"
CrystalisQualinthi wrote:
"
Luvz wrote:
I could have speculated that far. However, if you look at that link, it's on reddit's PoE subreddit, which has tons of users and nobody besides me is even asking about the risks, so the general consensus seems to be that it's safe. What I'm looking for specifically is to get some people who are qualified to examine the actual code since it's open source.
That's not to say I don't agree with what you're saying. I do agree and that's why I created this post. I want more proof than a "bad feeling" though, because the tool seems incredibly useful and there are other tools like PoE helper that are widely used and require login credentials.
Personally, I subscribe to the Greater Internet Fuckwad Theory (GIFT) that states "Normal Person + Anonymity + Audience = Total Fuckwad". Thus, my personal preference would be to give 0 third party anyones my username/password. My reasoning for this is twofold.
1. What happens if they redesign the app to harvest the crap out of you later on? Maybe it's fine now, and once they hit a threshold of users that makes it worth their while they go 'black hat'.
2. How do *they* store your account info? Having your account info in more than 1 place simply increases your chances of someone getting compromised and your account info stolen.
Once again, I'm not disagreeing, but neither you nor I is qualified to prove whether or not this app even stores/harvests/logs your info, and it honestly shouldn't be that hard to find several people who are a) knowledgeable enough to examine the code and b) willing to call this app out if they found it to be dangerous or give it a vouch if it is harmless.
|
Posted by Luvz#0162 on Feb 20, 2013, 10:34:48 PM
|
"
CrystalisQualinthi wrote:
"
Luvz wrote:
The purpose of this post is to get the attention of a few people who are qualified to EXAMINE the CODE and determine if there are even security issues in the first place.
So my point that code is malleable and could be completely changed down the road once the app developers see a certain number of users was lost on you? Sure, have a coder examine the code and certify it 'clean', but that doesn't mean it will always be clean. :/
It's a download. If the code were malleable once it is already on my computer independent from the internet, then yes, a qualified coder could easily detect this.
|
Posted by Luvz#0162 on Feb 20, 2013, 10:36:46 PM
|
"
Luvz wrote:
"
CrystalisQualinthi wrote:
"
Luvz wrote:
The purpose of this post is to get the attention of a few people who are qualified to EXAMINE the CODE and determine if there are even security issues in the first place.
So my point that code is malleable and could be completely changed down the road once the app developers see a certain number of users was lost on you? Sure, have a coder examine the code and certify it 'clean', but that doesn't mean it will always be clean. :/
It's a download. If the code were malleable once it is already on my computer independent from the internet, then yes, a qualified coder could easily detect this.
When is your computer ever 'independent from the internet'? Do you seriously disconnect your Ethernet cable at times? Do you shut off your modem? What happens if a coder says "Yes, the code is fine, it does nothing bad." but they forget to mention "It does have the ability to go out to the parent server and download updates to itself at will."? Or even better, what if they do tell you it's clean but can self update? Do you put them on retainer? Keep them around forever to continually re-certify the code for you?
Please familiarize yourself with the Greater Internet Fuckwad Theory (GIFT) - http://www.penny-arcade.com/comic/2004/03/19
Realize that the only part of the equation you can affect in the GIFT is the audience. Remove the audience and the trolls merely rant at the air.
|
|
You should only use an application like this when you are given the source, can verify what it does yourself, and compile it yourself. Any responsible person releasing helpful applications for POE should be releasing the source along with the binary, but also instruct users on how to compile the source themselves.
My Keystone Ideas: http://www.pathofexile.com/forum/view-thread/744282
|
Posted by anubite#0701 on Feb 20, 2013, 10:45:37 PM (Alpha Member)
|
I have been looking through the source code of this application today after having some initial scepticism.
I can provide more information regarding the source if anyone is interested; however, I can confirm that there is no logging and the only site accessed is https://www.pathofexile.com
Initial testing in a VM using Procurement v0.0.3
Filename: Procurement.exe
MD5: ea53f6f69f1b3fc1ef7d97aab78c72de
Attempts HTTPS connection to 173.192.44.22
URLs used:
loginURL = @"https://www.pathofexile.com/login";
characterURL = @"http://www.pathofexile.com/character-window/get-characters";
stashURL = @"http://www.pathofexile.com/character-window/get-stash-items?league={0}&tabs=1&tabIndex={1}";
inventoryURL = @"http://www.pathofexile.com/character-window/get-items?character={0}";
NINJA EDIT:
The code uses the SecureString class, which provides some protection against runtime attacks targeting strings in memory (it utilises the Data Protection API).
The only remaining thing I am worried about is how the password is sent in the cookie and whether this is retrievable from memory before the HTTPS transport begins, but I'm not having much luck at the moment.
(Using VMware Workstation, ProcMon, TCPView, Wireshark, VS 2012 Premium, IDA Pro and OllyDbg, for those that care)
Last edited by stabwah#6598 on Feb 20, 2013, 11:08:37 PM
|
Posted by stabwah#6598 on Feb 20, 2013, 10:49:50 PM
|
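The memory concern raised in the analysis above (a SecureString only helps until the password is decrypted for the login request) can be illustrated with an added example; this is not Procurement's code, and the form field names "email" and "password" are assumptions. It shows the one pattern that keeps the plaintext out of the managed string heap: decrypt into buffers you can zero, send only over HTTPS, and scrub every copy afterwards.

```csharp
using System;
using System.IO;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;
using System.Text;
// Added example, not Procurement's code; form field names "email"/"password" are assumed.
static class SecureLogin
{
    const string Unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~";
    static readonly byte[] Hex = Encoding.ASCII.GetBytes("0123456789ABCDEF");
    // Percent-encode straight into the stream, byte by byte, so the secret is never
    // turned into an immutable managed string that cannot be zeroed afterwards.
    static void WriteEscaped(Stream s, byte[] raw)
    {
        foreach (byte b in raw)
            if (b < 128 && Unreserved.IndexOf((char)b) >= 0) s.WriteByte(b);
            else { s.WriteByte((byte)'%'); s.WriteByte(Hex[b >> 4]); s.WriteByte(Hex[b & 15]); }
    }
    public static HttpWebResponse PostLogin(Uri loginUrl, string email, SecureString password)
    {
        // Only the login URL in the analysis above is HTTPS; never send credentials over plain HTTP.
        if (loginUrl.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("credentials must only be sent over HTTPS");
        var req = (HttpWebRequest)WebRequest.Create(loginUrl);
        req.Method = "POST"; req.ContentType = "application/x-www-form-urlencoded";
        req.CookieContainer = new CookieContainer();   // session cookie is held in memory only
        IntPtr bstr = IntPtr.Zero; byte[] utf8 = null; var chars = new char[password.Length];
        try
        {
            // Decrypt the DPAPI-protected copy into unmanaged memory, then into arrays we control.
            bstr = Marshal.SecureStringToBSTR(password);
            Marshal.Copy(bstr, chars, 0, chars.Length);
            utf8 = Encoding.UTF8.GetBytes(chars);
            using (Stream body = req.GetRequestStream())
            {
                byte[] prefix = Encoding.ASCII.GetBytes("email=" + Uri.EscapeDataString(email) + "&password=");
                body.Write(prefix, 0, prefix.Length);
                WriteEscaped(body, utf8);   // plaintext now exists only in utf8[] and the request/TLS buffers
            }
            return (HttpWebResponse)req.GetResponse();
        }
        finally
        {   // Scrub every copy this method made; only the still-encrypted SecureString survives.
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);
            Array.Clear(chars, 0, chars.Length);
            if (utf8 != null) Array.Clear(utf8, 0, utf8.Length);
        }
    }
}
```

Even with this pattern the HttpWebRequest and TLS layers hold their own transient copies, which is why a memory dump taken during the request can still expose the password; the window is narrowed, not closed.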
"
CrystalisQualinthi wrote:
When is your computer ever 'independent from the internet'? Do you seriously disconnect your Ethernet cable at times? Do you shut off your modem? What happens if a coder says "Yes, the code is fine, it does nothing bad." but they forget to mention "It does have the ability to go out to the parent server and download updates to itself at will."? Or even better, what if they do tell you it's clean but can self update? Do you put them on retainer? Keep them around forever to continually re-certify the code for you?
Because a qualified coder would totally neglect to mention the fact that it's a malicious trojan that can avoid 20 virus/malware scans and has the capability to reconnect with its host and redownload itself. Those are not important things to mention.
Last edited by Luvz#0162 on Feb 20, 2013, 10:52:59 PM
|
Posted by Luvz#0162 on Feb 20, 2013, 10:51:58 PM
|
"
deathbybinary wrote:
I have been looking through the source code of this application today after having some initial scepticism.
I can provide more information regarding the source if anyone is interested; however, I can confirm that there is no logging and the only site accessed is https://www.pathofexile.com
Initial testing in a VM using Procurement v0.0.3
Filename: Procurement.exe
MD5: ea53f6f69f1b3fc1ef7d97aab78c72de
Attempts HTTPS connection to 173.192.44.22
URLs used:
loginURL = @"https://www.pathofexile.com/login";
characterURL = @"http://www.pathofexile.com/character-window/get-characters";
stashURL = @"http://www.pathofexile.com/character-window/get-stash-items?league={0}&tabs=1&tabIndex={1}";
inventoryURL = @"http://www.pathofexile.com/character-window/get-items?character={0}";
The only remaining thing I am worried about is how the password is sent in the cookie; I will be checking up on this shortly.
Thanks, man. Keep us posted.
|
Posted by Luvz#0162 on Feb 20, 2013, 10:52:18 PM
|
Double post.
Last edited by Luvz#0162 on Feb 20, 2013, 10:52:35 PM
|
Posted by Luvz#0162 on Feb 20, 2013, 10:52:25 PM
|
"
anubite wrote:
You should only use an application like this when you are given the source, can verify what it does yourself, and compile it yourself. Any responsible person releasing helpful applications for POE should be releasing the source along with the binary, but also instruct users on how to compile the source themselves.
Thanks for the advice.
If you want to check out the code, I believe it's available here:
|
Posted by Luvz#0162 on Feb 20, 2013, 10:57:05 PM
|
"
anubite wrote:
but also instruct users on how to compile the source themselves.
1.) Open solution (.sln) in Visual Studio
2.) Press F6
3.) ????
4.) PROFIT!
Although I'll go out on a limb and say there's no point viewing the source code if you don't know how to compile it.
|
Posted by stabwah#6598 on Feb 20, 2013, 11:11:55 PM
|