Bungie.net Community
Subject: Is There is something wrong (unsecure) with the passwords on BNET?

In Firefox, there is a "restore session" button, after your system unexpectedly shuts down. If you click on it though, all of your authenticated sessions (IE, Hotmail, passwords etc) do NOT restore (unless you clicked "save my password").

The thing though, is Bungie.Net seems to keep your session authenticated, no matter what. So basically, if you click the button, you still have the ability to post from your BNET account without re-entering your password. However, if you try to access XBOX or Hotmail, it will force you to enter your password. Hotmail may require you to clear your cache.

But Bungie.Net doesn't even force you to re-enter your password. That seems a tad bit insecure to me; why is BNET not forcing you to re-enter? I was under the impression that they got their authentication data from WLID, which does not show you as logged in if you click the restore session button.

Are there any potential security flaws from such an action? Because it appears that you could use this to your advantage, if you were a malicious individual. I don't think the "Restore session" button is important. Even on school websites (with lame programming) you HAVE TO RE-ENTER YOUR PASSWORD AFTER YOU RESTORE SESSION; there is definitely something odd about BNET and restore session.

I am unsure whether restore session on FF is the only thing which does this, or if IE has this problem as well.

[Edited on 02.24.2008 2:57 PM PST]

  • 02.24.2008 1:43 PM PDT

I don't trust the security of this site. I mean, they were stupid enough to make the forums look like crap by adding all of this junk to the side, so who knows how insecure this site could be.

  • 02.24.2008 1:54 PM PDT
  • gamertag: Cas7er

I've noticed this too. I wonder what the web team has to say about it, I'm sure they wouldn't have overlooked something like this. However, if they did, then I am preemptively blaming Stosh.

  • 02.24.2008 2:05 PM PDT

Posted by: Penstugs
I don't trust the security of this site. I mean, they were stupid enough to make the forums look like crap by adding all of this junk to the side, so who knows how insecure this site could be.


Um, I don't think that has anything to do with security.

  • 02.24.2008 2:05 PM PDT

Posted by: xfire grunt
Posted by: Penstugs
I don't trust the security of this site. I mean, they were stupid enough to make the forums look like crap by adding all of this junk to the side, so who knows how insecure this site could be.


Um, I don't think that has anything to do with security.


I'm just saying if they fail at making a good site layout then who knows how bad they fail at something like security. Accounts are probably being hacked as I type this. Remember what happened to Pezza? It's probably only a matter of time before something like that happens again.

  • 02.24.2008 2:10 PM PDT
  • Exalted Legendary Member

I get more ass than a toilet seat.

Posted by: xfire grunt
In Firefox, there is a "restore session" button, after your system unexpectedly shuts down. If you click on it though, all of your authenticated sessions (IE, Hotmail, passwords etc) do NOT restore (unless you clicked "save my password").

The thing though, is Bungie.Net seems to keep your session authenticated, no matter what. So basically, if you click the button, you still have the ability to post from your BNET account (which is what I am doing right now) without re-entering your password. However, if you try to access XBOX or Hotmail, it will force you to enter your password. Hotmail may require you to clear your cache.

But Bungie.Net doesn't even force you to re-enter your password. That seems a tad bit insecure to me; why is BNET not forcing you to re-enter? I was under the impression that they got their authentication data from WLID, which does not show you as logged in if you click the restore session button.

Are there any potential security flaws from such an action? Because it appears that you could use this to your advantage, if you were a malicious individual. I don't think the "Restore session" button is important. Even on school websites (with lame programming) you HAVE TO RE-ENTER YOUR PASSWORD AFTER YOU RESTORE SESSION; there is definitely something odd about BNET and restore session.

I am unsure whether restore session on FF is the only thing which does this, or if IE has this problem as well.


Well, if it has been happening recently it's probably because of the update.

  • 02.24.2008 2:19 PM PDT

Posted by: Aznb01p
Posted by: xfire grunt
In Firefox, there is a "restore session" button, after your system unexpectedly shuts down. If you click on it though, all of your authenticated sessions (IE, Hotmail, passwords etc) do NOT restore (unless you clicked "save my password").

The thing though, is Bungie.Net seems to keep your session authenticated, no matter what. So basically, if you click the button, you still have the ability to post from your BNET account (which is what I am doing right now) without re-entering your password. However, if you try to access XBOX or Hotmail, it will force you to enter your password. Hotmail may require you to clear your cache.

But Bungie.Net doesn't even force you to re-enter your password. That seems a tad bit insecure to me; why is BNET not forcing you to re-enter? I was under the impression that they got their authentication data from WLID, which does not show you as logged in if you click the restore session button.

Are there any potential security flaws from such an action? Because it appears that you could use this to your advantage, if you were a malicious individual. I don't think the "Restore session" button is important. Even on school websites (with lame programming) you HAVE TO RE-ENTER YOUR PASSWORD AFTER YOU RESTORE SESSION; there is definitely something odd about BNET and restore session.

I am unsure whether restore session on FF is the only thing which does this, or if IE has this problem as well.


Well, if it has been happening recently it's probably because of the update.

I don't normally use the "Restore Session Button". I used it 3 days ago and found this out.

  • 02.24.2008 2:37 PM PDT

» Sincerely, Dan

Well for one thing, web design and security are completely different matters - your argument makes no sense. Just because your personal opinion is that you don't like the design, that has nothing to do with the competency of the web team. Anyways, most people (including me) like the new design. That's opinion, security is a different matter.

Anyways, you are authenticated through your Windows Live ID. You are kept authenticated through secure, encrypted cookies. This is not a flaw in the website or anything else, and you are completely secure. If you want this to be cleared just also check "Cookies" in Firefox's Clear Private Data feature.

  • 02.24.2008 3:26 PM PDT

Bow to me!

It's ok, there is nothing to be scared of. The restore session feature is just cache saved on your browser. The only way this could be malicious is if a hacker stole your saved cache off your FF browser. Bungie doesn't require you to enter your password because you CHOSE to save it in your cache.

If you are stupid enough to save your email and password on a school computer, worrying about somebody stealing it, that is your fault. If you want to remove your password from the cache, just delete it. There is nothing insecure about Bnet. Bnet is linked to WLID anyways; your credentials are all in Microsoft's security system, bungie only holds your Bnet account info such as username, and online games.

EDIT: Cache has an expiration date; temporary pages such as email cannot be saved in cache. Another example of such is when you're posting a topic, all the info you typed in cannot be saved in cache. Therefore, there is nothing for you to restore. However if you would like a newer version of the page, you will likely have to re-enter your password unless saved.

Bottom line is, there is nothing wrong with the system; as long as your computer has its proper antivirus and other important security you'll be fine. No security on your comp? Neither Bungie nor Microsoft is liable. It's just your problem.


[Edited on 02.24.2008 3:33 PM PST]

  • 02.24.2008 3:28 PM PDT

» Sincerely, Dan

ecartman1214, I believe you're talking about cookies. Cache doesn't relate to sessions.

  • 02.24.2008 3:38 PM PDT

Official Town Drunk of Sandwichia. Nation of the Flood.
MBT - Impossible Just Happened
* How is it that "Fat Chance" and "Slim Chance" mean the same thing?
* If you choke a Smurf, what color will it turn?


Posted by: Penstugs
I don't trust the security of this site. I mean, they were stupid enough to make the forums look like crap by adding all of this junk to the side, so who knows how insecure this site could be.


lol ya I agree. What stupid people to advertise job openings in their own company on their website. Like come on, who does that nowadays.[/sarcasm]


And the only thing that makes passwords insecure on Bungie.net is the fact that Microsoft is in charge of security on XBL, so it's really only dangerous to those with linked GTs.

  • 02.24.2008 3:42 PM PDT

I don't think you guys know how the restore feature on FF works. Basically, every other authenticated session (including all WLID such as XBOX and Hotmail) forces you to re-enter your password. BNET does not force you to re-enter your password. Your password information is apparently still there or something. All other WLID sites (that I use) force you to re-enter your password after restore session. Even school sites (where you don't click remember my password) force you to relogin.

This doesn't have anything to do with remembering your password. It remembers regardless of the button you click, if you click "restore session".

I can already identify one crummy security flaw (I have no "hacker experience"). Let's say you saw a kid on BNET next to you in the school computer lab. Just yank his computer cord, and say "Dude your computer died". Now boot it back up and click on FF. You are in his BNET account.

  • 02.24.2008 3:50 PM PDT

» Sincerely, Dan

Doubtfully, the essential cookies are set to expire at the end of your session.

  • 02.25.2008 6:39 AM PDT
  • Exalted Legendary Member

Mourne not your comrades who must dwell / too strong to strive -
Within each steel-bound coffin of a cell, / Buried alive;
But rather mourne the apathetic throng / The cowed, and the meek -
Who see the world’s great anguish and its wrong / And dare not speak.

[group]167741|Diner|Where's the food?[/group]

Well, you're right that B.net does not require you to log back in after a crash. But you're wrong in that no other site I tested requires you to log back in, either, including mail.live.com and xbox.com. How many times have you tested this to come to your conclusions, and what process did you use?

What probably happens is that since you got off without signing out, b.net (as well as the other sites) has no reason to believe that you aren't still there. So on their side, they have a little piece of information that says "user aku is logged in, and you can validate that it's him with this code". While on our side, the restore function brings up all the information from the past session, including the sites you were on, and the cookies that say whether or not you are logged in. So when you try to access the site, your computer tells their server "hey I'm logged in, this is my code". Usually, after a period of inactivity, that code will expire, so that their server would respond by saying that that code is incorrect, and asking you to log in again. But since you were logged in just a few minutes ago, the code wouldn't have time to expire, and as far as the server knows, it's no different than if you were to leave your window open for a few minutes.

I don't think that there is any way the site could even know that you left. In fact, after some testing, I don't think even FF can prevent that from happening. A crash is not considered to be a close, so those options aren't working. The only way to truly make sure that no one has access to your sessions is to delete your cookies, or manually close Firefox with the option to "clear cookies on exit" checked.

This would rarely, if ever, be a problem though. Most school, and many other public, systems require you to log into a personal account in order to use a computer. So as long as you log out properly, the next person will have no way to access your information. Many other systems that do not have personal logins still have a general login. Information is typically not saved from one session to another on those systems. If you are ever using a computer that has no login system whatsoever, you should probably just avoid entering any sensitive information. Such a system is not very secure. But you could minimize it by manually deleting all cookies before leaving. If the computer unexpectedly crashes, just stick around long enough to get back to FF and delete your cookies.

This is all very over-the-top though. In reality, the odds of meeting a person who has any interest in your B.net account in a computer lab are so slim that I think I'd have a better chance of getting hit by lightning. I would be much more worried about my email and bank accounts, to name only a couple things.
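The mechanism aku describes above (the server keeps "user X is logged in, validate with this code", the browser presents the code from a cookie, and only a server-side inactivity timeout ends the session) as an added example; this is not code from the thread, from Bungie.net or from Firefox. The SessionStore class, the cookie name sid and the timeout values are assumptions; the point it shows is that a browser-side "session" cookie (no Expires attribute) gives no protection once session restore puts the cookie back, so the server's own idle timeout is what actually decides.

```python
import secrets
import time

# Constructed demo: server-side session records with an idle timeout and an
# absolute cap. Timeout values are assumptions, not any real site's settings.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the code expires
ABSOLUTE_TIMEOUT = 12 * 3600  # hard cap on session lifetime regardless of use


class SessionStore:
    """Hypothetical server-side store: code -> who is logged in, and when."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so tests can jump time
        self.sessions = {}          # code -> {"user", "created", "last_seen"}

    def login(self, user):
        code = secrets.token_urlsafe(32)   # unguessable session code
        now = self.clock()
        self.sessions[code] = {"user": user, "created": now, "last_seen": now}
        return code

    def validate(self, code):
        """Return the user for a presented code, or None if the code is
        unknown or expired. A successful check refreshes last_seen."""
        s = self.sessions.get(code)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self.sessions[code]        # expired: the client must log in again
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, code):
        # Explicit logout is the only client action that ends the session early.
        self.sessions.pop(code, None)


def set_cookie_header(code):
    # Session-scoped cookie (no Expires/Max-Age): dropped on a clean browser
    # exit, but a crash-restore hands it back unchanged, so the attributes
    # here limit exposure (HTTPS only, no script access) but do not end it.
    return f"Set-Cookie: sid={code}; Path=/; Secure; HttpOnly"


def restore_scenario(idle_seconds):
    """Simulate: log in, browser crashes, session restore presents the same
    cookie after idle_seconds of inactivity. Returns the user the server
    still recognises, or None if the server has already expired the code."""
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    code = store.login("aku")
    clock[0] += idle_seconds      # time passes; the restored cookie is unchanged
    return store.validate(code)


if __name__ == "__main__":
    print("restore after 2 min:", restore_scenario(120))              # aku
    print("restore after 16 min:", restore_scenario(IDLE_TIMEOUT + 1))  # None
```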

  • 02.25.2008 8:30 AM PDT

» Sincerely, Dan

Simply remember to log out when on a public computer; this should go for any site you ever visit. aku seems to have hit it right on the mark ;)

  • 02.25.2008 8:33 AM PDT

Twitter | Nothing

Like aku said, this happens on most, if not all, sites that use WLID. As far as I can see it's not a problem with Bungie.net but with the WLID system.

  • 02.25.2008 8:50 AM PDT

every other virtual=61

ID=?

If you are signed into MSN Messenger, or any other Windows Live ID companion service, and you visit another Windows Live ID enabled website, you will be automatically logged in if you haven't adjusted your settings to prevent such behavior. Yahoo also does something similar with their family of websites. I had to go and disable the default "convenience" settings in both MSN Messenger and in Yahoo.

[Edited on 02.25.2008 11:24 AM PST]

  • 02.25.2008 11:24 AM PDT

Posted by: Maimum FEAR
Like aku said, this happens on most, if not all, sites that use WLID. As far as I can see it's not a problem with Bungie.net but with the WLID system.


No, I don't think you are correct. If I click on restore session (after clicking "Do not remember me on this computer"), Xbox asks me to put in my password info again. Hotmail just never loads.

I don't think you are correct in your allegations that other sites don't function this way.

BTW though, I never said anything about the site layout and security. This thread has to do with the WLID and FF Restore Session.

  • 02.25.2008 4:31 PM PDT

Tom Achronos
Bungie.net Overlord
twitter: http://twitter.com/Achronos

"I have no words that would do justice to the atrocities you commit to the English language, as well as your continued assaults on the concepts of basic literacy and logical reasoning."

No, there isn't anything wrong. Although I think I know why bungie.net doesn't ask for your login again - but I'd rather not talk about our WLID configuration parameters.

Bungie.net is generally very secure - every instance that people claim to engage in "hacking" is always some kind of social engineering attack on a site outside of our control.

Protect your personal information and don't use the same password everywhere. There are limits to what we can do though, especially if your local machine were compromised.

  • 02.25.2008 4:47 PM PDT

Community Carnage group
They call me Arch. YOU SHALL NOT PASS!

Posting on the forums: 5 minutes.
Making a thread: 20 minutes.
Claiming you are the alt of a banned account: Priceless.
For everything else, there's stosh.

All I have to say is that if you're thinking of hacking, good luck, and grow the F*** up please!

  • 02.25.2008 4:49 PM PDT

Posted by: ArchAssain
All I have to say is that if you're thinking of hacking, good luck, and grow the F*** up please!


I'm going to school for hacking. Ha.

  • 02.25.2008 4:56 PM PDT

Community Carnage group

lmao what I was saying is why bother when you know people have put so much work into everything on this site. Why destroy it for someone who is innocently trying to be a part of the community... how childish. But bungie is like a boulder; you're gonna need a bit more than a firecracker to stop them lol

  • 02.25.2008 4:58 PM PDT

Posted by: Achronos
No, there isn't anything wrong. Although I think I know why bungie.net doesn't ask for your login again - but I'd rather not talk about our WLID configuration parameters.

Bungie.net is generally very secure - every instance that people claim to engage in "hacking" is always some kind of social engineering attack on a site outside of our control.

Protect your personal information and don't use the same password everywhere. There are limits to what we can do though, especially if your local machine were compromised.

All right, thanks for the information. I wasn't that worried about hackers (and my local machine is in safe hands), but it seemed that this may have been a potential problem.

I do use a different password for everything, but the inherent problem with the WLID is that if one thing goes down, everything goes down.

  • 02.25.2008 7:56 PM PDT

Bow to me!

Technically if Windows Live fails this website might fail, but that won't happen. Microsoft is not stupid, er, that stupid.

And btw my post from earlier is 100% accurate. I know this because my job requires me working around military computers; naturally their security is of the utmost importance. Restore session is nothing more than cache data (passwords etc. are cookies yes, but cookies are cache data) that Firefox stores on every webpage you visit. In case of emergency shutdown this information is all saved on your computer or "local machine". Achronos only proved the point that I already made.

BTW cache relates ALL to your restored session. What is cache? On a computer it is information stored from websites and programs you have loaded so they will load faster. Cache can also be used to store a "memory" of the website you have just visited. It would be impossible for the browser to restore a session without this information.

Edit: Also if you're using FF on a school comp, it's wise to disable the restore session feature.

[Edited on 02.25.2008 9:16 PM PST]

  • 02.25.2008 9:07 PM PDT