in a thread. Personally I turn off all signatures and avatars if I can and stick to the official sites.

Again, why was it ok for 5 years, and not now?

Is that ever a good rationale for doing something? I'm stating why I don't think it is a good idea, and never was a good idea. I doubt they will give you the real reason, but security and the effort it takes to ensure it if you allow images is likely one of the major reasons.


@Faux Play.6104 said:

@"Inculpatus cedo.9234" said: Strange that there weren't massive account compromises during that whole 5-year period if security was such an issue. Or, even now, since the old forums are still accessible, and thousands of posts/pictures will be...forever.

From Sept 2012...

"Hackers have lists of email addresses and passwords stolen from other games and websites, and collected through spyware, and are systematically testing 'Guild Wars 2' looking for matching accounts," ArenaNet staff wrote on this wiki page tracking the issue.....And they warn players to make sure they are using a unique password that has never been used anywhere else.

“and collected through spyware” in other words, the user’s computer was infected with a virus that collected login information. That’s not about pictures on a forum. It’s about people reusing the same password over many sites, some of which are not secure. People reusing passwords on multiple sites is why all old passwords were blocked back then and everyone was required to make a new and unique password.


@Just a flesh wound.3589 said:

@"Inculpatus cedo.9234" said: Strange that there weren't massive account compromises during that whole 5-year period if security was such an issue. Or, even now, since the old forums are still accessible, and thousands of posts/pictures will be...forever.

From Sept 2012...

"Hackers have lists of email addresses and passwords stolen from other games and websites, and collected through spyware, and are systematically testing 'Guild Wars 2' looking for matching accounts," ArenaNet staff wrote on this wiki page tracking the issue.....And they warn players to make sure they are using a unique password that has never been used anywhere else.

“and collected through spyware” in other words, the user’s computer was infected with a virus that collected login information. That’s not about pictures on a forum. It’s about people reusing the same password over many sites, some of which are not secure. People reusing passwords on multiple sites is why all old passwords were blocked back then and everyone was required to make a new and unique password.

Regardless of what you may think, allowing people to post files to your webserver is a risk. I think it is smart for them to have that done on a site that specializes in it vs. accepting the files on their server. Not long ago Gaile Gray's account was hacked. Do you really think they make public announcements every time a normal player's account gets hacked?


@Faux Play.6104 said:

@"Inculpatus cedo.9234" said: Strange that there weren't massive account compromises during that whole 5-year period if security was such an issue. Or, even now, since the old forums are still accessible, and thousands of posts/pictures will be...forever.

From Sept 2012...

"Hackers have lists of email addresses and passwords stolen from other games and websites, and collected through spyware, and are systematically testing 'Guild Wars 2' looking for matching accounts," ArenaNet staff wrote on this wiki page tracking the issue.....And they warn players to make sure they are using a unique password that has never been used anywhere else.

“and collected through spyware” in other words, the user’s computer was infected with a virus that collected login information. That’s not about pictures on a forum. It’s about people reusing the same password over many sites, some of which are not secure. People reusing passwords on multiple sites is why all old passwords were blocked back then and everyone was required to make a new and unique password.

Regardless of what you may think, allowing people to post files to your webserver is a risk. I think it is smart for them to have that done on a site that specializes in it vs. accepting the files on their server. Not long ago Gaile Gray's account was hacked. Do you really think they make public announcements every time a normal player's account gets hacked?

Gaile Gray’s GW1 account was hacked because someone in support gave out account information without properly verifying ownership. That has nothing to do with posting files on a web server, and thus is irrelevant to a discussion of whether or not files have login information attached.

Mike O Brien President -- ArenaNet

Last night a hacker socially engineered one of our CS agents to gain control of Gaile’s account, and accessed GW1 using it. Gaile of course has two-factor auth on her account, and despite the social engineering, the two-factor auth worked and protected her, so the hacker had no access to her forum or GW2 accounts. Only GW1 pre-dates our 2FA/SMS system.

Social Engineering: (in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

To socially engineer the CS agent, the hacker provided a variety of personal details about Gaile. But we don’t accept personal details as primary proof of account ownership. We require things like verifying billing info, two-factor auth, access to the account’s primary phone number, or access to its primary IP address in cases where IP address ownership is clearly established. When we can’t verify, we decline access, knowing that incorrectly declining is an unfortunate but better outcome than incorrectly granting access. These are all established and documented policies. We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.

We want to protect all accounts as much as we want to protect our own. Some of you were particularly concerned about the impact to the game of hacking a GM account. You should know that we don’t give GM accounts or any accounts the ability to cheat progress, synthesize items, or manipulate the game’s economy. We play the game the same way you play the game. The hacker was able to use Gaile’s GM access to manipulate guild trims, but mostly he handed out Gaile’s personal items that she had collected from years of playing GW1.

We take your account security seriously and will continue to do everything we can to ensure that our support team consistently applies this security policy and prioritizes protecting you from account hackers.


@Just a flesh wound.3589 said:

@"Inculpatus cedo.9234" said: Strange that there weren't massive account compromises during that whole 5-year period if security was such an issue. Or, even now, since the old forums are still accessible, and thousands of posts/pictures will be...forever.

From Sept 2012...

"Hackers have lists of email addresses and passwords stolen from other games and websites, and collected through spyware, and are systematically testing 'Guild Wars 2' looking for matching accounts," ArenaNet staff wrote on this wiki page tracking the issue.....And they warn players to make sure they are using a unique password that has never been used anywhere else.

“and collected through spyware” in other words, the user’s computer was infected with a virus that collected login information. That’s not about pictures on a forum. It’s about people reusing the same password over many sites, some of which are not secure. People reusing passwords on multiple sites is why all old passwords were blocked back then and everyone was required to make a new and unique password.

Regardless of what you may think, allowing people to post files to your webserver is a risk. I think it is smart for them to have that done on a site that specializes in it vs. accepting the files on their server. Not long ago Gaile Gray's account was hacked. Do you really think they make public announcements every time a normal player's account gets hacked?

Gaile Gray’s GW1 account was hacked because someone in support gave out account information without properly verifying ownership. That has nothing to do with posting files on a web server, and thus is irrelevant to a discussion of whether or not files have login information attached.

Last night a hacker socially engineered one of our CS agents to gain control of Gaile’s account, and accessed GW1 using it. Gaile of course has two-factor auth on her account, and despite the social engineering, the two-factor auth worked and protected her, so the hacker had no access to her forum or GW2 accounts. Only GW1 pre-dates our 2FA/SMS system.

Social Engineering: (in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

To socially engineer the CS agent, the hacker provided a variety of personal details about Gaile. But we don’t accept personal details as primary proof of account ownership. We require things like verifying billing info, two-factor auth, access to the account’s primary phone number, or access to its primary IP address in cases where IP address ownership is clearly established. When we can’t verify, we decline access, knowing that incorrectly declining is an unfortunate but better outcome than incorrectly granting access. These are all established and documented policies. We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.

We want to protect all accounts as much as we want to protect our own. Some of you were particularly concerned about the impact to the game of hacking a GM account. You should know that we don’t give GM accounts or any accounts the ability to cheat progress, synthesize items, or manipulate the game’s economy. We play the game the same way you play the game. The hacker was able to use Gaile’s GM access to manipulate guild trims, but mostly he handed out Gaile’s personal items that she had collected from years of playing GW1.

We take your account security seriously and will continue to do everything we can to ensure that our support team consistently applies this security policy and prioritizes protecting you from account hackers.

You seem to be happily ignoring the article on how one can get information using images on sites. Someone thought it didn't make sense to restrict posting images and I gave a rational reason. The other posts were in response to them not believing that there aren't and haven't been a lot of hacked accounts. As for Gaile Gray's account, the only reason they couldn't get into her gw2 account too was she enabled 2 factor authentication on it.

Link to comment
Share on other sites

I don't believe there have been a lot of compromised accounts due to posting images on the forums. If posting images on the forums had led to 'a lot' of compromised accounts, then posting images on the old forums would have been unavailable. Or are you suggesting that ArenaNet purposely left a major security breach open and unaddressed for 5 years? That is what would be hard to believe.


@Faux Play.6104 said:

@"Inculpatus cedo.9234" said: Strange that there weren't massive account compromises during that whole 5-year period if security was such an issue. Or, even now, since the old forums are still accessible, and thousands of posts/pictures will be...forever.

From Sept 2012...

"Hackers have lists of email addresses and passwords stolen from other games and websites, and collected through spyware, and are systematically testing 'Guild Wars 2' looking for matching accounts," ArenaNet staff wrote on this wiki page tracking the issue.....And they warn players to make sure they are using a unique password that has never been used anywhere else.

“and collected through spyware” in other words, the user’s computer was infected with a virus that collected login information. That’s not about pictures on a forum. It’s about people reusing the same password over many sites, some of which are not secure. People reusing passwords on multiple sites is why all old passwords were blocked back then and everyone was required to make a new and unique password.

Regardless of what you may think, allowing people to post files to your webserver is a risk. I think it is smart for them to have that done on a site that specializes in it vs. accepting the files on their server. Not long ago Gaile Gray's account was hacked. Do you really think they make public announcements every time a normal player's account gets hacked?

Gaile Gray’s GW1 account was hacked because someone in support gave out account information without properly verifying ownership. That has nothing to do with posting files on a web server, and thus is irrelevant to a discussion of whether or not files have login information attached.

Last night a hacker socially engineered one of our CS agents to gain control of Gaile’s account, and accessed GW1 using it. Gaile of course has two-factor auth on her account, and despite the social engineering, the two-factor auth worked and protected her, so the hacker had no access to her forum or GW2 accounts. Only GW1 pre-dates our 2FA/SMS system.

Social Engineering: (in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

To socially engineer the CS agent, the hacker provided a variety of personal details about Gaile. But we don’t accept personal details as primary proof of account ownership. We require things like verifying billing info, two-factor auth, access to the account’s primary phone number, or access to its primary IP address in cases where IP address ownership is clearly established. When we can’t verify, we decline access, knowing that incorrectly declining is an unfortunate but better outcome than incorrectly granting access. These are all established and documented policies. We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.

We want to protect all accounts as much as we want to protect our own. Some of you were particularly concerned about the impact to the game of hacking a GM account. You should know that we don’t give GM accounts or any accounts the ability to cheat progress, synthesize items, or manipulate the game’s economy. We play the game the same way you play the game. The hacker was able to use Gaile’s GM access to manipulate guild trims, but mostly he handed out Gaile’s personal items that she had collected from years of playing GW1.

We take your account security seriously and will continue to do everything we can to ensure that our support team consistently applies this security policy and prioritizes protecting you from account hackers.

You seem to be happily ignoring the article on how one can get information using images on sites. Someone thought it didn't make sense to restrict posting images and I gave a rational reason. The other posts were in response to them not believing that there aren't and haven't been a lot of hacked accounts. As for Gaile Gray's account, the only reason they couldn't get into her gw2 account too was she enabled 2 factor authentication on it.

Her account being hacked has nothing to do with the situation being discussed, which is files and security. As it has nothing to do with the topic there was no reason for it to be brought up in this thread.

As for this part

Do you really think they make public announcements every time a normal player's account gets hacked?

No, they don’t. And they might not have announced hers except the hacker told everyone on Guild Wars 1 chat and was handing out her stuff. In addition, people were taking screenshots and there were several threads about it on at least 3 separate forums (gw1, gw2 official forum, and Reddit). So many people knew that the company had to say something and explain what happened.

The other posts were in response to them not believing that there aren't and haven't been a lot of hacked accounts.

The previous hacked accounts had nothing to do with files either. They also had nothing to do with anet’s security and everything to do with players having computers with spyware and reusing login information from sites that are not secure. Since the discussion is about files and security, the number of hacked accounts from spyware and reusing login info from unsafe sites is also irrelevant as it tells us nothing about whether or not files are safe to use.

You seem to be happily ignoring the article on how one can get information using images on sites.

That still doesn’t explain why they allow images now and for the last 5 years. Either it’s unsafe or it hasn’t been unsafe.


@Just a flesh wound.3589 said:

@"Inculpatus cedo.9234" said: Strange that there weren't massive account compromises during that whole 5-year period if security was such an issue. Or, even now, since the old forums are still accessible, and thousands of posts/pictures will be...forever.

From Sept 2012...

"Hackers have lists of email addresses and passwords stolen from other games and websites, and collected through spyware, and are systematically testing 'Guild Wars 2' looking for matching accounts," ArenaNet staff wrote on this wiki page tracking the issue.....And they warn players to make sure they are using a unique password that has never been used anywhere else.

“and collected through spyware” in other words, the user’s computer was infected with a virus that collected login information. That’s not about pictures on a forum. It’s about people reusing the same password over many sites, some of which are not secure. People reusing passwords on multiple sites is why all old passwords were blocked back then and everyone was required to make a new and unique password.

Regardless of what you may think, allowing people to post files to your webserver is a risk. I think it is smart for them to have that done on a site that specializes in it vs. accepting the files on their server. Not long ago Gaile Gray's account was hacked. Do you really think they make public announcements every time a normal player's account gets hacked?

Gaile Gray’s GW1 account was hacked because someone in support gave out account information without properly verifying ownership. That has nothing to do with posting files on a web server, and thus is irrelevant to a discussion of whether or not files have login information attached.

Last night a hacker socially engineered one of our CS agents to gain control of Gaile’s account, and accessed GW1 using it. Gaile of course has two-factor auth on her account, and despite the social engineering, the two-factor auth worked and protected her, so the hacker had no access to her forum or GW2 accounts. Only GW1 pre-dates our 2FA/SMS system.

Social Engineering: (in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

To socially engineer the CS agent, the hacker provided a variety of personal details about Gaile. But we don’t accept personal details as primary proof of account ownership. We require things like verifying billing info, two-factor auth, access to the account’s primary phone number, or access to its primary IP address in cases where IP address ownership is clearly established. When we can’t verify, we decline access, knowing that incorrectly declining is an unfortunate but better outcome than incorrectly granting access. These are all established and documented policies. We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.

We want to protect all accounts as much as we want to protect our own. Some of you were particularly concerned about the impact to the game of hacking a GM account. You should know that we don’t give GM accounts or any accounts the ability to cheat progress, synthesize items, or manipulate the game’s economy. We play the game the same way you play the game. The hacker was able to use Gaile’s GM access to manipulate guild trims, but mostly he handed out Gaile’s personal items that she had collected from years of playing GW1.

We take your account security seriously and will continue to do everything we can to ensure that our support team consistently applies this security policy and prioritizes protecting you from account hackers.

You seem to be happily ignoring the article on how one can get information using images on sites. Someone thought it didn't make sense to restrict posting images and I gave a rational reason. The other posts were in response to them not believing that there aren't and haven't been a lot of hacked accounts. As for Gaile Gray's account, the only reason they couldn't get into her GW2 account too was she enabled 2 factor authentication on it.

Her account being hacked has nothing to do with the situation being discussed, which is files and security. As it has nothing to do with the topic there was no reason for it to be brought up in this thread.

As for this part

Do you really think they make public announcements every time a normal player's account gets hacked?

No, they don’t. And they might not have announced hers except the hacker told everyone on Guild Wars 1 chat and was handing out her stuff. In addition, people were taking screenshots and there were several threads about it on at least 3 separate forums (gw1, gw2 official forum, and Reddit). So many people knew that the company had to say something and explain what happened.

The other posts were in response to them not believing that there aren't and haven't been a lot of hacked accounts.

The previous hacked accounts had nothing to do with files either. They also had nothing to do with ANet’s security and everything to do with players having computers with spyware and reusing login information from sites that are not secure. Since the discussion is about files and security, the number of hacked accounts from spyware and reusing login info from unsafe sites is also irrelevant as it tells us nothing about whether or not files are safe to use.

You seem to be happily ignoring the article on how one can get information using images on sites.

That still doesn’t explain why they allow images now and for the last 5 years. Either it’s unsafe or it hasn’t been unsafe.

The images they allow now are on a 3rd party site vs on their server. That limits what information someone can get at. If you aren't constantly keeping up with vulnerabilities it won't be safe to allow people to load files onto your webserver. Since the 3rd party sites specialize in hosting image files, they should have more resources to detect and eliminate bad files.

@Faux Play.6104 said: The images they allow now are on a 3rd party site vs on their server. That limits what information someone can get at. If you aren't constantly keeping up with vulnerabilities it won't be safe to allow people to load files onto your webserver. Since the 3rd party sites specialize in hosting image files, they should have more resources to detect and eliminate bad files.

Ok. But I still don’t understand why the old images weren’t a problem for the last 5 years. I posted lots of images as did many other people. I never had an attempted hack from them and I’ve never heard ANet say it’s a problem and suggest imgur or other 3rd party site to avoid account hacks. Surely if they had a security issue they would have done something years ago. Hacked accounts cost them money out of their support budget and a few words about a security breach would save them a lot of money. So why now? Is this forum setup markedly less secure?

  • ArenaNet Staff

@Just a flesh wound.3589 said:

@Faux Play.6104 said: The images they allow now are on a 3rd party site vs on their server. That limits what information someone can get at. If you aren't constantly keeping up with vulnerabilities it won't be safe to allow people to load files onto your webserver. Since the 3rd party sites specialize in hosting image files, they should have more resources to detect and eliminate bad files.

Ok. But I still don’t understand why the old images weren’t a problem for the last 5 years. I posted lots of images as did many other people. I never had an attempted hack from them and I’ve never heard ANet say it’s a problem and suggest imgur or other 3rd party site to avoid account hacks. Surely if they had a security issue they would have done something years ago. Hacked accounts cost them money out of their support budget and a few words about a security breach would save them a lot of money. So why now? Is this forum setup markedly less secure?

No, I'd say this forum setup is markedly more secure. I asked some of the same questions you've asked about why we operated one way in the past, and are now operating differently. I guess in the end it's sufficient to say that we believe we're using the best security protocols, after extensive review, and I'm personally happy that we can have images and a level of forum security that those responsible for the pre-launch review felt was an essential element of these new forums.

Last year a bunch of literal digital weapons were taken by computer bad apples and put into their labs to make new ways to bypass security. Did you know that even having a basic WPA2 wifi connection in your house is actually a breach a hacker could use to infiltrate your home network? No matter the passwords, firewalls or anti-malware. Well, it is, and if you have important stuff other people could want to steal, better stick to cable connections.

My point is that, while this forum is, no doubt, much more secure than the previous one, our environment is WAY MORE DANGEROUS NOW. So I have to support even the tiniest effort the ANet team makes to keep things safe. It can be uncomfortable, but today it is needed.

@Faux Play.6104 said: The images they allow now are on a 3rd party site vs on their server. That limits what information someone can get at. If you aren't constantly keeping up with vulnerabilities it won't be safe to allow people to load files onto your webserver. Since the 3rd party sites specialize in hosting image files, they should have more resources to detect and eliminate bad files.

Well, if it was to be an attack like the one detailed in the link you posted earlier, the server on which it's hosted doesn't matter; it could be hosted anywhere. Also, allowing images to be pulled from a 3rd party server is even more insecure for the type of attack described in that article.

However, it's very likely that those 3rd party hosting services would do something to strip info that's not image data from those files, but what if they didn't? The attack would still be possible, even if the image is hosted somewhere else! What makes it safer is denying code from being posted in the comment field (which luckily this and the old forums always did); that, in addition to a carefully crafted image, is what makes the attack possible.

Point is, for sure nobody is denying that it's possible to exploit vulnerabilities through images, but simply denying uploads with that as the reason doesn't fully make sense. It could be a factor, yes, but it's not the complete response. If allowing image upload is a security threat, more than 90% of the web is doomed then (bye Facebook, Instagram, Imgur, TinyPic, Google....). Images alone don't offer any threat, and hosting images alone doesn't either.

It's like fire: it depends on exact components to exist; remove one and the fire is extinguished. As that article even stated at the end, just a simple sanitization of posts and form contents is what's needed to prevent that type of attack. Denying image uploads altogether for that reason is like using dynamite to kill a cockroach.
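The post above mentions image hosts stripping "info that's not image data" from uploaded files. As an added example (not part of the thread, and not any host's actual code), here is one way such a filter could work for JPEG: it drops comment and metadata segments and anything appended after the end-of-image marker. The function name, the choice to keep only APP0 and APP14, and the sample bytes are all assumptions constructed for illustration.

```python
KEEP_APP = {0xE0, 0xEE}   # assumption: keep APP0 (JFIF) and APP14 (Adobe colour info)

def strip_jpeg(data: bytes) -> bytes:
    """Return the JPEG without COM/APPn metadata segments or post-EOI bytes."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out, i = bytearray(b"\xff\xd8"), 2
    while True:
        if i + 2 > len(data) or data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xD9:                      # EOI: stop here, drop any trailer
            return bytes(out + b"\xff\xd9")
        length = int.from_bytes(data[i + 2:i + 4], "big")
        end = i + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {i}")
        if marker != 0xFE and not (0xE0 <= marker <= 0xEF and marker not in KEEP_APP):
            out += data[i:end]                  # keep tables, frame and scan headers
        i = end
        if marker == 0xDA:                      # SOS: copy entropy-coded scan data
            j = i
            while True:
                j = data.find(b"\xff", j)
                if j < 0 or j + 1 >= len(data):
                    raise ValueError("scan data not terminated")
                nxt = data[j + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:   # stuffed FF or RSTn
                    j += 2
                elif nxt == 0xFF:                        # fill byte
                    j += 1
                else:
                    break                                # next real marker
            out += data[i:j]
            i = j

def seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: structurally valid JPEG segments, not a decodable picture.
SAMPLE = (b"\xff\xd8"
          + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(0xFE, b"<script>/* constructed placeholder */</script>")
          + seg(0xE1, b"Exif\x00\x00constructed-metadata")
          + seg(0xDB, bytes(65))
          + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9"
          + b"TRAILING-constructed-bytes")
```

This filters structure only; decoding the image and re-encoding the pixels is a stricter alternative, and sanitizing post and form contents, as the post says, is still needed on the forum side.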
