Whatever are you talking about?

It literally took me less than a minute to log out and log in with 2fas auth to verify your strange claim. No captchas. No mail tokens. More like 20 seconds, actually.

Was your account compromised? Do you log in from a public WLAN hotspot or something? You do not know what literally means? Also, TOTP is optional. Is it mandatory for you?

We should be glad if itch is boosting their security. I often see hacked accounts publishing scams. Even with 2FA it still is not perfect, as sessions can be stolen. Maybe your system was compromised without your knowing and your extra login attempt kept your account from being taken over.

(+1)

If someone doesn't use 2FA for whatever reason, any login attempt is protected with a very aggressive reCaptcha, which as we all know has become almost impossible to bypass by actual human beings lately, while bots apparently have no problem.

(+1)

Oooh.

After updating my knowledge...

Depending on the reCaptcha version, I might not have been challenged at all. But not really dependent on version, researchers that tried to circumvent it easily cobbled together solutions that beat the system 50-80% of the time. I think it is reasonable to assume the bad guys specialized in beating it have access to a solution that achieves the same results. And even when not, many bad guys are in areas where 5 bucks a day would pay for a lot of actual humans doing the job of solving the captcha manually. And since they have experience, they do it fast. And one can assume that whatever they do, it does pay at least to make a living and pay for electricity and computers.

But after reading about that one guy who apparently had his session stolen, not even 2FA is secure.

The danger of 2FA and captchas is to rely on the security it claims to bring. In the case of 2FA there was or is a design flaw, that it does not ask for 2FA again when you change passwords. (You might wanna press there, I am not sure if itch security is aware of the flaw.)

But how to protect against those bad guys? If there is a way for humans to enter, evil humans can think up methods to enter as well. If need be, they just use the front door, manually. Itch is a honey pot. Where else do you find people willing to download software from unknown people and willing to execute it on their system? The latest trend seems to be to release fake/stolen games with payment active.

I guess they just do it manually. Brute forcing is just not done. If they want to enter, they already have some credentials or made a new account. So solving any captchas will give them what they wanted. The case where mass solving of captchas achieves something is spamming message boards. I do not notice this happening on itch (not since external links were highlighted).