Concerns Raised Over LOTRO Forums Security (Updated)

communityOn 17th October 2011 there was a security issue regarding the official LOTRO forums and community web applications. It was officially recognised by Turbine who stated that they had taken the forums offline and subsequently resolved the matter. This generated a great deal of debate within the community, with some players of a technical disposition, claiming that the problem was a lot worse. Data was posted on the unofficial LOTRO forums, that allegedly verified this. Since then, Turbine have regularly stated that they will be upgrading the existing suite of sites and applications. However, one year later, these services still remain in beta status.

At the beginning of February  a thread appeared on the official forums under the title of “Turbine, when are you going to fix the forums”. It soon developed into a technical debate and once again the subject of security raised its head. It was claimed that “the forum login also uses completely unencrypted forms, leaking your password (which is the game password) to everybody listening on the network”. There then followed some interesting technical exchanges, until eventually Sapience interceded and made the following statement. “As much of this thread seems to be devolving into an attempt to pass false statements off as fact, we’re done here. That said, I’ll restate what I have said several times now. The community sites are slated for a major overhaul. We’re talking a ground up rethink and some functions will be carried forward and others will not. In fact, it is probably the larger portion that will not be carried forward”. The Thread was then closed.

Security thread closure post

As a result of this, the debate simply transferred to the unofficial LOTRO forums, where further data was posted regarding the matter. Once again the discussion is mainly of a technical nature from individuals with a technical background. The main bone of contention seems to be regarding levels of encryption and potential vulnerabilities. It is also noted that this matter was raised originally last October and that the information was communicated to Turbine.

As a customer of Turbine and a fan of LOTRO, I am legitimately and appropriately concerned about this issue. I am not advocating that we jump to any erroneous conclusions but I do not feel comfortable with Turbines position of simply writing off such claims as “false statements”. A cry of “fire” does not always prove to be true but it would be foolish not to check. Therefore I would like to suggest the following. If you are a LOTRO player with IT skills or better still, direct expertise in this field, please read the thread on the unofficial forums. Then leave some feedback at the as to whether you think the claims are valid or not.

I would also urge all parties to put aside any partisan views they may have and not to indulge in any mudslinging and petty bickering. Simply put, this matter is too important to be trivialised. If the assertions that have been made are proven to be true then there is a serious matter to be addressed. If these concerns can be legitimately assuaged then that too will be beneficial. Finally, I would ask Turbine to respect the concerns of players and recognise that this is not some attempt by malcontents to malign them. Please do not confuse legitimate concern with trolling.

Update:

It would appear that the performance on the official forums is being questioned by players yet again. A further post has been made inferring that the site is still insecure. However, people are very reticent to directly approach the subject for fear of getting an infraction and the thread being locked or deleted. It really is time that Turbine made a clear and definitive statement regarding this matter and announced a timetable for repairing the forums.

Further forum security post

03.03.13

12 thoughts on “Concerns Raised Over LOTRO Forums Security (Updated)

  1. Douglas says:

    Yea, right… they are going to fix the forums like they fixed Draigoch(SP) like they fix the lag, like they fixed mounted combat… Turbine is a joke now… I cant believe i said that, because i loved Lotro, Played it since launch… But Since free to play Deception, Greed, & a total lack of customer relations/service has destroyed The game I once loved… good job for making me quit your game Turbine!

  2. Jonathan Baron says:

    It’s all a rather moot matter now, alas. Sadly this game has left the radar for most avid followers of the medium. First rate property, second rate engineering, third rate game design yet nearly everyone agrees that it has, and will likely continue to possess, the nicest community of them all. Six months late on a bug filled expansion still being delivered in pieces with mixed themes was likely the last straw. It was not security issues, loss of a coherent or appealing vision or the longest loading screen in this history of MMOs. No game, when revisited, so immediately and profoundly reminds you of why you left it than Lord of the Rings Online.

  3. Steven says:

    Riders of Rohan is without doubt my favourite Lotro expansion. It is far better designed than the linear Mines of Moria or the tiny Siege of Mirkood. Mounted Combat is far more enjoyable than the radiance grind (6 man PVE) or skirmishes of those expansions. Learn to set your in-game options and you might be able to play PC games properly.

  4. Roger Edwards says:

    And what exactly has this go to do with the price of Brussels Sprouts?

  5. FTW Online says:

    It’s nothing to do with it. Just your usual fanboy response that we’re getting used to with the lotro community.

  6. Steven says:

    As much as the previous post. I have posted on the official forums and have had no security problems.

  7. Roger Edwards says:

    Do you visit your local hospital to inform them of the illnesses you haven’t got?

  8. Brian says:

    /insert pithy and relevant comment here

  9. Nick Stern says:

    Turbine is a flat out joke they lie to cover up issues.
    Delete and ock threads on relevat topics to save face.
    Rick 9Sapience) Heaton suffers from little man syndrom you know what you get when you give a little man a little power.
    Threats and bans and locking and deleting of threads with relevant negative feedback has become the norm for Turbine.

    It is a shame since the Game itself was a great game and concept established on the greatest of IP’s.
    Only to be destroyed by Turbine and WB.

  10. Geoff says:

    The forum login is, in fact, insecure. Three different forum posters have posted that they can see the unencrypted info in packet captures, which I’ve also confirmed. If you can see plain-text usernames and passwords in Wireshark (which you can), it goes beyond inference, it’s a fact. It’s also a fact that Turbine is not acknowledging the issue.

    This is a more current thread than the one you have linked: http://forums.lotro.com/showthread.php?505218-Why-do-we-still-NOT-have-a-secure-login-for-the-community-site

  11. Roger Edwards says:

    Thanks for the update.

Leave a Reply