After waves of news about the royal wedding came tons of news about Bin Laden. What is your opinion on the matter?
Sorry for the late release of the zOMG easter event, we are now planning for summer event and also working on more story updates. So far, I've heard that we might split the summer event into two smaller events for a change of pace. More info as we get more ideas hashed out.
A user in Site Feedback has brought a VERY serious issue to my attention that I think needs looking into.
(GCD Elf 088 a couple posts down is this user)
Every user's account security is at risk due to one flaw.
The e-mail change tool in account settings.
A hacker can easily guess a password, then hack into the account and instantly change the user's e-mail address WITHOUT the original owner even being notified.
The real owner of the account then has no clue that they've been hacked until it is too late. Shouldn't there be a tool that sends an e-mail to the current e-mail notifying it that there has been a request to change e-mails? That way if the account is being hacked, the user at least gets some kind of notice as to when the hacking took place?
BTW, Narumi Misuhara has said it would be a good idea to bring it up here.
Also, can we get someone to fix the Photobucket upload tool on V2 profiles?
It has been broken for a looooong time. ;~;
Hi guys, I have a real big issue I need to bring up about security.
I was recently hacked; it's being reported and dealt with, yadda, yadda, yadda.
However, this brought a very big security flaw to light: Gaia does not alert users when it comes to changing their emails attached to their accounts.
It's so simple for a hacker: First go in and change the account's attached email with the password they've already acquired. Then they change the password and the real owner is locked out of their account, leaving the hacker time to do as they please while the owner scrambles to get their accounts to a mod's attention.
It's like a burglar enters your house, changes the locks, and leaves you watching through the front window while they pilfer your living room.
It could be as simple as requiring a user to first verify the change from the first account to the second, even though this might leave some users with dead emails in a spot of trouble.
However, Narumi Mitsuhara, who came by my thread in the Site Feedback, proposed:
This is a good idea... and I'm a bit surprised myself that the process is so easy. sweatdrop
I don't know about making it so that users have to verify through both emails since depending on why the email is being changed could leave some users out in the cold. However sending an email to the old address with a message that says something like "Hello <username> we noticed you have changed your email address to <new address>. An email has been sent to this address for verification. ...Did you not do this? Click Here." Clicking the link within maybe a couple of days would disable the account's trading pass, reset the account password (with an email being sent to the old address to allow for new password creation), and auto-flag the account for moderator investigation.
This would allow the user to reset the password, log in, look over the account and see if anything is missing/wrong. The downside is even if the account is ok, you'd need to wait until a mod could get to it, investigate, and enable the trading pass again. Upside: all items there since the link was clicked would still be there.
Sadly I doubt this is something my team would have time to work on but for sure bring it up in ATA.
You guys warned us back in 2008 to make sure our emails were current because you were going to implement security measures to make it harder for our accounts to be compromised. You guys never followed through.
Please, I understand if the developers' schedules are full, but please, consider implementing a simple security step like this and putting it on your schedule for the future.
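The old-address notice proposed in the post above, sketched as an added example (not Gaia's code and not part of the original post): the "Did you not do this?" link carries an HMAC-signed token that expires after a couple of days and works once. The account fields, function names and the secret are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: server-side secret, constructed here
REVERT_WINDOW = 2 * 24 * 3600      # "a couple of days", as in the proposal

def _sign(account_id, old_email, expires):
    # Bind the token to the account, the address it was mailed to, and its expiry.
    msg = f"{account_id}|{old_email}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def change_email(account, new_email, now=None):
    """Apply the change; return the notice for the OLD address and its token."""
    now = int(time.time()) if now is None else now
    old = account["email"]
    expires = now + REVERT_WINDOW
    token = f"{expires}.{_sign(account['id'], old, expires)}"
    account.update(email=new_email, email_verified=False, previous_email=old)
    notice = {
        "to": old,  # the address the account owner still controls
        "body": f"Hello {account['username']}, we noticed you have changed "
                f"your email address to {new_email}. Did you not do this? "
                f"Use the link in this message.",
    }
    return notice, token

def report_unauthorized(account, token, now=None):
    """Handle a click on the notice link; True if the lockdown was applied."""
    now = int(time.time()) if now is None else now
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False                      # malformed token
    old = account.get("previous_email")
    if old is None or now > expires:
        return False                      # already used, or window closed
    expected = _sign(account["id"], old, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False                      # forged or altered token
    # The three actions from the proposal; clearing previous_email makes it single-use.
    account.update(trading_pass=False, password_reset_sent_to=old,
                   flagged_for_review=True, previous_email=None)
    return True
```
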
Heyyyy, how's it going? E-Corp is still around but mostly busy with the zOMG egg hunt at the moment. I almost forgot about the AtA because of it. Lol. I just have a couple little things to bring up today.
-Many of us miss the level of interactivity the Zurg event had with being able to literally chat with the NPCs. Is there any chance for some User/NPC forum interaction in the near future? It's been a long time since we've seen that sort of thing.
-Ever since I returned to Gaia I've noticed A LOT of people voicing a strong dislike of the like/dislike feature in the threads. It often gets abused and leaves many people afraid to post threads due to how much 'dislike' they've gotten. Would it be possible to modify this so that there is no counter, just the hearts? That way threads can still be rated without completely discouraging the poster.
-Why in the world haven't Overseer and Sentinel tried going to the Easter Bunny for help in regaining their powers? Surely he would be willing to help them, if only to spite Jack.
Hi there Lanzer and other lurkers.
I have a question or two about small improvements to how we use the forums.
-In other forums I visit, there typically seems to be a way to "hide" one's posts in one way or another. (spoiler tags, hide tags, etc.)
Why haven't we seen that implemented here?
-Continuing on with this "hiding" trend, I was wondering if it's possible to hide individual threads. Sometimes people don't want to see a thread again for one reason or another. (misplaced threads, uninteresting threads, etc.)
I think this would be great for people who don't want to see pages cluttered with threads they don't want to see.
- You've admitted at past AtAs that Gaia HQ is understaffed. So, why do you keep working on new stuff instead of concentrating on the site's current features? People don't just come to Gaia to spend money on their avatars. They also come for the features (Forums, Guilds, zOMG!, Towns, Homes, etc.). So, stop ignoring them.
- A "Talk to Lex" link should be added to Prize and Joy. The poor guy has been neglected for way too long.
- Put swarf and bron back on the zOMG! project long enough so that they can add passive buffs to buddies and finish working on Buccaneer Boardwalk and Undermountain.
- Why is zOMG! integration with the rest of the site constantly being pushed back?
We've been working hard lately to make your account more safe and secure, and wanted to let you know about a few changes:
If we see what looks like "suspicious activity" while logging in, you'll have to go through a quick email verification process. This might seem like a hassle, but it will help you (and us) head off potential trouble before it starts.
Changing your username or password will require email verification.
Changing the email address associated with your account is now safer, thanks to a two-part verification system. You will need to verify both your old and new email addresses for the process to succeed.
Password security will be upgraded in the very near future, requiring all passwords to feature a dazzling combination of numbers and letters. You should probably update yours now, just for safety's sake. We recommend that you use longer passwords with a mixture of upper and lowercase letters and numbers.
Now would also be a good time to make sure you can still access the email address associated with your account. We'd hate to see you get locked out of Gaia.
All of this can be annoying, we know, but it's worth it in the long run. Having your account compromised or stolen is a huge pain in the B. We'd like to make sure that it never happens to you!