Game Site Insecure?


    • Game Site Insecure?

      Is this a recent issue?



      I'm pretty sure that Ikariam is normally a secured site, after all, the board is. But this morning, when I logged in there's a circular been sent asking to re-confirm email addresses, and as I was about to do so, I noticed the alert in the corner. Moving back to the main game screen I saw that it's currently an insecure website. Given that people can have their card details stored on this site (for ambrosia purchases) this is a big problem. For that reason, I've set this as an "Ikariam Plus" bug, although really it affects the entire game.

      So whoever is in charge of your site security should probably sort out this issue ASAP.

      Screenshots

      I would put some screenshots here but apparently "screenshots from tinyupload is not allowed" and "screenshots from i32.photobucket is not allowed" so it appears that I can not do so. Way to go devs, how else do you expect to get screenshots?


      Raider Philosophy: "I steal stuff to build more ships to steal stuff with. Wood doesn't grow on trees"
    • chym wrote:

      en.ikariam.com shows as "insecure" while en.ikariam.gameforge.com is "secure"
      There is an option to use encrypted (with SSL) and the one that isn't, thus the http and https options.


      Wyr3d wrote:

      Is this a recent issue?



      I'm pretty sure that Ikariam is normally a secured site, after all, the board is. But this morning, when I logged in there's a circular been sent asking to re-confirm email addresses, and as I was about to do so, I noticed the alert in the corner. Moving back to the main game screen I saw that it's currently an insecure website. Given that people can have their card details stored on this site (for ambrosia purchases) this is a big problem. For that reason, I've set this as an "Ikariam Plus" bug, although really it affects the entire game.

      So whoever is in charge of your site security should probably sort out this issue ASAP.

      Screenshots

      I would put some screenshots here but apparently "screenshots from tinyupload is not allowed" and "screenshots from i32.photobucket is not allowed" so it appears that I can not do so. Way to go devs, how else do you expect to get screenshots?
      Just to be clear, the circular was reminding us to verify that email is updated, meaning make sure that you've verified your email address and that you have access to the email address that you've used in game.

      With regards to Ikariam being not secure, I don't think that's the case. It was probably Ikariam's way for reminding the players to confirm your email address used in game with them in order to secure your account.

      If for example your account were to have problems and you were to communicate with support, they would require you to send them the verified email address you use in game. If you haven't verified your email address yet there is no way Gameforge can help you with your account concerns.
    • I admit this message can be alarming, but it's not Gameforge's software fault for this.
      As game staff we see various situations and I am not allowed to talk about them here.
      But without getting into any personal details let me explain something.


      Ikariam is not insecure, only the way you use it is.


      You all have heard of account being stolen. This can have various reasons and not any of them is related to the game programming. Infected computers with stealing software is one reason, an account giveaway that went wrong, easy-to-guess password, etc, not to mention other reasons due to breaking game rules and T&C.


      To protect you, Gameforge has created a procedure to recover your account within 7 days from losing access of your account. But you need to know your email on the account and have access to it. Without it the account is lost forever. No one believes you are the owner of an account if the email on it is not correct.


      We tried to warn you several times, please read this too Never share your Passwords or Personal Information



      Wyr3d wrote:

      I would put some screenshots here but apparently "screenshots from tinyupload is not allowed" and "screenshots from i32.photobucket is not allowed" so it appears that I can not do so. Way to go devs, how else do you expect to get screenshots?

      Some sites that let you share images are not allowed if they are not https like the board is.
      Others do not allow you to share their images in boards. Please read their T&C and you will see that they block the share in such cases not our boards.
    • This reminds me that if you create a new account in game and for the first 7 days you receive emails from Gameforge about account starting gifts and you open their given link, it sends you to an unsecured login screen, but other emails from Gameforge that are not related to these starting gifts send you to the secured login screen.
      I guess this could be Gameforge's software fault.


      The scariest monsters are the ones, that lurk within our souls.
    • The unsecure login screen is still in use because of some players using browsers that do not know how to handle https. Removing the unsecure login will make those players unable to play.
      I just look on such an email and I have the secure link. I don't know where you see it.
    • A long time ago, my country's server was sending a message to replace mail addresses with gmail, so that the gaming team could help us with theft, because they are not able to provide support if the mail was with live.com or yahoo.com.

      It's only important that your email address in your account is valid and that you use it, so your account will be safe and you can always return it to how much someone is trying to steal it.
      Life is an eternal struggle.
      Who does, he can. Who knows no fear, goes forward.
      V.Z.Misic
    • As an update to this, I believe the issue may have something to do with how the server handles requests from search engines? I'm not sure why the server would default to the "insecure" version when browser searched, but this appears to be the case. Maybe this is something that should be looked into?

      A fresh search for "ikariam" on Google Chrome will respond with the following link: en.ikariam.gameforge.com/


      which directs you to the insecure page: s2-en.ikariam.gameforge.com with no other results specifically for the game website. However, you can log into the secured version by typing the full secured version into the address bar: s2-en.ikariam.gameforge.com

      chym wrote:

      en.ikariam.com shows as "insecure" while en.ikariam.gameforge.com is "secure"

      Initially both show as "insecure" but I was able to switch the latter link to a "secured" version by simply retyping the whole address manually, and including the S as mentioned above.

      Pepi wrote:



      [snip]

      With regards to Ikariam being not secure, i don't think that's the case. It was probably Ikariam's way for reminding the players to confirm your email address used in game with them in order to secure your account.

      [snip]

      I've been playing for over 10 years, and I've always kept my email updated, so that's not the problem. As for the game showing as insecure as a "way of reminding players to confirm emails" - I seriously doubt that is the case.

      Antikythera wrote:

      [snip]...it's not Gameforge's software fault for this...[snip]

      Ikariam is not insecure, only the way you use it is.

      [snip]
      As it is the responsibility of game companies to keep their software compliant with data protection laws, if this is an issue that could compromise the security of personal data; then yes it is the software at fault. Just sayin..

      Please explain what you mean by "Ikariam is not insecure, only the way you use it is" because believe me, a HTTP connection is not secure at all. HTTPS connections encrypt the data passing between the server and browser, HTTP does not.

      The following paragraphs (snipped from this quote) go on about stolen accounts, and the actions (or inactions) of players that can lead to this, and the consequences that result thereof, but I can not help but see this as anything other than an attempt to brush off the issue.

      I have never shared account details with anyone. My account is as safe and secure now, as it has always been on my end. My transactions are made through PayPal, so I have added security regardless. But I am concerned for the personal data of other players stored on the servers that is subject to compromise because they apparently prefer the insecure connection :/

      Raider Philosophy: "I steal stuff to build more ships to steal stuff with. Wood doesn't grow on trees"
    • Antikythera wrote:

      I just look on such an email and I have the secure link. I don't know where you see it.
      Since the old emails about this I have already deleted, then yesterday I created new account and today I received email, that invites me to collect welcome gift in game ibb.co/d4CN0f and after I press collect here it sends me to unsecure link ibb.co/jYuALf.

      For the next 6 days the game will send me this kind of email, till I accept all these gifts ibb.co/b1dbt0.
      All other emails from Gameforge that I receive send me to secured links, only these welcome gift emails are unsecured. And this applies for different email addresses.


      The scariest monsters are the ones, that lurk within our souls.
    • kirby k2 wrote:

      they are not able to provide support if the mail was with live.com or yahoo.com.
      There was a time with big problems with hotmail/outlook and yahoo emails. And sometimes there still are problems.
      It was not Gameforge's fault this time either. Let me explain:
      yahoo has many servers around the world in different countries. At some point in time they had problems in receiving and sending emails in a timely manner. I don't know the source of their problems but they existed. It worked for some users and didn't work for others. It all depended on what server your account was stored.
      Therefore, when someone sent you an email on yahoo you didn't receive it for more than 24 hours. And when you sent an email anywhere it had big delays too. So, any communication with Gameforge was delayed too making support unacceptable. This issue still appears from time to time, but rarely.

      Hotmail/outlook had a different problem. At some point in time they changed their interface drastically. They introduced the whitelist/blacklist and different settings with strange names and based on other settings you couldn't receive emails from someone unless you put them in whitelist. At that time we had a post in the old board explaining how to set that whitelist to receive emails from Gameforge. But too few read it, so the best option was to tell them to use Gmail instead of hotmail.

      What I am telling you now were problems of year 2010. Not problems anymore since players get used to managing hotmail interface and yahoo updated their servers.



      kirby k2 wrote:

      It's only important that your email address in your account is valid and that you use it,
      correct


    • Wyr3d wrote:

      Please explain what you mean by "Ikariam is not insecure, only the way you use it is" because believe me, a HTTP connection is not secure at all. HTTPS connections encrypt the data passing between the server and browser, HTTP does not.
      I was talking about players still forced to use http instead of https. This may apply to players playing from inside a company or from school where network has some settings that do not allow https, or from other browsers than Edge, Firefox or Chrome, or who knows what other conditions may exist.


      Wyr3d wrote:

      I have never shared account details with anyone.
      That's very good.


      Wyr3d wrote:

      I believe the issue may have something to do with how the server handles requests from search engines?
      We cannot control the search engines. As you may notice from Google documentation, search engines display first the most accessed links. At this point the insecure link is most accessed.

      Wyr3d wrote:

      However, you can log into the secured version by typing the full secured version into the address bar: s2-en.ikariam.gameforge.com
      On the login page you have the link already displayed, just click it. Or simply click on the link bar and add an s after http without retyping everything.




    • Thanks for reporting this, the information has been forwarded to Gameforge (88487).
      Found a bug or think something doesn't work in the game? Don't be afraid and write a ticket or PM me! :)


      "The difference between stupidity and genius is that genius has its limits."
      (c) Albert Einstein
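
The thread turns on a site that answers on both `http://` and `https://` without upgrading the former, so search results and email links that point at the HTTP address stay on it. The following is an added example, not part of the original thread or of Gameforge's code: a small audit that walks a redirect chain and reports whether the plain-HTTP entry point is upgraded, and goes one step beyond the thread by also checking for an HSTS header and the cookie `Secure` attribute. The hostnames, cookie values and response records are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed responses for hypothetical hosts; not captured from any real site.
SAMPLE = {
    # Site A: serves the game on both schemes and never upgrades HTTP.
    "http://game.example/": (200, {"Set-Cookie": "sid=abc123; Path=/; HttpOnly"}),
    "https://game.example/": (200, {"Set-Cookie": "sid=abc123; Path=/; Secure; HttpOnly"}),
    # Site B: HTTP only redirects, HTTPS sends HSTS and a Secure cookie.
    "http://fixed.example/": (301, {"Location": "https://fixed.example/"}),
    "https://fixed.example/": (200, {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Set-Cookie": "sid=abc123; Path=/; Secure; HttpOnly",
    }),
}

def audit_entry(url, responses, max_hops=5):
    """Follow redirects from url and return a list of transport findings."""
    for _ in range(max_hops):
        status, raw = responses[url]
        headers = {k.lower(): v for k, v in raw.items()}
        if status in REDIRECTS and "location" in headers:
            url = urljoin(url, headers["location"])
        else:
            break
    else:
        return ["too-many-redirects"]

    findings = []
    if urlsplit(url).scheme != "https":
        # Content was delivered in clear text; nothing forced an upgrade.
        findings.append("plain-http")
    elif "strict-transport-security" not in headers:
        # Without HSTS the browser will still follow old http:// links.
        findings.append("no-hsts")

    cookie = headers.get("set-cookie", "")
    attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
    if cookie and "secure" not in attrs:
        # A cookie without Secure is also sent on plain-HTTP requests.
        findings.append("cookie-not-secure")
    return findings

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, audit_entry(entry, SAMPLE))
```
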