WSR: #8: Feburary 7th - 13th 2022

Hacking Runescape, Masters program, and moving on from discord

Published: February 13, 2022

| Reading Time: 5 minutes

This Week’s Recap

Every Sunday I post a quick recap of what I’ve worked on the previous week in my freetime. There are a few reason I wanted to do this.

  1. Not everything deserves the time and attention of a full blog, but is still interesting.
  2. When I first started out in security I didn’t know what projects to work on. This roundup was started with the intent to show people what projects you can work on to get experience in security without first having a job in security.
  3. Document my wins but also my failures.
  4. Its fun to talk about random projects you’re working on :)

2/7/2022

Backstory

This week I spent entirely too long trying to get access to all my old Runescape accounts. This was one of those times where being a massive dweeb technically savvy had a very practical use. Let me set the stage. One of the first games I ever got into was Runescape. Over the years, I had created many accounts for various reasons but the main account, the account I made nearly 15 years ago on February 15th, 2007, I had not been able to log into for years. Around 2010ish Runescape transitioned from using usernames to using emails for authentication. This meant that if my username was grahamhelton (which it is not), I would have to add an email to that account for example graham@gmail.com . No big deal, right? Well, many years later, I created a new Runescape account with that email address graham@gmail.com. Now two accounts are associated with this email. grahamhelton and graham@gmail.com I’m not sure if this is a bug or a feature.

When sending a password reset request for the account associated with graham@grahamhelton.com, I would only get access to that older account, not my original one. To make things more tedious, you would get locked out of requesting password resets after you send two or three (more on this in a moment…). To further make matters even more confusing, I had 4 accounts in total that were created at various points under various emails addresses. After some mindmapping I was finally able to piece together how to request my password for my oldest (15 year old account).

What does this have to do with security?

A few things to note:

  1. Password reset lockouts based on IP are not an effective way to keep people from issuing many password resets.
    • Password resets should be based on accounts, not IP. I should not have been able to request a password reset to the same account from 10 different IPs all within an hour of each other. This was trivial with a VPN.
  2. Mindmapping is such a great tool for scoping out a web application and discovering how things are working behind the scenes.
  3. Don’t assume your user knows how things work on the back end.
    • Perhaps this is common knowledge to those who never stopped playing Runescape, but for someone just trying to log into their account for the first time in 10 years, it is very confusing to have two accounts associated with one email. To trigger the password reset on one, you give it your email, to trigger the password reset on the other you give it a username. (To make matters more convoluted, my username is not my in game name.)
    • A fun rabbit hole for me but probably one most people won’t purposely jump down.

2/8/2022

  • Tried my hand at some bug bounties for an hour or so just to dip my toes into it.
  • Fun fact, probably won’t be doing this again. Shortly after I was working on some bounties I noticed a few sites wouldn’t load (such as tacobell’s new menu(This is NOT good.))
    • After some investigating, it looks like my bug bounty shenanigans were a little to spooky

2/9/2022

  • Had an advising meeting with SANS for my masters. Looks like I’ll be starting GCIH March 1st!
  • Read chapter 4 of Hacking APIs

2/10/2022

  • Got confirmation that my domain transfer of ỵoutube.com got successfully transferred to Google’s security team. Very cool to see them interested in taking it. Shout out to the people who got me into contact with the right people, you know who you are ;)
  • Just found out that @KimZetter Has a substack. I’ve never subscribed to something so fast in my life. Her book Countdown To Zeroday was the book that initially got me interested in security when I was 15-16ish. HIGHLY recommend

2/11/2022

  • Bought helton.it that I will try to use as a link shortening service.
    • The problem with this is that in order to own a .it domain, you need to purchase it through a domain trust (Unless you live Italy). This means the typical way I host a website using AWS will be a bit more convoluted since I’ll have to transfer it from my domain trust. We shall see. Sounds like a problem for next week…
  • Recorded a video about I3WM and the efficiencies you can gain from using a tiling window manager. Now sure if I’ll upload it though, it’s hard to talk about something so niche without sounding elitist…

2/12/2022

  • Cleaned up some scripts I have for automating various tasks on my local computer
  • Started working on a prototype discord bot called vouch that will allow users to generate an poll that asks if people approve of inviting the person being vouched for.
  • Began to look for some open source tools that have an API I can hack away at that I can self host. Really itching to do some stuff with API’s after reading Hacking APIs.
    • Decided to take a crack at Vaultwarden’s API sometime next week.
  • Added an RSS feed to this is (finally). You can now access all my glorious content from your favorite RSS reader :)

2/13/2022

  • Looking into the differences between discord and element/matrix.
  • Thinking about blocking twitter during the work week. May or may not go through with this.

Have any questions

Do you have any questions? Feel free to reach out to me on twitter. See you next Sunday. :)