How hackers are stealing your stash with no 2FA

"
Guys, I think there is some sense to this. I just tried opening my stand alone client, and pressed login without typing in my password and I managed to login. Is this normal? There seems to be some session cached somewhere.


It is perfectly normal. Have you noticed the "remember me" checkbox on every website you login to? It means your personal access token is created based on your credentials, your hwid, IP address, current date and time, and other factors chosen by the developer. Until this token expires you may skip typing your password next time.

Now, assuming the original bug info is true, the problem is GGG was too lenient on sharing players' data during party, to facilitate multiplayer. Of course I don't think there are full tokens of other people lying around in your client memory, but whoever reversed the poe protocol (respect BTW:)) could have found enough bits and pieces to reconstruct a valid auth token for another player after partying with this player. Personally I never enabled autologin in poe, and always type my password manually, so here's hoping the client won't allow token login in this case:)
Last edited by Echothesis#7320 on Jan 6, 2025, 1:08:42 AM
So moral of the story is don't party up with random people, so the question is how do I trade with someone? If I need to invite them to a party to go to their instance? What's the safest way to play atm?
"
So moral of the story is don't party up with random people, so the question is how do I trade with someone? If I need to invite them to a party to go to their instance? What's the safest way to play atm?


Follow the steps in the first post anytime you trade. Other than that you shouldn't have to worry.


1. Do not log off
2. Open a second POE client
3. Log in with the second POE client
4. You will be kicked off the other client
5. Close the other client
Last edited by XerxezBreak#3933 on Jan 6, 2025, 1:28:46 PM
"
Posting this here as it needs to gain more attention.

There is a possible vulnerability in POE where a hacker can steal your account session token by initiating a trade window with you in game. Numerous reports and evidence of this support this conclusion. If you accept the trade request they can login to your character using an account pivot technique that does not trigger any 2FA and they do NOT need your password. They gain access to your stash, steal your currency/gear and then they're gone.

Typical scenario that many users have reported:

1. You list an expensive item or try to buy an expensive item
2. The hacker pings you to trade
3. The hacker opens a trade window with you
4. The hacker cancels the trade and then logs off
5. They wait for you to log off and then use your hijacked security token to instantly login to your character and rob you
6. This does not trigger any 2FA since they are already "authenticated"

Something that may reset the token if you suspect you are a victim of this:

1. Do not log off
2. Open a second POE client
3. Log in with the second POE client
4. You will be kicked off the other client
5. Close the other client


Your session token can only be used to login from your IP, very often even only from the same device (HW-ID). People who got ripped off have been much more likely infested with a keylogger when visiting any RMT websites.
You don't need a keylogger if you use the same email and password on the RMT, or got phished, or put a session key on a 3rd party app.

There are many ways to hijack someone's account.

There is no way to extract your token by visiting another player's hideout or partying with them. The whole idea is that you get assigned this token when you log in so that the game keeps you logged in. Why would it exist at all if they put it in the open?
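As an added example (not code from this thread, from GGG, or from the game client), the sketch below shows the two properties the posts above rely on: a remember-me token whose MAC is bound to the presenting device (hwid) and IP, so a copy presented from elsewhere fails, and a per-account session generation that a fresh login bumps, which is what the "log in with a second client" remedy in the quoted first post achieves. Account names, HWIDs and addresses are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed server-side secret for this example; a real server never sends it to clients.
SERVER_KEY = secrets.token_bytes(32)
# Per-account session generation: bumped on every fresh login so older tokens stop validating.
SESSION_GEN = {}


def _mac(account, nonce, exp, gen, hwid, ip):
    """MAC over the token fields plus the binding context that never leaves the server."""
    msg = f"{account}|{nonce}|{exp}|{gen}|{hwid}|{ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(account, hwid, ip, now, ttl=24 * 3600):
    """Fresh login: advance the account's generation and bind the token to device + IP."""
    gen = SESSION_GEN.get(account, 0) + 1
    SESSION_GEN[account] = gen
    nonce = secrets.token_hex(8)
    exp = now + ttl
    # Only account|nonce|exp|mac is handed to the client; hwid, ip and gen are
    # re-derived from the presenting connection and server state at check time.
    return f"{account}|{nonce}|{exp}|{_mac(account, nonce, exp, gen, hwid, ip)}"


def validate_token(token, hwid, ip, now):
    """Return (account, status). Anything but 'ok' should fall back to password + 2FA."""
    parts = token.split("|")
    if len(parts) != 4:
        return None, "malformed"
    account, nonce, exp, mac = parts
    if not exp.isdigit() or now > int(exp):
        return None, "expired"
    gen = SESSION_GEN.get(account, 0)
    if not hmac.compare_digest(mac, _mac(account, nonce, exp, gen, hwid, ip)):
        # Presented from another device/IP, or superseded by a newer login on the account.
        return None, "context_or_generation_mismatch"
    return account, "ok"


if __name__ == "__main__":
    tok = issue_token("alice", "hw-A", "203.0.113.5", now=1000)
    print(validate_token(tok, "hw-A", "203.0.113.5", now=2000))      # ('alice', 'ok')
    print(validate_token(tok, "hw-B", "203.0.113.5", now=2000))      # (None, 'context_or_generation_mismatch')
    issue_token("alice", "hw-A", "203.0.113.5", now=3000)            # second client logs in
    print(validate_token(tok, "hw-A", "203.0.113.5", now=3500))      # (None, 'context_or_generation_mismatch')
```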
"
Your session token can only be used to login from your IP, very often even only from the same device (HW-ID). People who got ripped off have been much more likely infested with a keylogger when visiting any RMT websites.


This doesn't seem true from my experience. I use both the standalone client and GeForce Now cloud gaming.
Switching between the two is a different IP, and a completely different PC. So every switch should trigger the email. But for some reason only about 1/5 actually triggers the email verification.

As a personal experience, it's convenient not having to check my email every time, but it also shoves the lack of security in my face, which is concerning.
Last edited by iadapt#7831 on Jan 6, 2025, 3:14:57 PM
I just had a weird encounter when trading; it was probably nothing, as my meager loot is still intact. Thought I would check the forums just to be safe.
I think I was lucky, and I am just paranoid.

Is this just fearmongering, or is there a legitimate vulnerability in regards to trading?

Has GGG confirmed or denied anything officially?

Either way I think I am going to allow my paranoia to win and wait for the team to get back from the holidays.
"
iadapt#7831 wrote:
"
Your session token can only be used to login from your IP, very often even only from the same device (HW-ID). People who got ripped off have been much more likely infested with a keylogger when visiting any RMT websites.


This doesn't seem true from my experience. I use both the standalone client and GeForce Now cloud gaming.
Switching between the two is a different IP, and a completely different PC. So every switch should trigger the email. But for some reason only about 1/5 actually triggers the email verification.

As a personal experience, it's convenient not having to check my email every time, but it also shoves the lack of security in my face, which is concerning.


Mine triggers the email EVERY TIME I switch between GeForce Now and my PC. Every single time. It's almost annoying, but I'm glad it's there in the end.
So this is what I just had happen to me.

I received a whisper generated from the trade site, for a piece of gear not particularly worthwhile for 1 exalt.

I invite this person to my party but, instead of coming to my hideout, they just sat in the Ziggurat Encampment. No biggie, I was doing inventory management after a map and have seen people not know to travel to the trader's hideout.

So I fast travel to them, he initiates the trade, I place the item, he places the exalt, I scan over it and hit accept. Then he seems to force log off, closing the trade window.

I am a bit paranoid so I logged into the game from Steam, forcing myself out of the client, and closed the client. Went to the site and changed my password. Reopened the client and logged in with the new password.

Should I be safe now?
Too many better ARPGs out there to be dealing with this nonsense.
May 15th 2012 - The day the king of ARPGs died. January 23rd 2013 - A new king takes the throne.
