That awesome and hilarious feeling when you see 10 of these sitting in your inbox

[323]

"Gaia Administration Staff - Account Permanently Banned"

Haha so anyways, what have you guys been up to? I've been trying to see how many bans I can get and how fast, by advertising LG.

[GAMEchief]

Always the best use of cheap mules you find.

[The Unintelligible]

That's nothing. Try doing what me and Isonyx did. Create a session stealer that automates banning a user by autonomously spamming different segments of Gaia with illicit material like porn.

It's not much either, but it was definitely way more fun.

[GAMEchief]

Oh man. A session stealer for a mass PMer.

[The Unintelligible]

Oh man. A session stealer for a mass PMer.

I don't understand your advancement.

[323]

Session stealing auto PMer would be badass. Also Unintelligible, that's fucking hilarious haha. I'll have to try that out, any tips?

[The Unintelligible]

1. Get/steal user's session
2. Hijack said session
3. Post porn and junk

I simply automated this process to make for an effective ban/user account tamperer.

[323]

1. Get/steal user's session
2. Hijack said session
3. Post porn and junk

I simply automated this process to make for an effective ban/user account tamperer.

How would you steal SIDs? Tricking users seems too slow, can you brute force them?

[The Unintelligible]

XSS would be the primary way to steal a session ID without tricking/coercing.

Brute forcing is unrelated to this entire subject matter lol.

[GAMEchief]

How would you steal SIDs? Tricking users seems too slow, can you brute force them?

Thanks to GSI, anyone who can execute JavaScript can steal session IDs. Also anyone with a user/pass combo. Or anyone with a program that logins to Gaia to function.

[CL0V3R]

I feel like I'm learning in this thread.

[The Unintelligible]

I feel like I'm learning in this thread.

It is osmosis

[CL0V3R]

It is osmosis

I will suck in the intelligence.

[323]

XSS would be the primary way to steal a session ID without tricking/coercing.

Brute forcing is unrelated to this entire subject matter lol.

I was saying brute forcing as in sequentially moving through numbers to find active SIDs.

How would you steal it though XSS? By stealing the user's cookie or something? Seems pretty cool haha, you could have a website constantly recording SIDs and then a program on your computer constantly checking a text file hosted on the site for new SIDs, and then when it gets a new SID it does the account-banning techniques lol. You could get people banned en mass.

[The Unintelligible]

I was saying brute forcing as in sequentially moving through numbers to find active SIDs.

How would you steal it though XSS? By stealing the user's cookie or something? Seems pretty cool haha, you could have a website constantly recording SIDs and then a program on your computer constantly checking a text file hosted on the site for new SIDs, and then when it gets a new SID it does the account-banning techniques lol. You could get people banned en mass.

There is no such thing as "sequentially moving through numbers to find active SIDs." That makes absolutely no sense lol. Session IDs are also alphanumeric. Session IDs aren't something you can randomly duplicate. That would require a ton of time and luck.

JavaScript. Also, that isn't possible. At least the basis of this idea isn't.

[323]

There is no such thing as "sequentially moving through numbers to find active SIDs." That makes absolutely no sense lol. Session IDs are also alphanumeric. Session IDs aren't something you can randomly duplicate. That would require a ton of time and luck.

JavaScript. Also, that isn't possible. At least the basis of this idea isn't.

Oh, I thought SIDs were like 29582793 or something so you could just try to find active ones. And why wouldn't it work? Steal the cookie and have a website that saves all information posted to it in a text file, and have the JS post the SID to it.

[The Unintelligible]

Oh, I thought SIDs were like 29582793 or something so you could just try to find active ones. And why wouldn't it work? Steal the cookie and have a website that saves all information posted to it in a text file, and have the JS post the SID to it.

Nope.

If that's what you mean then that would be pointless lol.. Waste of bandwidth. Just stockpile the sessions and have a program sift through them. A server isn't required for something like a bulk ban.

At least you're trying to think outside of the box, though. That's a good thing.

[323]

Nope.

If that's what you mean then that would be pointless lol.. Waste of bandwidth. Just stockpile the sessions and have a program sift through them. A server isn't required for something like a bulk ban.

At least you're trying to think outside of the box, though. That's a good thing.

Oh okay, well thanks for the info. Also, thanks.

[GAMEchief]

Flare's idea works. I made that exact program when I found out GSI publicly displays the session ID.

[The Unintelligible]

Flare's idea works. I made that exact program when I found out GSI publicly displays the session ID.

Welcome to the retarded idea club. Welcome to the pointless idea club. Never said it wouldn't work after Flare elaborated.

Edit: I'm probably just being a douche. The idea works but it's not really my cup of tea. But alright idea I suppose.

[Spammathon]

OMGHACKERS


This thread makes me feel stupid.

I have no idea what you guys are talking about.


*Can't stalk this thread, leaves*

[Butts]

There is no such thing as "sequentially moving through numbers to find active SIDs." That makes absolutely no sense lol. Session IDs are also alphanumeric. Session IDs aren't something you can randomly duplicate. That would require a ton of time and luck.

JavaScript. Also, that isn't possible. At least the basis of this idea isn't.

characters would of been better. he's basically trying to say if a session identification is still valid, then use said session identification. It's kind of like dumping invalid session identifications, and keeping the active ones.
flame I don't know why you said bruteforcing, just no.

[GAMEchief]

Welcome to the retarded idea club. Welcome to the pointless idea club. Never said it wouldn't work after Flare elaborated.

Edit: I'm probably just being a douche. The idea works but it's not really my cup of tea. But alright idea I suppose.

I think it's a very efficient form of session stealing. It unfortunately requires a server to get the information from their client machine to yours, unless you want to be ballsy and have them connect directly to your computer. But IDK whuld want that.

He was being totes dumb about consecutive SSIDs, but he was on the money about what to do with stolen ones.

OMGHACKERS


This thread makes me feel stupid.

I have no idea what you guys are talking about.


*Can't stalk this thread, leaves*

Gaia uses an API called GSI (I assume stands for game-server interaction or something, since that's effectively what it does). It allows Gaia's flash games to interact with the Gaia server. To do this, the flash games have to send an identifier that tells who you are (i.e. who is playing the game, i.e. who to reward with gold/whatever for playing the games). When browsing Gaia's main site, this "SSID" that identifies you is not public. It's stored in what is called an HTTP-only cookie, which means only the browser can read it, and not programs that function from within the browser. Since flash is a program that functions from within the browser, the flash games can't read your session ID, so they are the one exception -- Gaia publicly displays your session ID in the GSI so that flash games can "login" as you. As a result, other in-browser programs (such as anything written in JavaScript) can use the GSI to steal your session ID. If someone gets your session ID, they can set it as their own and thus enter your account.
The end.

[GAMEchief]

characters would of been better. he's basically trying to say if a session identification is still valid, then use said session identification. It's kind of like dumping invalid session identifications, and keeping the active ones.
flame I don't know why you said bruteforcing, just no.

The number of possible combinations of session IDs is like a quadrillion. The number that would actually work at any given moment is probably like 50,000. There are far more efficient ways to stealing accounts.

[323]

The number of possible combinations of session IDs is like a quadrillion. The number that would actually work at any given moment is probably like 50,000. There are far more efficient ways to stealing accounts.

Oh, I see now. And thanks for the support on my what to do with them method, haha.