3DXChat Community

Pandora Review


Gizmo


Dear 3DXChat Community,

 

Recently on our forum there was a topic about a service which, according to its creators, can allegedly hack the 3DXChat server database and collect data on our players' accounts, including old data that has since been deleted.

 

This is not true; they cannot get access to our database. This service simply collects public data (for example profiles, pictures, gifts).
It seems they just scan the players' profiles every day (maybe even several times a day) and save all of the information collected.
That is why you can see the history of profile changes there. We do not store old account data on our server.

 

I just want to remind you not to use your personal data in game profiles: pictures, names, etc. This data becomes public for all players to view.

 

Also, if you want no one to find your alts, just create a new 3DXChat account with a new email.


Firstly, thanks for the feedback and for showing that, as a developer of the game, you are taking this seriously and, I presume, beyond posting a response on the game's forum. A tool which is designed to make public things which people have a right to keep private (the names of alts, for example) undermines trust in your platform. That's neither good for players nor for you. Whether or not the impact is profound is not really the point; it's the hijacking of the game by a third party and the way this affects the relationship between customer and provider which is key. A sex game lives or dies through the belief that privacy, and its protection, is at its core.


Guest RomanFox

I have mixed feelings about this, so I'll just stay quiet and stick to the shadows on this one. Glad to see the developers caught on though.


So I must warn you guys, and you should understand, that alts on the same account are not private data, and there is a way to find other characters on the same account.

It's possible due to the option to ignore a whole account, because all avis on one account have the same tag or ID.

 

Yes, of course, that is true, but that takes a little effort, actually seeing an avi who is not on your friends list, etc., as opposed to just typing names into a third-party program, which also has the facility to see if someone is online or not, even if that person is not a friend. Linking avis to a single account is possible within the game, but that's a byproduct, not the intention of a specifically designed tool.

 

Anyway, looks like you're addressing this, so once again, thanks for the feedback...


Guest RomanFox

On the other hand, you can't really blame someone for creating a tool that some people have been craving. With the amount of paranoia, fear and who knows what else being fueled by bad experiences here, something like this was bound to happen. I'm neither approving nor disapproving of this tool, but I do understand why it got made.


The logical step would be to encrypt the data being sent out. It's kind of a large oversight not to encrypt and secure the data. By not encrypting data and securing the game's code, all the game data is left wide open to abuse and opportunistic third parties.

 

I hope this will be addressed seriously in the future, as without it all we seem to be seeing is a gradual escalation of third-party abuse of the game and its users.

I'm sorry, but no user or non-user should be able to scan the entire game's streaming data, collect information on every single player and put it up for sale.

 

Acceptance of this because they have not physically breached the database is not what I think we should be hearing.

 

I personally do not have any alts, but I found it funny how the solution offered to maintain alts' privacy is to sign up for another subscription £$.

Made me laugh a lot ლ(´ڡ`ლ) lol

 

Abbey


Ty for the warning Gizmo. I just wonder why they scan our data, what they need it for. Scary somehow.

They do it because they can, and the paranoid people are willing to throw their money at those who can.

 

So yeah that might be the reason.

 

They can make money off people being paranoid.

 

Welcome to the internet.


Hey Gizmo.

 

I just have a quick question: can this leak cause issues between you and BMT Micro?

Last time there was an issue about someone searching emails and history on their site, and it got fixed really quickly.

There are many of us who have 6-month+ subscriptions; what would happen if someone reported you for a privacy breach?


They scan public data... Well, how? Of course, when I'm logged in my user ID or something like it needs to be sent out to make me visible to the others; of course my profile can then be seen manually, and as the data is there, it can also be read automatically.

 

As I am friends with others, there are links to me and to my friends. Following these links would make my profile readable even when I'm not online. The friend list should be private to the owner anyway, but the gift list is not. So from the gift list of a logged-in user you can read the profiles of all who gifted him, and this cascades: from the results you can again scan all who gifted them, and so on. This could easily be broken if there were only the information "X gifted Y" without X's profile linked. The question is whether we want that.

 

I do not really see a serious technical issue here, except that somebody is doing some automatic big-data collection, which maybe rates as poor morals.

 

What makes me more worried is the open and unencrypted connection in general. This should be addressed at once. If I understand things right, this will prevent our logins from being hacked by man-in-the-middle attacks, for instance, but not the scanning thing, because in the end the data needs to be decrypted in my client to be able to play. So don't think encryption can solve every problem. The issue addressed here by Gizmo is, in my view, not an encryption issue, and the reading of public data can indeed be done without database access.

 

Please note that I just did some thinking and found these things to be very plausible. I cannot guarantee that all of this is right. In addition to Gizmo's hint not to post any real personal data in profiles, I strictly suggest having a different game password from the one that provides access to the email account you play with here. Your email should not be scanned, but it is good security practice anyway, in case there are leaks for whatever reason. For the same reason it is a nice idea to have different passwords for 3DX and for the forum here. And surely you do well if you follow the common rules for good, safe passwords.

 

3DX for me is not as unsafe as some panic threads would imply. Maybe Gizmo could have explained things in a bit more detail, but at least I agree with his hints.

 

Update: I found a Pandora review which says the profile data can be read without having one's own game account. That at first indeed seems as if data is public which should be available to players only. Well, knowing Pandora is a service, not a standalone third-party tool, it is easy to imagine the service has one or more game accounts which are abused to collect the data. So in the background still nothing is public, but some guys abuse their logins. These guys clearly know they are doing something illegal, as they provide their service in the Tor network only, and if you pay them they want Bitcoin only.


I just have a quick question: can this leak cause issues between you and BMT Micro?

 

No, it can't, because there is no privacy breach and no leak.

All the important private data regarding your orders is stored on the BMT Micro servers, and it's impossible to get it. Also, BMT Micro does not store credit card info.

 

The goal of this topic is to keep you informed, guys, and to warn you not to use your private data in public profiles, pics, etc.

 

Of course, we on the dev team are trying to find the best way to improve our game. For example, we can implement data encryption between the game client and server, track and block the IPs of scanners, or even rework the whole game architecture by removing player tags and the account-wide ignore option.

 

 

They scan public data... Well, how?

 

The same way search engine scanners do, Google's crawler for example. It grabs all public data on websites and indexes/stores all captured info.


And the solution to counter it is not to better secure the data, but to suggest a second subscription... ironic, isn't it?

 

For the sake of argument, what is ironic about it?

 

First, we have a scammer, who wants to make money. So he downloads publicly available data and then lies about how he acquired the data to make it seem that he is providing a "valuable" service that people will pay money to use. 

 

Then, of course, we have SDG, who wants to make money. SDG's business plan has always been to allow players to have up to three avis per account and to allow players to have multiple accounts. I have never seen anything in the terms of use that says one player cannot have more than one account.

 

Finally, we have a situation where some people think their right to privacy includes keeping the names of their alts private. And in response to that, SDG says: the account-wide ignore function links all the alts to one ID, so if you want to keep the names of your alts private, use different accounts.

 

So, how is "better securing the data" a solution to people downloading publicly available data, and in what way, shape, or form is any of this ironic?


So I must warn you guys, and you should understand, that alts on the same account are not private data, and there is a way to find other characters on the same account.

It's possible due to the option to ignore a whole account, because all avis on one account have the same tag or ID.

 

But doesn't this tool partly undermine the ignore function, which not only makes the characters assigned to an account invisible but their profiles too? Someone put on ignore in order to remove them from a virtual life will now be able to view gifts, read profiles updated since being ignored, observe new connections, and reintegrate to some extent if they so wish. I understand that data is not entirely secure and can be searched. But this tool breaks a function thought important enough to include within the game's ignore facility.


The Pandora service is reviewed as following gifts; nothing is said about disclosure of friend lists. So I assume Pandora has its own user accounts to get the data. They can get nothing you cannot get manually too.

 

DEVs: Maybe the amount and speed of profile requests from an account can mark it as a data-abuse account like that Pandora thing.

 

If you ignore X you can still see if X gifts Y, and X can also see if you gift Y; it is simply in Y's gift list. Maybe following the profile links in the gift list can disclose a profile that should be blocked due to an ignore. But if so, that is a bug that affects manual link following as well as automatic.

 

I stay with my conclusion that the spy service is just a new dimension of getting data. It cannot get any data a player cannot get manually too, and it has no access to the database. Maybe they look a bit deeper, seeing the user ID, but as said before, other clients need an ID for me to make my ava visible. Don't confuse the user ID with the email address or an ava's name; think of it more as a random but unique number every account gets. Just because you cannot see data, it does not mean it is not there. Furthermore, and importantly: it does not mean it is a data leak. It is functionality needed to play the game.

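Two posts above (the dev team's "track and block IPs of scanners" and the suggestion that "the amount and speed of profile requests from an account" could mark it as a data-abuse account) describe a rate-based detection without showing one. The following is an added example by this editor, not 3DXChat code, and the log line format, account and profile IDs, and thresholds are all assumptions made up for the illustration. It keys the sliding window on the account rather than the IP, because a service reachable only over Tor can trivially rotate exit addresses, whereas every request it makes still has to come from a logged-in game account:

```python
"""Flag game accounts whose profile-request pattern looks like automated scraping.

Added example, not 3DXChat's own code. The log format, IDs and thresholds below
are assumptions for illustration only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed server-side access log line, one profile view per line:
#   <ISO timestamp> acct=<account id> ip=<client ip> GET profile id=<target id>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) acct=(?P<acct>\d+) ip=(?P<ip>[\d.]+) GET profile id=(?P<target>\d+)$"
)

WINDOW = timedelta(minutes=5)   # sliding window per account
MAX_REQUESTS = 30               # profile views allowed per window
MAX_DISTINCT = 20               # distinct profiles allowed per window


def parse_line(line):
    """Return (timestamp, acct, ip, target) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["acct"], m["ip"], m["target"]


def flag_scanners(lines, window=WINDOW, max_requests=MAX_REQUESTS, max_distinct=MAX_DISTINCT):
    """Sliding-window detector keyed on account, not IP.

    Keeps a deque of recent (timestamp, target) per account, drops entries older
    than the window, and records the first moment an account exceeds either the
    request count or the distinct-profile count. Lines must be in time order.
    Returns {acct: {"ip": ..., "at": ..., "requests": n, "distinct": d}}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # malformed line: skip, never crash the detector
        ts, acct, ip, target = parsed
        q = recent[acct]
        q.append((ts, target))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({t for _, t in q})
        if acct not in flagged and (len(q) > max_requests or distinct > max_distinct):
            flagged[acct] = {
                "ip": ip,
                "at": ts.isoformat(),
                "requests": len(q),
                "distinct": distinct,
            }
    return flagged


def build_sample_log():
    """Constructed traffic (not real data): one ordinary player, one account walking
    profiles sequentially the way a daily scraper would, plus a malformed line."""
    base = datetime(2019, 5, 2, 10, 0, 0)
    lines = []
    # Ordinary player: six views spread over an hour, with repeats.
    for i, target in enumerate([5001, 5002, 5001, 5003, 5004, 5002]):
        ts = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} acct=1001 ip=203.0.113.5 GET profile id={target}")
    # Scraper: 40 distinct profiles, one every two seconds, all from one account.
    for i in range(40):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} acct=2002 ip=198.51.100.7 GET profile id={6000 + i}")
    lines.append("malformed line that should be skipped")
    return sorted(lines)  # ISO timestamps sort chronologically; the junk line sorts last


if __name__ == "__main__":
    for acct, info in flag_scanners(build_sample_log()).items():
        print(f"flag account {acct} from {info['ip']} at {info['at']}: "
              f"{info['requests']} profile views, {info['distinct']} distinct")
```

Run as-is, only account 2002 is reported: it crosses the distinct-profile threshold on its 21st view, about 40 seconds in, while the ordinary player never has more than one view inside any five-minute window. The two thresholds catch different behaviour: the distinct-profile count is what separates a crawler from a player who keeps reopening the same few profiles, so a real deployment would tune it against the legitimate traffic distribution before acting on it, and would treat a flag as input to a review or a throttle rather than an automatic ban.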

Guest Mulan

The point is, why is this data publicly available in the first place? On a social network like Facebook you have the option, if you so wish, to make yourself available on search engines like Google, and you choose how much you make public. I doubt anyone in 3DX wants their information to be made public.

 

The simple thing to do would be to encrypt the information and take security more seriously. Whatever reason people have for creating alts then they expect to do so with privacy. Some people for whatever reason choose to use real pictures and share real information on their profiles. I think 3DX has an obligation to protect its users. 3DX is a paid service, which is fine, businesses need to make money, but in return we expect quality, privacy and security.

 

The DLL hacks are another example of how easily the game can be tampered with. Rather than saying everything is fine and there is nothing to worry about, accept that the game is vulnerable and make the fixes.


The point is, why is this data publicly available in the first place?

 

I think in this particular case, "available publicly" specifically means "available to any member of the public who pays for a 3DX subscription," and definitely not "freely available to anyone on the Internet."


Well Mulan, I have access to the data of other players. I can read their profiles, see their gifts and so on. In the end nobody can prevent me or others from making this data public and keeping a history of it. Oh, well, yes, that's immoral, but the Pandora service is in the Tor network and they want money. So I don't think you can argue with them to stop what they do. As long as people pay them, they can simply create accounts to collect the data. So again: the data need not be public in the sense that even Google could find it; there only need to be bad guys like Pandora who abuse accounts.
