There is an exploit in scripts that allows the developer to access the password of the account you are using.

Do not fear, I have a way for you to check if the script is malicious.

Firstly, this only applies to local scripts. We can't know for sure if the SDN scripts are using the exploit, because that is in the hands of the admins who put it on the SDN.

1) You need to download Jd-gui for windows/mac/linux: http://java.decompiler.free.fr/?q=jdgui
This is a very easy program to use. It puts the java decompiler into a gui instead of command line.

2) Download your script of choice

3) Open JD-gui.exe and load the jar file you downloaded. It will decompile it for you. Sometimes it doesn't decompile it perfectly, so some code may become unusable, but it is a great way to check if the developer is phishing for your password.

4) This step is up to you: You need to browse through every java/class file in the jar using JD-gui. you can use the search function to look for "getPassword()" (this function was developed for the client to only use. It throws a security exception if you try to call it, BUT there are ways around that.) (credit to Cory for announcing the exploit)

5) if you find that phrase in the file, DO NOT START IT.

6) optional: check if the script sockets to a server to transfer the information. If it does, copy down the IP/website name and port number they are using to gather data.

7) Post on their thread to warn other users about the malicious intent of the script.

8) Contact an admin or global moderator to look into the issue.



Please, make the post well known. It's for the safety of the community and security of the bot.

There probably are other ways to grab passwords from the client using reflection etc, but for now this is what we have to worry about.

Thank you for your time,
Dreamliner

Edited August 23, 201312 yr by dreamliner

Thanks for the head up. Going through my scripts at the momment, will update if I find anything.

 

Clean

GammaNPCThiever

BBAgility

mooreSpellCaster

NovumAgility

StoicTeaThief

SuperScript

 

Check done - 23/8/2013

Please note that updated versions should be double checked.

Edited August 23, 201312 yr by Eek

There is an exploit in scripts that allows the developer to access the password of the account you are using.

Do not fear, I have a way for you to check if the script is malicious.

Firstly, this only applies to local scripts. We can't know for sure if the SDN scripts are using the exploit, because that is in the hands of the admins who put it on the SDN.

1) You need to download Jd-gui for windows/mac/linux: http://java.decompiler.free.fr/?q=jdgui

This is a very easy program to use. It puts the java decompiler into a gui instead of command line.

2) download your script of choice

3) open JD-gui.exe and load the jar file you downloaded. It will decompile it for you. Sometimes it doesn't decompile it perfectly, so some code may become unusable, but it is a great way to check if the developer is phishing for your password.

4) This step is up to you: You need to browse through every java/class file in the jar using JD-gui. you can use the search function to look for "getPassword()" (this function was developed for the client to only use. It throws a security exception if you try to call it, BUT there are ways around that.) (credit to cory for announcing the exploit)

5) if you find that phrase in the file, DO NOT START IT.

6) optional: check if the script sockets to a server to transfer the information. If it does, copy down the IP/website name and port number they are using to gather data.

7) post on their thread to warn other users about the malicious intent of the script

8) contact and admin or global moderator to look into the issue.

Please, make the post well known. It's for the safety of the community and security of the bot.

There probably are other ways to grab passwords from the client using reflection etc, but for now this is what we have to worry about.

Thank you for your time,

Dreamliner

 

I thought the get username and get password was for the OSBot account?

 

Edit: Checked API, it's for RS Details

Edited August 23, 201312 yr by Murded

 

There is an exploit in scripts that allows the developer to access the password of the account you are using.

Do not fear, I have a way for you to check if the script is malicious.

Firstly, this only applies to local scripts. We can't know for sure if the SDN scripts are using the exploit, because that is in the hands of the admins who put it on the SDN.

1) You need to download Jd-gui for windows/mac/linux: http://java.decompiler.free.fr/?q=jdgui

This is a very easy program to use. It puts the java decompiler into a gui instead of command line.

2) download your script of choice

3) open JD-gui.exe and load the jar file you downloaded. It will decompile it for you. Sometimes it doesn't decompile it perfectly, so some code may become unusable, but it is a great way to check if the developer is phishing for your password.

4) This step is up to you: You need to browse through every java/class file in the jar using JD-gui. you can use the search function to look for "getPassword()" (this function was developed for the client to only use. It throws a security exception if you try to call it, BUT there are ways around that.) (credit to cory for announcing the exploit)

5) if you find that phrase in the file, DO NOT START IT.

6) optional: check if the script sockets to a server to transfer the information. If it does, copy down the IP/website name and port number they are using to gather data.

7) post on their thread to warn other users about the malicious intent of the script

8) contact and admin or global moderator to look into the issue.

Please, make the post well known. It's for the safety of the community and security of the bot.

There probably are other ways to grab passwords from the client using reflection etc, but for now this is what we have to worry about.

Thank you for your time,

Dreamliner

 

I thought the get username and get password was for the OSBot account?

 

nope can be used for rs account details, but i think it's pretty comonly known you should check locals ;) 

 

good to see you give others a heads up

I thought the get username and get password was for the OSBot account?

No, it is for the RS account you are logged in with. It states it in the API

Thanks for the head up. Going through my scripts at the momment, will update if I find anything.

 

Clean

GammaNPCThiever

BBAgility

mooreSpellCaster

NovumAgility

StoicTeaThief

SuperScript

 

Check done - 23/8/2013

Please note that Scripts can be edited so double check.

Scripts can't be edited unless you redownload them bro.

 

Thanks for the head up. Going through my scripts at the momment, will update if I find anything.

 

Clean

GammaNPCThiever

BBAgility

mooreSpellCaster

NovumAgility

StoicTeaThief

SuperScript

 

Check done - 23/8/2013

Please note that Scripts can be edited so double check.

Scripts can't be edited unless you redownload them bro.

 

Sorry, what I meant was updated versions.

Wow, scary these data can be obtained. Hope they fix soon!

Thanks for this! Will use it in the future for sure. Someone sticky this shit, invaluable information here.

Thanks for the knowledge :p

 

Thanks for the head up. Going through my scripts at the momment, will update if I find anything.

 

Clean

GammaNPCThiever

BBAgility

mooreSpellCaster

NovumAgility

StoicTeaThief

SuperScript

 

Check done - 23/8/2013

Please note that Scripts can be edited so double check.

Scripts can't be edited unless you redownload them bro.

 

 

He is talking about since when he checked.  As in your can't be totally sure about his post.

I'm pretty sure this is how one of my accounts got hacked on another botting site, since it was the only account that got cleaned, and it was only one script I used with the account.. Haven't had any problems with OSBot yet, but always proceed with caution

Thanks for the heads up.

lol...so those newbs that come in and complain could be credible?

I have known about this for a while.. o.o

 

I just assumed that everyone else had known as well. :\ Thanks for the warning!