Wartune Potential Security Flaw & Migration

Hey everyone, there was some weird news today in Wartune about a potential security flaw being identified and a data migration being started. I didn’t see anything about this in official announcements; perhaps they will post later. Basically, you get an event inside the game called ACCOUNT SIGN IN:

Update: this seems to be an R2 – WonderHill specific issue (Thanks Anders).

Wartune security breach Nov 2017 - 1OPT

They added a reward for this because they want all players to do it, which is expected. So after you click on that you get this “scary” screen:

Wartune security breach Nov 2017 - 2OPT

And it is on that screen where it says at the bottom that there has been a security flaw identified and actions were taken to do a data migration.

Once you pass this screen you get the confirmation with a code which can be redeemed for the mentioned rewards. This confirmation also goes to your email used in the previous step.

Wartune security breach Nov 2017 - 3OPT

And finally you get the rewards in the mail:

Wartune security breach Nov 2017 - 4OPT

The interesting and dangerous thing is that with this system anyone who has access to the account (even a temporary helper who was given login/pass) can perhaps fully take over ownership of the account without the original owner knowing about it.

But what is most weird about this whole thing is that, just like the governments, they keep everything secret it seems and do not transparently communicate what has happened, who has perhaps suffered (if anyone) from this flaw in security. So anyways, I hope this post will help to calm any fears by showing the exact process and if anyone else has any additional information on this Wartune security problem feel free to post in the comments.

18 Comments

  1. In what way does this allow anyone with access to the account take ownership of the account without the original owner knowing about it?

    • As far as I can tell it doesn’t. Anything that’s entered in the Account Sign-In Form gets emailed directly to the Account Owner, so that person is completely notified. Seems like someone is overreacting.

      • Yeah, that’s what I had seen too – no way can it be thieved like this.

      • Unless you are a hacker, you can’t take someone else’s account, I think.

      • Nobody is speaking about hacking here.

      • Nobody NEEDS to have people run their toons when they can’t. Since it is just a game, missing time in the game shouldn’t be a big deal, real life goes on. When people willingly give out their login/password or other sensitive information to others, they accept the risk of that decision and shouldn’t complain at all if something bad happens as a result.

    • The instructions say “provide us your email and password” and “these credentials will be used to login after migration”, so whoever has temporary access such as a friend or someone helping who was given login/pass can perhaps simply input their email and password as the new settings.
      As I don’t do such not-proper things I don’t know if this actually works, but based on their provided instructions it certainly seems that it would.
      – COSMOS

      • If you are allowing other people to access your account, they can change your information at any time anyway, can’t they? Why would they need this form to do it. In general, I think it’s always a bad idea to give others your login information. If you do and they take your account, you can’t really blame anyone but yourself for using bad judgement with who you choose to be your “friend”.

      • When I did it last night, it automatically put in my email address from my account, so I don’t know if it could really be changed by anyone else.

      • There are lots of reasons why players give their login/pass to others. They range from helping one another, doing runs when party member is on holiday, giving account when one quits, etc.
        I am not saying I support or do not support these reasons, I am just stating a fact that a lot of players do give their login/passes.
        In most of these cases everything goes OK, but it regularly happens that there is a fight between people and people do things to damage one another.

        On one side it’s dangerous if the system allows a different email (not confirmed if it does) but on the other hand I know that some players are on an old email address to which they no longer have access, so for these people this would be a positive.

        – COSMOS

      • WonderHill emails are locked to the specific account and can’t be changed; only R2 platforms, I think, can change the email address to an account if you send a ticket for it to be changed.

        It sounds like they’re trying to find out who broke their ToS by sharing accounts and giving their accounts away, or sold accounts, hahaha.

  2. How does that work when some use the FB login to log into the game?

  3. I did my account this morning. My email address was already locked into the account, so it can’t be changed. I feel sorry for the ppl who bought accounts or were given accounts, cuz these ppl don’t have access to the primary email account of the original owner, so they will lose the account? Who in their right mind will give access to an email account, hahahaha.

  4. where is this event? here is nothing like this ….

    • it’s not for all servers

  5. I use a name to log into my account, I don’t use an email. Can this fact be a problem?

  6. I spoke to R2 about this data migration and gave the example that if a hacker named player A stole an account from player B and said he lost or doesn’t have access to the email any more, they said they can use another email address to validate the account. Isn’t this against the ToS of WonderHill and R2? We all know R2 don’t give a monkey’s uncle about their ToS.

    Even ppl who bought accounts from certain websites that sold Wartune accounts, or ppl who were given an account, all against the ToS of WonderHill and R2, can do the same.

    The email should be locked to the specific account and cannot be changed without proof you’re the original owner.

    But we all know these sites don’t give a hoot about the legal player who follows the rules these days.

  7. wow so many comments 🙂
