8 years ago


Dilbert on Randomness

8 years ago

Deleted

This comment was deleted 4 years ago.

8 years ago

How much for a clue? ^_^

8 years ago

Deleted

This comment was deleted 4 years ago.

8 years ago

You're too hell-bent on the word "guessed".

"Acquired without hacking owner account" sounds better?

8 years ago

"It appears that your keys were in fact compromised by a third party. I was able to reset/revoke the keys in question, while also revoking the keys that had been gifted away. This type of key theft does not happen often, but it does happen. We are currently in the process of making it more difficult for hackers and resellers to scrape URL for unused or unclaimed bundles or gift links."

So you've got someone watching traffic on the HB site and managing to occasionally capture the content of keys/link pages that were visited and they are scraping that content for the link URLs.

It's a HB security issue.

8 years ago

Deleted

This comment was deleted 6 years ago.

8 years ago

Probably better stated as "highly improbable when HTTPS is involved", even though there are ways to attack that by measuring changes in compression size, but scraping is used all the time to harvest data.

I'm still much more inclined to believe this is a HB security issue given that random support person admitted this kind of thing does happen and that they believe it's their own fault even if the support person in question can't adequately explain why.

8 years ago

You can check a small analysis I did on HB. Need more time to figure out if what I think is true.
If so, anyone that got 1 gift link from you can figure out the other gift links:

https://www.steamgifts.com/go/comment/VKOVe7v

8 years ago

Is the objective of posting something like this to argue that people are being distracted from whatever the real compromise of Humble is by talking about 'guessing' gift links, or to imply that no compromise of Humble is taking place?

8 years ago

Deleted

This comment was deleted 4 years ago.

8 years ago

FYI, there are other ways than guessing. Also, that only happens in a really random world, and as we all know, true randomness is not possible yet.

More likely there is info leaking on users' accounts and someone got the gift generation algorithm (that is why only gift links are "guessed" and not all the account keys).

8 years ago

Deleted

This comment was deleted 6 years ago.

8 years ago

lovely uh? :P
play on my name and hack (being a developer, and in that field, the meaning of hack is a bit different :P . Granted I am always asked to hack fb accounts :)

8 years ago

Deleted

This comment was deleted 4 years ago.

8 years ago

I hate uppercase people :P
On the other hand, what I mean is not that. Obviously it is ridiculous to get the random value on the server.

It is simpler:

Currently, when generating or creating a gift, the browser does a POST request to a certain URL.
In this URL you send 3 values (or 4 in the case of generating a gift link):

gamekey: name of the game in lowercase and with special symbols and space as
key: unique value per bundle per account
keyindex: 0 (always)
gift: 1 (when creating a gift link)

This is protected by a session, so it cannot be abused.

When redeeming a gift, they send the same values, but the key value is different (account associated too).
Tried redeeming 2 gift links from the same account and their key value is different,
but it seems people managed to reuse that key value, and that is how they are able to take every gift from an account.
As the gift link is not protected via a session, you may be able to test many things and figure it out.
Want to test it, but don't have time now.

As you can see, it is not so much a work of guessing as one of analyzing how HB works...

8 years ago*

That's some good sleuthing!

8 years ago

Deleted

This comment was deleted 4 years ago.

8 years ago

It's something to be noted.

8 years ago

wait, www.humble.com/answer42 wouldn't work?

8 years ago

Deleted

This comment was deleted 4 years ago.

8 years ago

My entire life has been a lie!
42 rulez!

8 years ago

Have a happy cake!
And also happy steamgifts day!

8 years ago

So where did one of my unredeemed gifts go? :D

8 years ago

Deleted

This comment was deleted 4 years ago.

8 years ago

TL;DR your thread is trash :P

8 years ago

Ambidot's math is sound; brute-forcing Humble gift links, unless Humble has some incredibly stupid system for generating them, is not viable.

8 years ago

Deleted

This comment was deleted 4 years ago.

8 years ago

It seems totally incredible to me now,
that everyone spent that evening
as though it were just like any other.
From the general forum came the sound
of shunting trains, ringing and rumbling,
softened almost into melody by the distance.
It all seemed so safe and tranquil.

8 years ago

I just guessed all of your gift links. Why do you have 87 copies of Secret of the Magic Crystals?

8 years ago

Deleted

This comment was deleted 4 years ago.

8 years ago

Your math is based on assumptions like there is no pattern in HB links and they are completely random, how many guesses can be made in a second (that is a constant value over the course of a billion years?), how many seconds are left in the universe, and that HB gift links will work as long as the universe exists :D

8 years ago
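
Added example, not part of the thread and not Humble's code: a sketch of the two properties argued over above, namely gift tokens that are drawn independently of any per-account value and are single-use, and the brute-force estimate, which depends entirely on how much entropy the token really has. The names `GiftLinkStore` and `expected_guess_years`, the 128-bit token size and the rates used are assumptions.

```python
import hashlib
import secrets

# Assumption: 128-bit tokens. The thread does not state Humble's real format.
TOKEN_BYTES = 16


class GiftLinkStore:
    """Issues gift tokens that are independent of each other and single-use."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> (owner, gamekey)

    def create(self, owner, gamekey):
        # Fresh CSPRNG output per link: holding one link reveals nothing about
        # the owner's other links, unlike a token derived from an account value.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._pending[self._digest(token)] = (owner, gamekey)
        return token

    def redeem(self, token):
        # pop() makes redemption single-use. Only the digest is stored, so a
        # leaked table does not contain working links.
        return self._pending.pop(self._digest(token), None)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).digest()


def expected_guess_years(token_bits, live_links, guesses_per_second):
    """Mean time until a uniformly random guess hits any live link."""
    expected_guesses = 2 ** token_bits / live_links
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed figures: one million live links, one million guesses/second.
    for bits in (32, 64, 128):
        print(bits, "bits:", expected_guess_years(bits, 10**6, 10**6), "years")
```

The estimate only holds for the effective entropy of the token: a link with a pattern, or one derivable from another value, behaves like the small-`token_bits` rows regardless of its length.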

Deleted

This comment was deleted 4 years ago.

8 years ago

Deleted

This comment was deleted 4 years ago.

8 years ago

Hmmm, while I'm waiting on a reroll, should I be concerned about the associated giftlink?
Maybe use it myself and get out the key now?

8 years ago

I know a way that gives a 99.999% chance of finding exact Humble Gift URLs with 99.999% accuracy ^^

It involves a credit card

8 years ago

You did math! Neeeeerd!

JK ambimidotbot. I keep thinking your name is amidibot

8 years ago

Closed 8 years ago by Deleted-8888821.