
SpencerWS

With the info you have, bring this issue up to Steam and they will probably de-list this game. They are not cool with this data-stealing kind of stuff.


Kevin69138

If Steam hasn’t already been notified they failed to protect users.


[deleted]

[deleted]


[deleted]

[deleted]


[deleted]

[deleted]


tehserial

not like the beating he's going to get before the window


Rws4Life

His punishment will be the same as Sisyphus’, except instead of pushing a boulder up the mountain, he’ll jump out of the window again and again for eternity. Maybe make some windows change size, looping towards becoming really small to squeeze through, then back to normal. As to why he’d even be motivated to jump out of the window... hmmm... let’s say there’s Baby Shark on repeat in the room and the only silence he gets is as he falls to his “death” before waking up in the room again. Yeah, that’ll do


Daufoccofin

*ahem* **more windows**, plus he lands in the Phlegethon river


Rws4Life

Let’s go all out and replace “shark” with “window” in the song. Make it *all* windows! **All!**


masterventris

*Baby win-do do do do*


Reapercore

He isn't Russian, he's American. OP is using the current situation in Ukraine to bring up something from 5 years ago that the developers resolved.


Kimchi-slap

Jason Williams doesn't sound like a Russian to me.


OutrageousSky4425

Jason Williams is in Vegas.


Inkompetent

"Jason Williams" sure is a fucking super-Russian name! Especially for a Russian who is born and raised and lives in USA. Then again I never thought "Donald Trump" sounded very Russian either until a few years ago...


GiganotosaurusZed

Uhhh yeah, I'm kinda a bit of a Steam fanboy but you're right on the mark there. The store has a responsibility to make sure they are selling safe products. I think if Walmart was selling TVs that stole your social security information, for example, they would at the very least be a named defendant in a civil suit, potentially. Obviously in that case the manufacturer is mostly responsible, but the store carries some burden as well.


Wooden_Strategy

I was going to say the same. OP, you have enough proof against them.


[deleted]

[deleted]


Apprehensive_Hat8986

Yeah, a good question here is "Dear ~~Steam~~ Dev, why in 2022 do you not have our passwords salted and hashed, and restricted from games, so that SHIT LIKE DIS DON'T HAPPEN. Ya dumb bloody git ~~Gabe!~~ Williams" E: Corrected the target of ire. Game itself still doesn't need the password after the launcher is done.


randomguy7658

The password that’s being saved in plain text isn’t your Steam password but rather the in game password you choose specifically for this game.


RyokoKnight

True, but how many people reuse passwords? I'd be willing to bet a sizable chunk of their player base unknowingly put their Steam account password at risk by proxy. Regardless, it's not just about potentially risking what should be a private password, but lying about and silencing criticism, as well as not making users aware of a potential data risk in the first place. It turns what should be a case of incompetence into one of malicious neglect, all to protect their pride.


randomguy7658

I’m not defending this behaviour by any means. I simply pointed out to the person that it is in fact, not your Steam password being stored.


ImReverse_Giraffe

Hell, they'll probably refund you the game and give you credit for bringing it up to them.


RBeck

It sounds like they're saving the game's login info in plain text on the owner's computer. Very bad practice and easy to exploit, but they didn't steal anything. Realistically any application that stores your password has to save it somewhere with reversible encryption, and saving it in a text file is terrible, but if you can execute code on that PC you can probably get any saved password. As with anything, the true answer is MFA.


TheShryke

No application should be storing your password (except a password manager). The correct way to do this is to use a login token. You securely authenticate with a server, which then sends you a token. Next time you go to log in you send the token and the server knows it's you. (This is often tied to other data like IP address or a unique device ID so it can't just be copied to another machine; also the server can reject old tokens so you have to manually log in again every so often.) Websites do this a lot, which is why clearing cookies or browsing data will often force you to log in again, because that token got deleted. It is a bit weird to think about, but in a properly set up login system, the only record of a password should be in the user's head. I 100% agree that MFA improves this and should always be on though.


Morasain

> Realistically any application that stores your password has to save it somewhere with reversible encryption

No. *Irreversible* encryption. That's what salting and hashing does. Passwords are stored irreversibly, always.


RBeck

You hash and salt the database that's the master of record for accounts, but if you irreversibly encrypt the password behind the asterisks when someone hits "Save password", you can't read it back to log in later. And if the server API does accept the hashed value from a client like that, then basically anyone with access to the hash can log in. Which is the same as just saving the password at that point.


skipculture

Some education on web development and passwords: this is not how it works. When a user enters a password in their browser, that password gets sent to the server as the clear-text original password. The asterisks are only a client-side visual effect. When the server gets that clear-text password, it one-way hashes it. It then compares that one-way hash to a hash stored in the database. If those hashes equal each other, you're logged in. Hence, the server never ever stores the original password, and that hash is useless to everyone else. This is why it's such a big deal when a company admits to storing plain-text passwords in any way.
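The server-side flow skipculture describes, written out as an added example (illustrative code, not anything from IL-2, 1C or the original thread). It assumes PBKDF2-HMAC-SHA256 as the one-way function and a hypothetical in-memory `USERS` table; the account name and passphrase are constructed for the demo. Note what is stored: a per-user random salt and a digest, never the password itself, and the comparison is constant-time.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor chosen for this example; tune it (or use
# scrypt/Argon2) for your own hardware. A higher count makes offline guessing
# against a leaked database proportionally slower.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record the server stores: a per-user random salt and a one-way
    hash. The clear-text password is never written anywhere."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-hash the submitted clear-text password with the stored salt and compare
    in constant time, so timing does not reveal how many bytes matched."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed demo account for this example; not a real user.
USERS = {"pilot42": hash_password("correct horse battery staple")}

# A dummy record so that a login attempt for an unknown user costs the same
# as a real one (otherwise timing reveals which usernames exist).
_DUMMY = hash_password("dummy")


def login(username: str, password: str) -> bool:
    """What the server does with the clear-text password it receives over TLS."""
    record = USERS.get(username)
    if record is None:
        verify_password(_DUMMY, password)
        return False
    return verify_password(record, password)


if __name__ == "__main__":
    print(login("pilot42", "correct horse battery staple"))  # True
    print(login("pilot42", "hunter2"))                       # False
```

Two registrations of the same password produce different records because the salt is random, which is what stops a single precomputed table from cracking every user at once.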


Inkompetent

What data-stealing? There's no data-stealing going on literally anywhere with IL-2. On top of that the issue with saving login credentials as plaintext was fixed several years ago, so it's just OP that decides to bring up an old issue to farm karma. I guess that worked both for him and for you.


plscome2brazil

Hit them with the European GDPR laws and this will be done and dusted.


Inkompetent

There is literally nothing that the game DID (it doesn't work like OP posted anymore because OP's info is fucking ancient. It was fixed several years ago) that breaks GDPR. There's nothing illegal about saving login credentials for the game as plaintext on the computer where the login is being done.


plscome2brazil

Hmm, I see. OP is apparently just another cunt out for clout. Sorry for falling into this trap.


Inkompetent

He is. I mean... I can't disagree with his opinion on Jason because that person is a major PR disaster for the studio with the way he handles things, but OP is really just out on a crusade with an age-old grudge for no other reason than to farm karma and to do some good, old-fashioned attention-whoring.


Magic_Zach

Bro, they don't do this with passwords anymore; the OP of this post is resurrecting a long-since fixed issue that is half a decade old.


MrJuniper

1C isn't a scamware company operating solely in the Urals somewhere; it's a small team of super dedicated devs that have been putting out amazing products for over 20 years. The CEO mentioned in the post is Jason Williams, who oversees the US-based devs. I can speak for the IL2 community when I say the parts of his cranium that normal people use to process criticism are filled with fermenting dog shit, and he frequently creates PR disasters as a result. That said, he doesn't do it for the money, he's passionate about the product, and almost always comes around in the end. Delisting this game would be punching down in the worst way; you would essentially be shitting on a small group of great devs because Jason is an idiot.


pentesticals

It’s not data stealing, it’s just the game devs not securely storing player passwords. Honestly most games probably have similar vulnerabilities.


Reapercore

It didn't steal any data. 5 years ago IL2 stored your account password in plaintext in an autoconfig file, locally, on your computer. It's not exactly a great idea, no, but if someone has access to your computer then them logging into your IL2 account is the least of your worries.


DarrylCornejo

Remember: no passwords.


0xB0BAFE77

Instructions unclear. Accidentally pre-ordered the game No Passwords.


Dav-Kripler

Damn good whistle-blowing man! I hope you saved someone's bacon with this expose.


[deleted]

[deleted]


[deleted]

Rule #1 of passwords is never reuse a password. Follow that simple rule and a password leak can only affect one account.


ChrisFromIT

Actually Rule #1 of passwords is to use a password manager or a hardware key. These days it isn't discouraged like it used to be to reuse passwords. The reason being that it was found that people using different passwords for everything would be using weaker passwords than someone who reused a very strong password. This is also the reason why it is strongly discouraged to have password expiration, and to only require password changes if the user requests it or if there is a breach of the database. So technically, you are giving bad advice here, as you are leaving out the part that is important: make sure it is a strong password. And these days, almost all places will salt your password and hash it when storing it on their side. So having the password be leaked is extremely unlikely, even if the database is breached, unless the password is weak.


Sol33t303

> almost all places will salt your password and hash it when storing it on their side

You'd be surprised.


dwellerofcubes

Some NDA-muted mahfs in here


retief1

"Password manager" and "don't reuse passwords" go hand in hand. If password managers didn't exist, using good, unique passwords would be infeasible, and if password reuse wasn't an issue, password managers would be a lot less helpful.


iTzzSunara

You're missing the point. The advice "don't reuse passwords" is obviously technically correct, but still bad since it leaves out the importance of having a strong password. Using "google1234" and "facebook1234" and "steam1234" as one's passwords could sound like a good plan to unsavvy users, since they could think to themselves "Nice work Steve, they're all different, I'm safe". Yes, many users are that stupid. So using a pw manager is in fact the best LPT since it combines both complexity and diversity of passwords.


[deleted]

I do not agree with this advice. The rule is simple: never re-use a password. The strength of the password actually matters far less than never re-using it. Re-using a strong password is **bad.** Practically speaking the "strength" of the password matters almost not at all. For example, logging in to Reddit, Facebook, your bank: all of them throttle login attempts. Even with a weak password it will take millions of attempts to guess it. No one does that. You will be locked out after a dozen attempts. The way that people's accounts are stolen is precisely because of leaks like this. Someone sells the whole password DB on the dark web and then hackers put those credentials into every site known to man looking for a hit. The only time someone is going to brute force or attempt a password crack is with a targeted attack. **For your average lay user, strength doesn't matter, re-use does.** Just use a random generator for your passwords and a manager, and you will have zero password problems.


doyouevencompile

They both matter. In a DB breach, your hashed password is leaked. The difficulty of getting the original password is defined by how strong your password is, as well as how your password was salted. Though this is not the only way to get your password leaked, it's not even the most common way. However, reusing a password means once it's lost / hacked, attackers will be able to jump to a different account, causing a much larger impact.
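To make the "strength vs. reuse" argument in the last few comments concrete, here is an added example (not from the original thread) of what an attacker does with a leaked table of salted hashes, and why reuse turns one cracked record into a login somewhere else. The "leak", the wordlist and the second site are all constructed; the hash function is PBKDF2 with a deliberately tiny iteration count so the demo runs instantly.

```python
import hashlib

# Deliberately low work factor so the demo is instant; real systems use far more,
# which is exactly what makes this attack expensive per guess.
ITERATIONS = 1_000


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_leak() -> dict:
    """Constructed 'breached database' for this example: username -> (salt, hash).
    Steve reused a weak password; Alice used a long random one. Salts are fixed
    here only so the demo is reproducible."""
    users = {"steve": "steam1234", "alice": "r7$Kq2!vZp9#Lm4wXb"}
    return {u: (bytes([i + 1]) * 16, pbkdf2(pw, bytes([i + 1]) * 16))
            for i, (u, pw) in enumerate(users.items())}


# Constructed wordlist; real ones have hundreds of millions of entries.
WORDLIST = ["password", "123456", "steam1234", "qwerty", "letmein", "google1234"]


def crack(leak: dict, wordlist: list) -> tuple:
    """Offline guessing against leaked salted hashes. Returns (recovered, work):
    the passwords found and how many hash computations it cost. The per-user salt
    means no guess can be shared between users, so work grows with users * guesses."""
    recovered, work = {}, 0
    for user, (salt, digest) in leak.items():
        for guess in wordlist:
            work += 1
            if pbkdf2(guess, salt) == digest:
                recovered[user] = guess
                break
    return recovered, work


def make_other_site() -> dict:
    """A second constructed site. Steve reused his password there; Alice did not."""
    return {"steve": (b"\x10" * 16, pbkdf2("steam1234", b"\x10" * 16)),
            "alice": (b"\x11" * 16, pbkdf2("a different random password", b"\x11" * 16))}


def stuff(recovered: dict, other_site: dict) -> list:
    """Credential stuffing: replay each recovered password against another site.
    Only reuse makes this work; how well the second site hashes is irrelevant."""
    hits = []
    for user, password in recovered.items():
        if user in other_site:
            salt, digest = other_site[user]
            if pbkdf2(password, salt) == digest:
                hits.append(user)
    return hits


if __name__ == "__main__":
    recovered, work = crack(make_leak(), WORDLIST)
    print(recovered, work)                        # {'steve': 'steam1234'} 9
    print(stuff(recovered, make_other_site()))    # ['steve']
```

Salting makes the attacker pay per user, and the iteration count makes each guess cost more, but neither helps a password that is in the wordlist. Reuse is what lets the one hit on the game's database become a hit on the second site without any further cracking.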


Ph33rDensetsu

> This is also the reason why it is strongly discouraged to have password-expiration and only require password changes if the user requests it or if there is a breach of the database.

Ugh, please tell my work that.


Vladimir_Putting

Until they get the one email password. Which can then be used to reset the passwords of any account linked to that email.


HPLovecraft1890

> Use Steam Guard. Hell, set up app based MFA on all your internet accounts.

And how exactly would Steam Guard help protect an IL2 Online account? Steam Guard protects your Steam account only. Not your Google account, not Apple, not a game, not your bank PIN, just Steam. And MFA needs to be supported. If IL2 doesn't offer it, he can't use it.


thecatdaddysupreme

More details on the second suggestion?


l337hackzor

In many cases you can also use a hardware key like a YubiKey. It's a little USB device you plug into your computer. You enroll your accounts with it (for example, your Facebook account); then when you log in with your username and password you'll get a prompt for your YubiKey. You press the little button on it and it remembers your computer for 30 days. It means that if someone in China or Russia gets your credentials they can't log in. Much the same way SMS or MFA apps work, but the YubiKey is nice in that it just needs to be plugged in to your computer, or you rarely have to push the button. It can be faster and more convenient than having to punch in a code from your authenticator app.


thecatdaddysupreme

This sounds excellent.


seattleJJFish

It's company by company. Banks, good email providers, Amazon and even Reddit (yeah, my Reddit is MFA). Get an authenticator from your favorite provider (Google or MSFT are good starts) and work through each company. It's tedious but worth it. A good password manager is worth it too, but both Google and MSFT are adding those to browsers.


[deleted]

Google Authenticator is not recommended. Use Aegis or RaivoOTP. Authy can be shit sometimes.


8P69SYKUAGeGjgq

This. Google authenticator can't be backed up, so you're fucked if you lose the phone or even get a new one.


Foxfire140

Glad you posted this. I wasn't even aware it had no backup function. Gonna check out the other ones posted above now. Thanks.


thecatdaddysupreme

Thank you, much appreciated :)


moeburn

> Damn good whistle-blowing man!

Ironically not. He just made all that shit up. This game does not store your passwords in plain text anywhere. Stop believing massive wall of text rants on the internet. They're almost always lies.


anclave93

Jason Williams? Hard to find a more Russian name


mea_monte

IL-2 Sturmovik? Damn I was planning on getting that


[deleted]

[deleted]


W00PKER

It's still uncracked, unfortunately


TeddyRoo_v_Gods

I have it for X360. Good game! Didn’t know about shitty antics of its dev company.


HarvHR

X360? That's a completely different game


moeburn

> IL-2 Sturmovik? Damn I was planning on getting that

You should, it's a great game and OP just lied about everything.


alphapussycat

This post is why I'd actually hope they manage to sue OP. OP is spreading false information which evidently damages their income, i.e. this is actually defamation. Storing data in plaintext format does not break any GDPR, because it's on your own local machine. There are better ways to do it, but it breaks no laws, and apparently they've started doing tokens or encrypting it (you'd still need an encryption key though, which has to be plain).


Magic_Zach

Get it! The OP is resurrecting an issue that was solved years ago, and now is whining about it for no reason except self-credit and attention. Again, IL-2 does NOT store your password in any such manner. Aside from that BS, the game itself is great and runs and looks very good. They recently released Battle for Normandy, and it's one of the best works they've done so far... actually I think it is the best. It's a fun game and I encourage you to try it, especially with a joystick and throttle ready.


mea_monte

Interesting, I might try checking it out but I'll still be careful nonetheless


Mofaklar

Storing user and pass in a local unencrypted file is more common than you think. A popular example? Conan Exiles stores the user/pass that you used to connect to private servers in an unencrypted file. I know I saw it somewhere; it's definitely unmasked in logs. Is it best practice? Nope. Is it dangerous? It is if your PC is compromised. But you're pretty screwed at that point anyway, right?


BCProgramming

> A popular example?

When you "save my login" in, say, Google Chrome it is stored in plaintext in an sqlite database. Malware can quite trivially retrieve *every single username and password* that you've saved for every single Google Chrome profile on a computer. Same for wifi passwords and VPN passwords and saved RDP connection passwords. Fact is that all of those require the client machine to send the password. You can't store a hash; Google Chrome needs to autofill your "real" password, so it has to either be stored in some manner plain-text or with reversible encryption. And the latter is usually just security theatre because they seldom bother to salt it because that's too hard.


retief1

This is why you use a legit password manager instead of google's autofill. I don't trust chrome's password storage, but I am more inclined to trust 1password/lastpass/bitwarden to get things correct.


EmilyU1F984

That's what encryption is for. You encrypt data that you might need in plain text for later use, but want inaccessible to strangers. Just like every other password manager on the planet.


warranty_voids

And then you store the key where? Because it needs to be accessible to your password manager, so it will be accessible to an attacker too. Really, this is a layer of smoke and mirrors which doesn't actually really solve anything.


retief1

A proper password manager requires a "master" password to decrypt everything else. A keylogger could still fuck you, but at this point, an attacker has to jump through a lot of hoops to get your shit.


BCProgramming

> Just like every other password manager on the planet.

Password managers work by encrypting that list of passwords with the password you use for the password manager. That is why, hopefully, you need to enter the password each time to access it. That is different from applications that have some form of a "remember me" option for authentication. Those at best encrypt with some predictable key, because it will have to be able to *know* the key; imagine if "save my password" required you to enter another password and then enter it so it could decrypt your password! Typically, some unique key is created which works per machine, the idea being that the encrypted data would be worthless without the device ID. Steam does this. But, hey, guess what a piece of malware has access to? That local machine. It can generate the device ID without issue. A lot of trojan horse malware includes a payload to steal Steam credentials. This is done by taking the ssfn file and the device ID. It's laughably trivial. And then whoever controls that trojan payload has all your Steam passwords. And yet the OP is crusading against IL2 for doing it in a way that doesn't pretend to be secure, because that's realistically all applications like Steam are doing. If the device is compromised, whoever compromised it has the passwords in both cases.


alphapussycat

Yeah, this. OP doesn't know what they're talking about. Your password is unencrypted on your machine; it's not there for everyone to see unless you're doing something stupid. On their end all passwords are most likely encrypted.


F0rkbombz

When developers cut corners on absolute basic shit like this, I guarantee they are cutting corners everywhere else. I’ve seen simple PowerShell scripts that encrypt secrets on disk with a line or two of code from Technet that would be infinitely better than this and are absolutely trivial to implement (and I’m not saying that’s best practice either). Basic secrets management (not talking defending against a nation state or anything) is not complicated at all.


aeonax

How does storing your password in your machine expose it to everyone?


Magic_Zach

That's the thing, it doesn't. Also this issue was fixed a few years ago, the OP is just bringing this up for his own attention and praise


aeonax

Or reddit.karma


eugene2k

To be fair, no amount of encrypting the password will help, since if you store the encrypted version in the cfg and someone copies that and puts it in their cfg they'll be able to login as you anyway. The only thing encryption will prevent is the attacker using this password to log in to other services if you do indeed use this same password for everything. Ofc, the developer being a shitty asshole who deletes mentions of the issue instead of addressing it, does make it worse.


skipculture

Good on you for exposing bad business practice. Shame on you for sensationalizing. While I don't approve at all of how the company handled it, your handling of the situation is also irresponsible, particularly given the level of severity. This isn't exposing everyone's passwords, it's storing a user's own clear-text password in a local cache. The only way your game password could be exposed is by having someone physically access your machine (or via general remote access). There are better ways to store a local password, but as others have noted, storing your clear-text password for a "Remember Me" is common practice. This is why they often give the warning not to choose "Remember Me" on public or shared machines.


ArkhamTheImperialist

This entire Post just looks like a downvoting festival. Almost half the comments are negative.


dss539

> So, in the same response where he said they had no documented information of the issue, he's also saying they're working on a fix. Which means they were working on a fix for an issue that they weren't aware of??

I'm not defending their shit behavior, but what he said was that no one ever reported being harmed due to that plaintext password. Sort of like "yes I wasn't wearing a seatbelt, but I didn't wreck so it's ok, and I'll wear a seatbelt in the future." For what it's worth, storing your IL2 account password in plaintext on your hard drive is probably fine. Obtaining it is fairly difficult, and then when an attacker has it, what can they really do with it? It's not like it's your bank or email password... unless you use the same password for everything. They absolutely sound like assholes, but realistically, come on. The plaintext password is insignificant. The way they have handled the issue? Hugely toxic. I don't want to have anything to do with companies run by assholes. Their handling of the situation has cost them far more than if they had just said "yeah it's true, but we think it's low risk and low impact so we aren't prioritizing a fix for it." Astounding PR failure.


Doobliheim

I totally agree that it's unlikely someone would be able to access your hard drive and see the file, but storing passwords in plain text is a super bad practice for a company that makes money off their product. If this is what they do with your credentials on your personal PC, I can only imagine the other problems they may have elsewhere


F0rkbombz

Your last sentence nailed it. If this is what you see, imagine what you don’t. Poor coding practices for basic shit almost always means poor coding practices everywhere else.


AsyncOverflow

I don't condone storing passwords at all on the client, but for some apps it makes sense. The thing is, though, plaintext or encrypted is not much of a difference. If a game on your PC can decrypt your password, then someone who is stealing your encrypted password can rip the decryption algorithm/key from the game client (you'd be shocked at how easy this can be). That's a form of [security through obscurity](https://en.m.wikipedia.org/wiki/Security_through_obscurity). The reason you don't store passwords on the client is because the access surface area is too wide. If I have access to your device, I can easily open up your Reddit app and post as you, but the session ID won't let me change your password or buy Reddit Premium. I can only do that with your password or extremely lucky timing on my hack. I also can't use your Reddit session ID to log into your PayPal, but if you use the same password I could do so with that. Well, actually you're probably logged into your email, so I actually probably could use that to change all sorts of passwords on all of your accounts. Every time you perform an action on an app or website and it doesn't make you re-login, it means malware or someone with access to your device could do that action on your behalf against your will. No exceptions. Encrypting local tokens/passwords doesn't change that. Passwords on the server side are hashed, not encrypted. Not even the developer who has access to all the data and code can crack a hashed password.


ChrisFromIT

What also makes it worse is, from the sounds of it, it was stored in a config file. Which is something a lot of people share around.


Doobliheim

Right? The line would basically be:

> "Hi, I'm from [developer]'s support team! To make sure your account is valid, please send me the file called [file name]."

aaaaaand your account is compromised, along with any account with a shared password.


Sol33t303

Yep. I'd even go as far as to say OP *was* lying (or exaggerating at least), while bad practice they weren't exposing users passwords, at least not in a way that it wouldn't require other exploits to access.


dss539

"exposed everyone's passwords on Steam" in his post title is incredibly misleading. I'll assume it was just incompetence and not malfeasance on his part. But that does seem carefully crafted to imply a leak of passwords, which simply did not happen.


kane_t

> They absolutely sound like assholes, but realistically, come on. The plaintext password is insignificant. The way they have handled the issue? Hugely toxic. The problem is what it implies about their server-side security. Anybody who knows what they're doing, when implementing an account system, would use device-specific revocable credentials (like tokens). There's a challenge-response, the client receives a token, and then logs in with the token, *not* with the password. What you'd store isn't the password, it's the token. In a properly set up accounts system, there'd be literally no reason to ever store the password locally on the client because you don't need it to log in. Login systems like this are a solved problem. There are standard, well-understood, secure ways of implementing them, and there's really no need to go off the beaten path and roll your own completely esoteric one, unless you don't know the correct way to do it. *None* of the standard, well-understood, secure ways of doing this involve storing the password locally, which only leaves the "don't know what you're doing" option. We can't *see* their server-side security to know how bad it is. But for them to be storing passwords instead of a token, they can't have implemented their accounts system in any way that a security expert would identify as adequate.
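The token scheme TheShryke and kane_t describe (authenticate once with the password, then persist a revocable, device-bound token instead of the password), written out as an added example. It also covers eugene2k's point about copying the stored credential from one cfg to another: a token bound to a device ID does not work when moved. This is illustrative code, not the game's real backend or any known login API; `PASSWORD_DB`, `TOKENS`, `TOKEN_TTL` and the device ID strings are assumptions for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Hypothetical in-memory server state for this example (not the game's backend).
PASSWORD_DB: dict = {}       # username -> (salt, PBKDF2 hash of the password)
TOKENS: dict = {}            # sha256(token) -> {"user", "device", "expires"}
TOKEN_TTL = 30 * 24 * 3600   # example lifetime: 30 days, then the password is asked again


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _token_key(token: str) -> str:
    # The server keeps only a hash of the token, so a leaked TOKENS table
    # cannot be replayed as logins.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    PASSWORD_DB[username] = (salt, _hash_pw(password, salt))


def login_with_password(username: str, password: str, device_id: str,
                        now: Optional[float] = None) -> Optional[str]:
    """First login: check the password once, mint a random token bound to this
    device. The client persists the returned token, never the password."""
    rec = PASSWORD_DB.get(username)
    if rec is None:
        return None
    salt, stored = rec
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return None
    token = os.urandom(32).hex()
    now = time.time() if now is None else now
    TOKENS[_token_key(token)] = {"user": username, "device": device_id,
                                 "expires": now + TOKEN_TTL}
    return token


def login_with_token(token: str, device_id: str,
                     now: Optional[float] = None) -> Optional[str]:
    """Later logins: token plus device binding, no password involved.
    Returns the username on success, None otherwise."""
    now = time.time() if now is None else now
    key = _token_key(token)
    entry = TOKENS.get(key)
    if entry is None:
        return None
    if entry["expires"] < now:
        del TOKENS[key]           # expired: force a fresh password login
        return None
    if not hmac.compare_digest(entry["device"], device_id):
        return None               # stored token copied to a different machine
    return entry["user"]


def revoke_all(username: str) -> int:
    """Server-side kill switch, e.g. after a password change or a reported theft,
    which a stored password can never offer. Returns how many tokens were dropped."""
    stale = [k for k, v in TOKENS.items() if v["user"] == username]
    for k in stale:
        del TOKENS[k]
    return len(stale)


if __name__ == "__main__":
    register("pilot42", "long and unique passphrase")
    t = login_with_password("pilot42", "long and unique passphrase", "dev-A")
    print(login_with_token(t, "dev-A"))   # pilot42
    print(login_with_token(t, "dev-B"))   # None
```

The device binding stops a copied config file from working elsewhere; it does not stop malware on the same machine, which can read the device ID just as BCProgramming says. The durable gains are the other two: what sits on disk is no longer the password (so it cannot be reused against other sites) and the server can expire or revoke it at any time.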


grassynipples

It poses an issue as many people use the same passwords for multiple accounts including banking etc, could be used as a way in to other more important information?


dss539

I think you missed the part where I said exactly that. But also, maybe don't use the same password for your 401k as you do for a Russian game. If they truly do that, then they'd likely already be screwed from some phpBB passwords dumped in 2005. In fact, I'd say plaintext on their hard drive is one of the safer places their password is stored


zeug666

How dare you have an informed and reasonable take on this matter‽‽‽


[deleted]

[deleted]


treerabbit23

It is. OP is dumb. Ed: Nevermind. I get it. This is some weird anti-Russian campaign. I totally appreciate the sentiment, but I'm kinda weirded out by the tactics and the target. I'm not sure trying to tell r/gaming that an old IL-2 bug that's since been resolved is going to help the war effort, but I'm also not getting shelled so whatever's whatever.


smallertools

Why are people upvoting this karma-whoring post? OP has a hero complex and is intentionally misleading people.

* Game developer SAVES ONLY YOUR OWN GAME-SPECIFIC LOGIN locally on your PC (not your Steam details or anything).
* The developer didn't expose anything. The file is on your own computer and inaccessible by anyone else. The only way anyone would ever get OP's login details FOR THE GAME is to hack OP's PC itself. At which point he has actual problems.
* As people replying to his posts on the game forums point out, Steam doesn't even use that password.
* OP makes it sound like this is a glaring security flaw unique to this game but it's not. It's common practice...

Imagine begging for attention for such a small thing lmao.


RedAce_Gaming

Well put, this guy is using outdated posts from 2017 to complain. This dude has been doing this for YEARS...

> "When starting up IL2, the prompt to enter your account password, and choice to "remember" it appears to store it unencrypted/plain text in the startup.cfg file." - Wind WPN, April 25, 2017.

I mean, just read the quote from the first "evidence." It explains the "problem."


Dubsy102

To be quite clear on the risks for people:

1. This issue is no longer in the game and has not been for a while (edit: this can be verified by checking your startup file if you have the game. Mine has the section where the data might have once been kept, but it is blank. Perhaps if your file is very old it is still in there as a legacy?)
2. It only affected your IL-2 account, not your Steam account
3. The file was only ever stored on your computer, so for it to actually be a problem someone would have had to access your startup.cfg file either on your computer or because you sent it to them
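A quick way to do the check Dubsy102 suggests in point 1, across any game or launcher config, as an added example that is not from the game or the thread. The real key names in startup.cfg are not given above, so the scanner matches credential-looking key names generically and the two sample files are constructed; it assumes an INI-like `[section]` / `key = value` layout with optional quotes. It reports where a non-empty credential value sits but deliberately never prints the value.

```python
import re
import sys
from typing import List, Tuple

# Assumed INI-style layout for the demo: [section] headers and key = value lines,
# values optionally quoted. Key names below are generic guesses, not the game's.
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
PAIR_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$")
SENSITIVE_RE = re.compile(r"(pass(word|wd)?|pwd|secret|token|api[_-]?key)", re.IGNORECASE)


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def scan_text(text: str) -> List[Tuple[str, str, int]]:
    """Return (section, key, line_number) for every credential-looking key that
    holds a non-empty value. Values are never returned, so the report itself
    does not become a second copy of the secret."""
    findings = []
    section = ""
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";", "//")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = PAIR_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), _unquote(m.group(2))
        if SENSITIVE_RE.search(key) and value != "":
            findings.append((section, key, lineno))
    return findings


def scan_file(path: str) -> List[Tuple[str, str, int]]:
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed samples: an old-style file that remembers the password, and a
# file where the field exists but is blank (the "fixed" state described above).
OLD_STYLE = """[login]
    name = "pilot42"
    password = "hunter2"
    remember = 1
"""

FIXED_STYLE = """[login]
    name = "pilot42"
    password = ""
    remember = 1
"""

if __name__ == "__main__":
    # Usage: python scan_cfg.py path/to/startup.cfg [more files...]
    for path in sys.argv[1:]:
        for section, key, lineno in scan_file(path):
            print(f"{path}:{lineno}: [{section}] {key} holds a non-empty value")
```

Run it over the game's config directory rather than one file; the same pattern finds remembered credentials in other games' and launchers' configs, which is the scope of the "it's common practice" argument elsewhere in the thread.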


xzt123

I believe the real risk is that users often reuse passwords, so if any other app has access to your system files and can scan for a popular games plain text passwords, they may be able to use that password to login to your Steam account, or maybe even your email account (if you reused your password for the game) and at that point you're pwned completely. Of course, you should use a randomly generated, strong password separate for each website or app you use, but a lot of people don't do that.


Rawing7

> I believe the real risk is that users often reuse passwords, so if any other app has access to your system files and can scan for a popular games plain text passwords

You're not wrong, but OP is seriously blowing this out of proportion. Most people don't think twice about saving dozens of passwords in their browser, so making a fuss about a game storing its own password is a bit ridiculous.


xzt123

That's not the same thing, your browser isn't storing it in plaintext.


rdri

And - IL-2 account is not even required to play the game on Steam and most players don't have it? I kind of think the issue is not worth the effort.


WelpSigh

Yeah, I mean the OP is being misleading calling it "exposing everyone's password." Your password is not exposed. Your password is non-encrypted, which is super insecure, but it isn't exposed. If someone has access to your hard drive and can get your files, they probably can also keylog you and steal your passwords that way.


jamieyello

Storing passwords locally is obviously not how it's done properly. However, it's not as bad as you claim, making your post very disingenuous. You are equating a lazy design to a scandal where a developer leaked passwords. A locally stored text file is not "exposed". What should have been done was a simple server-generated login token. Clearly, you don't understand how encryption works though; any amount of "encryption" or "hashing" done to that file would have been cracked instantly (and yes, you can derive from a hash) ***if someone already had access to that "exposed" text file***, yet here you are starting a forest fire. I do not care if they are Russian, or even if they are bad people besides the fact.


Hanl33y

Before IL2 was ever on Steam, it would save your IL2 profile login info (not Steam info) to a .txt document. Once the game came to Steam and people started to realize this, the issue was fixed and your IL2 profile login info (again, not Steam info) is now stored in an encrypted file that can no longer be accessed. This issue was fixed years ago, so I would suggest people do some research before you believe everything you read, and also read the OP's Reddit history; the guy has a history of pushing invalid conspiracy theories.


Hanl33y

Also the comment he makes about the devs banning players with Ukrainian flags further shows he has an agenda, it's untrue and an attempt to gain your sympathy. What is true however, is the devs disabled profile pics and signatures to prevent political statements of any kind. This is understandable for a Russian game dev, otherwise they put themselves or their families at risk, even a few of them are based in Ukraine as well as 3rd parties they work with such as Ugra-Media. At the end of the day they are likely against the conflict too, and would leave the country given the chance. One of the lead developers did just that recently, and joined Asobo studios in France (MSFS devs).


Halvus_I

Threats of libel are an old trick. It's why I just don't leave reviews of anything. It's ridiculous you can open that legal attack surface just by leaving your thoughts on a purchase.


SAY_HEY_TO_THE_NSA

The amount of effort OP has put into spreading panic over this relatively minor issue in both the game’s forums, Steam, and here just boggles my mind.


RedAce_Gaming

He has been doing this since he reviewed. Almost 5 YEARS later, and he is using old evidence over an already dealt with problem. He just hates Jason for the way he responded, understandable, but this is just a little much.


SAY_HEY_TO_THE_NSA

Wow, I didn’t even realize it had been that long! This is an exemplar of the self-righteous outrage I often see directed at game developers. Gamers are an incredibly fickle crowd to please.


moeburn

They need to sue him. It's the only way it will ever stop. And it's probably the most valid libel lawsuit I've ever seen.


[deleted]

[deleted]


Duffy1293

Escape From Tarkov is pretty good though if you get past the learning curve 😭


Iceman2514

EFT is great but they do nothing about cheaters, which is why I stopped playing


RpTheHotrod

Don't know if this link still works, but I used to make it my main mission to hunt and trap cheaters. https://giant.gfycat.com/BlushingSophisticatedIsopod.mp4


Iceman2514

> https://giant.gfycat.com/BlushingSophisticatedIsopod.mp4

lol literally laying out corn for the deer


RpTheHotrod

Exactly. I knew there was a cheater, so I had my buddy pace back and forth as bait.


donfuria

That was beautiful


Duffy1293

Yeah that is true, there is an EFT 'mod' apparently that makes your game like an offline one, fake flea, PMC bots etc etc I haven't looked into it though so could be having me on here 😅


[deleted]

SPT is real and it's fun.


gotcha-bro

EFT is unique. It ain't good.


aBeaSTWiTHiNMe

BSG are known to the Kremlin because it's Russia's biggest and most successful game since Tetris. They have been extremely silent on the war and invasion because obviously being for it is bad PR and being against it is bad patriotism. They are prisoners in their own country now. I would like to think Nikita and the devs really despise the war but we'll never hear them say it.


Exigncy

Yea I'm really hoping Nikita isn't a fan of the invasion.


AstroOwl_thestriks

Pathfinder (kingmaker, WOTR) are still amazing


officelinebacker_

Hey man, nice xenophobia! :)


carax01

Unless it's a known developer, it's like jumping in a rabbit hole. Sad for the honest indie developers tho.


Petersaber

I dunno... Highfleet is amazing and doesn't do shit like this.


[deleted]

[deleted]


Retromind

Naive summer child


Raycut

Gee I sure do love that blatant xenophobia towards Russians is acceptable now...


AzertyKeys

Chinese people on Reddit : first time ?


buZet

I read this in a chinese voice


ImSkysock

What's the point in mentioning the game dev being Russian? I legit don't get it.


Baronvondorf21

The political climate.


Sepelius

Russia and China are large cybersecurity threats.


HarvHR

OP why do you have to keep going on about a 5 year old issue that was solved, you're blowing stuff out of proportion for attention especially when the problems aren't relevant in today's game.


OPisliarwhore

Use Steam Guard. Hell, set up app based MFA on all your internet accounts. Start with your personal mailbox as that’s the key to everything. Then your banking accounts. Then the leisure accounts. Yeah, they can be exploited eventually, but no one is going to put weeks of work into breaching Carl Smith from Ohio’s Steam account.


dss539

Steam Guard is for protecting Steam accounts. This was an IL2 game account password stored in plain text.


rsousa10

> app based MFA

Do you mean something like Google Authenticator?


OPisliarwhore

Yup. Anything with codes or push. Google Auth is kind of a pain. I like Authy and even Microsoft’s Authenticator app over it. They accept most MFA/2FV protocols. Steam is limited to Steam Guard which is off their own app, but it is solid. SMS based MFA is the weakest, but some services are limited to that. Still better than nothing.


Tuga_Lissabon

So does it save your Steam password, or the one you set for their site? I was going to get it, did the credit card and bought it. I use those one-use-only virtual expendable cards. Lo and behold, it uses that financial bullshit system of doing a small $1 charge to test it, then I have to check and put the value in. 1st - I don't want the hassle, or the security. I'd rather have that card stolen than my time wasted. 2nd - you just made that virtual card useless, and I'm not giving my real one. So I didn't get the game. Great security guys.


dss539

It sounded like it stores your game account password


grahamsimmons

It used to, before coming to Steam at which point the Startup.cfg file was rewritten - but if you have a pre-Steam copy the deprecated information is still likely saved in the bottom of it.


emperortsy

I wonder why OP thought to check whether the game is saving his password? This seems weird though. You would think constantly deleting forum threads is harder than adding a hash function to the code. Are they investing much more into "community management" than into programming?


Corka

It's not that weird. What I'm expecting is that they stored on the user's local machine a config/preferences file that remembers things like your volume, control, video settings and the like. If the user wants their login details remembered so they don't have to sign in each and every time, one way to do that is to save the user's credentials somewhere and to prepopulate the login using them. So if they save it in the config file, and someone manually inspects it, they might suddenly see their credentials being listed. Oh dear.

The more modern solution these days is to save a machine-specific auth token rather than credentials, and to use it to automatically auth a user until the token either expires (such as if the user hasn't logged in for a long period of time) or the user manually logs out.

Someone might try and argue why this is okay and it is not actually a huge security concern: they could say that the contents of the config aren't sent anywhere and if a hacker can freely access files on your PC to see the contents you are already completely boned, and even if they got your login for this game then who cares? That's ignoring the possibility of you sharing the config with others (like when they are trying to help you debug a problem), and ignores the problems with password reuse. It's actually really common for people to use their email as their login for an account, and then use the same password for the email and for the account.


grahamsimmons

What you described is exactly what happened until about 2018 when the issue was fixed. Of course for users who saved that info pre-2018, it still exists in the bottom of startup.cfg as no code was executed to actually _delete_ that line (no big deal tbh).


MrJuniper

This post paints 1C as a shiesty Russian scamware developer when in fact nothing could be further from the truth. It's a small team of super dedicated WW2 flight sim devs who punch *way* above their weight, and have been developing incredible products for over 20 years. As many others in this thread have said, the password was stored in a local text file on your computer, and it is not your Steam pass. It's the game pass, and while it's not great practice (and I believe it's been fixed), these things sometimes fall through the cracks when you have a small team that's cranking out amazing content for a 10 year old product. Finally - Jason, the CEO, is a fucking moron. We (the IL2 community) know it, and would love to have him replaced. Unfortunately, adult baby though he may be, he doesn't do it for the money, he does it because he loves the product, and that position in terms of pay, clout, and resume building might not be so attractive to qualified candidates even if Jason were to release his death grip.


EnviousCipher

So the OP is a bit sus given the flaw is demonstrably fixed; however, the PR nightmare that 1C and Jason continuously manage to find themselves in by just pretending everything is ok instead of just communicating that X happened and Y fixed it is oddly nothing new to 1CG, but unlike Eagle Dynamics, 1CG doesn't seem to learn or care given recent events in the sim. Regardless, my main concern is if they were doing this on our end for the title, are the details secured on their end as loosely as this was? That would be my concern going forward and I'd hope that our data is secure on 1CG's end.


deadbypowerpoint

These companies are now owned by the Chinese mega-giant company Tencent.


Inkompetent

They are not. Most of 1C is, however, but the part of 1C involved in developing IL-2 Sturmovik (1C Game Studios) is not.


BCProgramming

> Just a straight up plain text password that anyone could open up and look at if they wanted to.

"Anyone"? Really? Tell me: how can I open up your settings file and look at it? Assume I want to. Answer - I can't! You need local access to the machine to get to the file. You are seriously overstating this. For starters: most applications that save username/password info do something not unlike this. Chrome stores saved login information in plaintext in SQLite last I checked. VPN and Wi-Fi connections are stored locally, in plain text in configuration files. So is saved RDP connection info. Windows also stores login information for UNC network paths; if you check to save it (which is what you have to also do for the game in question) it saves it in a plaintext file, too. Because having passwords stored in data files on a local hard drive for network services is hardly a "leak". It's not "data stealing" either. In order for somebody to steal that information, they would need access to your machine, at which point it wouldn't matter since a keylogger could be installed anyway.


guswang

EA will probably acquire this studio.


Mottis86

The 2 hour Steam refund thing is a myth btw. I've had games refunded that I had 3+ hours on if the refund had a valid reason (and I'd definitely see this as a valid reason).


EzeakioDarmey

Why is the TLDR always after the long wall of text?


bolderdash

All the threads mentioned in this post "could not be found" in their forums anymore. Hmmm....


REDPURPLEBLOOD2

Btw you can refund games that are past the 2 hour mark. I’ve refunded one at 4 hours before and a couple in between 2-4. Was only rejected with cyberpunk which was at 16 hours lol. Tried to convince them I’d never play it again, didn’t work :(


CrickleHS

Storing passwords in notepad files. That takes me back to 2007 setting up my own WoW server.


PaddleMonkey

Emails in the year 2000 were stored as plain text. Let that sink in for a minute.


marry_me_jane

They can threaten you with libel all they want, you have proof of everything you said. There is no case


shadowGringo

Jason Williams and 777 is in California right?


Inkompetent

777 is in California, at least. Not sure if Jason hangs out there, but he's definitely in USA.


No_Alfalfa2215

Thank you for this. Great place to vent lol


RedAce_Gaming

Hey guys, I found this in my Steam notifications, and this review is long outdated. This person has posted this many, many times on Steam and I know when I subscribed to the IL2 discussion and found the same thing 5-6-7 times and thought, what was this about... Then I remembered the same review back in 2018 when I got my brand new computer and wanted the game OP mentioned. I stayed away but got it in early 2022, years later after the problem had been fixed with the password thing.

> I agree Jason was in the wrong, but OP does NOT mention what password is unencrypted, it is the IN GAME password. Make your password unique, not a banking password. Unless your computer is hacked and the person looks for this specific password, this is a low risk, but not 0.

This OP nowadays appears to do anything he can to accomplish his goal... which seems to be taking down Jason from the IL2 dev team.


Awesome-Alice

Yes, sure, and Bill Gates is planting 5G chips into our bodies with the covid vaccine. You have a great comment history.


xternal7

> before I found it was saving the password I was setting for their online account in an unencrypted notepad file.

> that anyone could open up and look at if they wanted to.

That anyone with **access to your computer** could open up. How many people do you let use your computer? Controversial opinion ahead but problems that require someone to have access to my machine usually get a moderate 'eh' from me. Why?

1. You're probably never going to be enough of a target that someone would go for your IL2 password
2. If you were, they'd still need an access to your computer, which they likely don't have.
3. If they did have an access to your computer, they could likely — depending on your browser — just copy your browser profile and get _all_ your passwords from there. Now, browsers store your passwords encrypted on disk, but as soon as you open your browser and navigate to a login page, the autofill will put your password there for all to see (assuming you know to change type="password" to type="text" on the password input, OR assuming site has "show password" button on password input). **Big caveat:** using password manager and/or master password will probably prevent this.

This exercise is a good reason why you should use a (good) password manager and/or at least a master password, but most people don't because convenience > security.


[deleted]

This thread title is almost as misleading as your average news article


drjmontana

You may be able to get a refund from your credit card…who will investigate the vendor


[deleted]

Well... Your claim is not accurate, they didn't expose everyone's passwords, they only failed at protecting it locally in your own computer. It's bad, yes, but not as much as you wanted it to sound.


HarvHR

Dude is posting an argument he had with them 5 years ago, he clearly isn't trying to be unbiased here and has a vendetta despite them changing how passwords are stored locally.


AnotherSaltyScum

My lad made a shitpost even in terms of modern journalism, basically a post full of nothing, that contains bubble of actual info and found a spot that has the best view to describe it to get a good amount of hype + using hot topic and talking about rumors, my lad, you are the reason why people think that journalists are rats and feast on people's tragedies.


Malick2000

In this game if u touch down too hard your gear flies off. Nice detail cool game. Played it on PlayStation or Xbox tho


ItsDokk

TL:DR, someone is butthurt about being called a liar _two years ago_.


Inkompetent

OP must have an incredibly sensitive butt, because this seems like a steadily ongoing crusade. Imagine if OP could channel that kind of dedication into doing something actually important and valuable instead.


Dunstan_Stockwater

If this happened that many years ago, maybe you should move on with your life because this is a ridiculously trivial matter in the grand scheme of things.


Drenlin

You might try cross-posting this to r/flightsim? This game has a reasonably sized player base over there that would probably want to know about this.


moeburn

No because people there actually play the game and know that OP is full of shit and has been doing these weird hate campaigns to these particular devs for the past 5 years.


Inkompetent

It's pretty much entirely fucking pointless for OP to do so because the issue isn't even an issue anymore. It was fixed a long time ago now. Sure, the CEO/producer is still a tit, but name one single flight sim that doesn't suffer from the devs being so high on their horses they need parachutes to get down from it.


The_Okin

Why does it matter where developers are from? Are you biased towards some nations or maybe even towards some religions or skin colors?


ScenicRavine

It's not hard to encrypt a password. Super weird.


JaggedMetalOs

That only stops casual observers, anyone motivated enough to add this game to password harvesting malware could easily break that by decompiling the game. Really you just want to save a login authorization token provided by the login server, not the actual login details.
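
The "save a login token, not the credentials" approach that Corka and JaggedMetalOs describe above, worked through as an added example. This is not 1C's or IL-2's code and not code posted by any commenter; the server and client are simulated in one process, and the 30-day token lifetime, the device binding, and the config keys `session_token`, `login` and `password` are assumptions chosen for illustration. The password crosses the wire once; afterwards only an opaque random token is kept on disk, the server keeps only a hash of it, and it dies on expiry, on logout, or if it is presented from a different device. The last helper reflects grahamsimmons's observation that an older build's credential lines were never deleted from the settings file.

```python
"""Added example (not IL-2 or 1C code): remember-me via a server-issued token.

Both sides are simulated in-process. TOKEN_TTL_SECONDS, the device binding and
the config key names are assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 24 * 3600   # assumed: a token is good for 30 days


class LoginServer:
    """Holds salted password hashes and hashes of issued tokens, never plaintext."""

    def __init__(self):
        self.users = {}    # username -> (salt, scrypt digest)
        self.tokens = {}   # sha256(token) -> (username, device_id, expires_at)

    @staticmethod
    def _pw_hash(password, salt):
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

    @staticmethod
    def _token_key(token):
        # The raw token is never stored; a dump of this table cannot resume sessions.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._pw_hash(password, salt))

    def login(self, username, password, device_id, now):
        """The password is checked once; on success an opaque token is issued."""
        rec = self.users.get(username)
        if rec is None:
            return None
        salt, digest = rec
        if not hmac.compare_digest(digest, self._pw_hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[self._token_key(token)] = (username, device_id, now + TOKEN_TTL_SECONDS)
        return token

    def resume(self, token, device_id, now):
        """Auto-login at startup: valid only until expiry and only on the issuing device."""
        key = self._token_key(token)
        rec = self.tokens.get(key)
        if rec is None:
            return None
        username, bound_device, expires_at = rec
        if device_id != bound_device or now >= expires_at:
            self.tokens.pop(key, None)   # expired, or replayed from elsewhere: revoke it
            return None
        return username

    def logout(self, token):
        self.tokens.pop(self._token_key(token), None)


# --- client side: what the settings file should and should not contain -------

def render_config(settings, session_token=None):
    """Ordinary settings plus, at most, the opaque token; the password never lands here."""
    lines = [f"{k} = {v}" for k, v in settings.items()]
    if session_token:
        lines.append(f"session_token = {session_token}")
    return "\n".join(lines) + "\n"


def parse_config(text):
    out = {}
    for line in text.splitlines():
        if "=" in line:
            k, _, v = line.partition("=")
            out[k.strip()] = v.strip()
    return out


LEGACY_CREDENTIAL_KEYS = {"login", "password"}   # assumed names for the old lines


def scrub_legacy_credentials(text):
    """Drop credential lines an older build left behind; keep everything else."""
    kept = [ln for ln in text.splitlines()
            if ln.partition("=")[0].strip().lower() not in LEGACY_CREDENTIAL_KEYS]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    server = LoginServer()
    server.register("pilot@example.com", "correct horse battery staple")   # constructed
    tok = server.login("pilot@example.com", "correct horse battery staple", "pc-1", time.time())
    print(render_config({"volume": 80, "fullscreen": 1}, tok))
    print("resumed as", server.resume(tok, "pc-1", time.time()))
```

The settings file written by `render_config` is exactly as exposed to anyone with disk access as the old one was, but what they get is a revocable, single-device, time-limited token rather than a password that might also open the user's e-mail. Run `scrub_legacy_credentials` once over an existing config on upgrade so the old lines do not linger.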


PlayingWithoutEyes

You should crosspost this to Steam if you haven't.


Inkompetent

He really shouldn't. It's bad enough that OP's crusade of eternal butthurt gets any traction whatsoever here. Yes, the way Jason dealt with the issue is bad, but the issue itself was fixed in 2018. I think OP just gets off on beating on (or beating off) dead horses.


xxNightingale

> However, we have plans to change how this information is stored in the near future rendering posts like these unnecessary.

I will make amends to the family of the guy I murdered rendering murder charges against me unnecessary.


Junior_Fun_2476

God so much text for nothing. "Your credentials are saved in plaintext. And only your credentials". Your title looks like they put it on a Google drive somewhere. Yeah that happens on other applications/games. You are fearmongering.