Concerns Raised Over LOTRO Forums Security, Gaming, LOTRO — February 23, 2013 at 14:56

Concerns Raised Over LOTRO Forums Security (Updated)

by

communityOn 17th October 2011 there was a security issue regarding the official LOTRO forums and community web applications. It was officially recognised by Turbine who stated that they had taken the forums offline and subsequently resolved the matter. This generated a great deal of debate within the community, with some players of a technical disposition, claiming that the problem was a lot worse. Data was posted on the unofficial LOTRO forums, that allegedly verified this. Since then, Turbine have regularly stated that they will be upgrading the existing suite of sites and applications. However, one year later, these services still remain in beta status.

At the beginning of February  a thread appeared on the official forums under the title of “Turbine, when are you going to fix the forums”. It soon developed into a technical debate and once again the subject of security raised its head. It was claimed that “the forum login also uses completely unencrypted forms, leaking your password (which is the game password) to everybody listening on the network”. There then followed some interesting technical exchanges, until eventually Sapience interceded and made the following statement. “As much of this thread seems to be devolving into an attempt to pass false statements off as fact, we’re done here. That said, I’ll restate what I have said several times now. The community sites are slated for a major overhaul. We’re talking a ground up rethink and some functions will be carried forward and others will not. In fact, it is probably the larger portion that will not be carried forward”. The Thread was then closed.

Security thread closure post

As a result of this, the debate simply transferred to the unofficial LOTRO forums, where further data was posted regarding the matter. Once again the discussion is mainly of a technical nature from individuals with a technical background. The main bone of contention seems to be regarding levels of encryption and potential vulnerabilities. It is also noted that this matter was raised originally last October and that the information was communicated to Turbine.

As a customer of Turbine and a fan of LOTRO, I am legitimately and appropriately concerned about this issue. I am not advocating that we jump to any erroneous conclusions but I do not feel comfortable with Turbines position of simply writing off such claims as “false statements”. A cry of “fire” does not always prove to be true but it would be foolish not to check. Therefore I would like to suggest the following. If you are a LOTRO player with IT skills or better still, direct expertise in this field, please read the thread on the unofficial forums. Then leave some feedback at the as to whether you think the claims are valid or not.

I would also urge all parties to put aside any partisan views they may have and not to indulge in any mudslinging and petty bickering. Simply put, this matter is too important to be trivialised. If the assertions that have been made are proven to be true then there is a serious matter to be addressed. If these concerns can be legitimately assuaged then that too will be beneficial. Finally, I would ask Turbine to respect the concerns of players and recognise that this is not some attempt by malcontents to malign them. Please do not confuse legitimate concern with trolling.

Update:

It would appear that the performance on the official forums is being questioned by players yet again. A further post has been made inferring that the site is still insecure. However, people are very reticent to directly approach the subject for fear of getting an infraction and the thread being locked or deleted. It really is time that Turbine made a clear and definitive statement regarding this matter and announced a timetable for repairing the forums.

Further forum security post

03.03.13

Related Posts Plugin for WordPress, Blogger...

12 Comments

  1. Yea, right… they are going to fix the forums like they fixed Draigoch(SP) like they fix the lag, like they fixed mounted combat… Turbine is a joke now… I cant believe i said that, because i loved Lotro, Played it since launch… But Since free to play Deception, Greed, & a total lack of customer relations/service has destroyed The game I once loved… good job for making me quit your game Turbine!

  2. It’s all a rather moot matter now, alas. Sadly this game has left the radar for most avid followers of the medium. First rate property, second rate engineering, third rate game design yet nearly everyone agrees that it has, and will likely continue to possess, the nicest community of them all. Six months late on a bug filled expansion still being delivered in pieces with mixed themes was likely the last straw. It was not security issues, loss of a coherent or appealing vision or the longest loading screen in this history of MMOs. No game, when revisited, so immediately and profoundly reminds you of why you left it than Lord of the Rings Online.

  3. Pingback: Kalex's Tome » | Kalex's Tome

  4. Riders of Rohan is without doubt my favourite Lotro expansion. It is far better designed than the linear Mines of Moria or the tiny Siege of Mirkood. Mounted Combat is far more enjoyable than the radiance grind (6 man PVE) or skirmishes of those expansions. Learn to set your in-game options and you might be able to play PC games properly.

  5. /insert pithy and relevant comment here

  6. Turbine is a flat out joke they lie to cover up issues.
    Delete and ock threads on relevat topics to save face.
    Rick 9Sapience) Heaton suffers from little man syndrom you know what you get when you give a little man a little power.
    Threats and bans and locking and deleting of threads with relevant negative feedback has become the norm for Turbine.

    It is a shame since the Game itself was a great game and concept established on the greatest of IP’s.
    Only to be destroyed by Turbine and WB.

  7. The forum login is, in fact, insecure. Three different forum posters have posted that they can see the unencrypted info in packet captures, which I’ve also confirmed. If you can see plain-text usernames and passwords in Wireshark (which you can), it goes beyond inference, it’s a fact. It’s also a fact that Turbine is not acknowledging the issue.

    This is a more current thread than the one you have linked: http://forums.lotro.com/showthread.php?505218-Why-do-we-still-NOT-have-a-secure-login-for-the-community-site

Leave a Reply