

Mods: wotreplays.com - that website isn't wargaming, or is it?

is it or is it not :)

43 replies to this topic

echo7 #1 Posted 25 May 2013 - 06:41 PM

    Senior Sergeant

  • Beta Tester
  • 0 battles
  • 756
  • Member since:
    11-28-2010
Updated for TLDR of the thread:

- Wotreplays is an independent site, it's not associated with wargaming (according to ectar)

- The warnings several users received from wargaming support staff regarding the login (for which wotreplays uses wargaming's own auth-server via open id) seem to have been given only as a general recommendation. No wargaming employee or user reported cases of security attacks.

- If you wish to follow the wg-support's recommendation to upload only as guest-account, and not to use the shared openid-login, you can permanently disable the openid login for wotreplays.com at https://eu.wargaming.net/personal/ and deselect it under "Authorized Third-Party Websites"

- The details regarding the information categories wargaming shares via openid are disclosed at https://support.worl...cle/View/90/21/ .


Original thread start.

To show gameplay, discuss tactics etc, there are several websites hosting wot-replays.
Since my go-to-service for this, mwreplays, has been offline for some days now, I looked for another one.

A German forum mod pointed to the website wotreplays.com, I used it, but now I feel quite uninformed.

The website
wotreplays.com
uses a login which requires the wargaming.net login... openid; and it sure looks a lot like an official wargaming website.

Heck, it even says wargaming on the bottom, only if you look closely, it says "wargaming design"...

Is that website from wargaming? The "About" and a quick whois-query make me think differently.

And if not - it's pretty fishy to then make a look-a-like login which requires wot-user-data.
Or is this openid a partner service from wargaming which they provide to wotreplays.com?

Please mods (or wotreplays.com folks), inform us about the real status of the partnership between wargaming and wotreplays.

p.s.
As long as there is no confirmation from wargaming, I would STRICTLY recommend not using your wargaming account data as login; even if it looks & feels like wargaming's login.

Edited by echo7, 30 May 2013 - 08:41 AM.


teemu92 #2 Posted 25 May 2013 - 06:45 PM

    First Sergeant

  • Player
  • 0 battles
  • 1,382
  • Member since:
    12-07-2011
hmm, thanks for informing, won't log in to that site unless it's proven safe, thanks.

FatigueGalaxy #3 Posted 25 May 2013 - 08:25 PM

    First Sergeant

  • Player
  • 0 battles
  • 2,052
  • Member since:
    02-09-2011
You should educate yourself how OpenID works, my good sirs.
From https://eu.wargaming.net/

Quote

With the introduction of the Wargaming.net ID, you will get a unified account for all services by Wargaming.net. Whatever project you fancy joining, your ID will automatically grant access to all games and applications from Wargaming.net universe. Reaching partner and fan websites will become easier with OpenID authentication
How it works? You log in to Wargaming's service and it lets other sites know who you are (that you are you). It's like Urban Charter for internet: you don't need to buy separate tickets for buses, pool, zoo, cinema - you have all of them on one card.

Appearance of their site may be similar to official WoT site because they could use WG's fansite kit. It's still available somewhere.

echo7 #4 Posted 25 May 2013 - 08:43 PM

    Senior Sergeant

  • Beta Tester
  • 0 battles
  • 756
  • Member since:
    11-28-2010

FatigueGalaxy, on 25 May 2013 - 08:25 PM, said:

You should educate yourself how OpenID works, my good sirs.
How it works? You log in to Wargaming's service and it lets other sites know who you are (that you are you). It's like Urban Charter for internet: you don't need to buy separate tickets for buses, pool, zoo, cinema - you have all of them on one card.
Well, I know how open-id works.
The question for the mods is another one.

Is the website part of wargaming's partners? Is the login openid, or is it a redirecting phishing lookalike?

One thing is for sure; I was logged in with open-id (in the forums), however wotreplays didn't recognize the session - and wanted me to log in, even as the client browser was logged in. Therefore:

We need a confirmation from wargaming officials if wotreplays is truly authorized by wargaming with open-id, and whether the double login is just a tech problem or a phishing attack. All we need is a confirmation by wargaming officials for that.

And, dear FatigueGalaxy
a) - your amount of blind trust isn't a good thing on the internet. Phishing & cybercrime in general is a multi billion criminal industry; and wargaming *has* been compromised and under attack just recently.
b) - I started the thread actually because wargaming support has WARNED users to NOT use their account information on wotreplays.com, while a German forum mod recommended the website. Support and Forum mods often aren't synchronised with their info, so we need to know which one is correct.

FatigueGalaxy, on 25 May 2013 - 08:25 PM, said:

Appearance of their site may be similar to official WoT site because they could use WG's fansite kit. It's still available somewhere.
True; however we still need to know if support (which warns about wotreplays) or forum staff (which recommends it) are correct. If the website is not fraudulent, then it's no issue for a mod to confirm this.

FatigueGalaxy #5 Posted 26 May 2013 - 10:55 PM

    First Sergeant

  • Player
  • 0 battles
  • 2,052
  • Member since:
    02-09-2011
I don't think you know how it works.
Even if you're logged in the forums, official WoT site or anywhere else, you still will be asked to login again because it's wargaming's site. Portal, forum, Wargaming's site, WoWP site and forum - they never share your login session between each other.
So what double login?
You click "login" and you get a message that you'll get redirected to wargaming's site. Notice the "https" in the address bar, you can check the certificate, your connection is encrypted. It's legit. When you log in, you'll be asked for permission to authorize session on wotreplays.com by sharing your ID.

It's not a blind trust, It's a knowledge that helps me decide what is safe and what's not. So don't judge me and don't try to educate me. I don't need advice from a guy who can't tell if site is safe or not while he can clearly see legit address, connection encrypted with AES-256 and the certificate.
But you never can be 100% sure but you probably don't know how much effort you need to fake encrypted connection. People who can do that won't attack you to steal your WoT account, lol.
Also, it's easy to spot phishing in most cases because they don't use https and/or address of the site is wrong.

So how can it be phishing site when they're redirecting you to legit wargaming's site to authorize your session? If it would be phishing, they would ask for your WoT account login and password, not redirect you to wargaming.

Quote

b) - i started the thread actually because wargaming support has WARNED users to NOT use their account information on wotreplays.com,
That's interesting, could you share a link?

And yeah, wait for answer from our community team. They are sure well informed. Remember when they reacted about illegal mods/cheats? When the forums got flooded with threads about them and players started to rage there.

Rostlaube #6 Posted 26 May 2013 - 11:20 PM

    Senior Sergeant

  • Player
  • 0 battles
  • 515
  • Member since:
    04-03-2011
in this thread here, for official wot videos, they ask you to upload your videos to wotreplay.com.
http://forum.worldof...__ comments#top

this is why i am pretty sure, that the site is legit. so i started using it and used my wargaming login. would be strange, if wargaming linked us to a phishing site.

Baldrickk #7 Posted 27 May 2013 - 03:02 AM

    First Sergeant

  • Player
  • 0 battles
  • 2,129
  • Member since:
    03-03-2013

Rostlaube, on 26 May 2013 - 11:20 PM, said:

in this thread here, for official wot videos, they ask you to upload your videos to wotreplay.com.
http://forum.worldoftanks.eu/index.php?/topic/229223-video-series-rng-no-comments-replays-only/page__hl__%20comments#top
this is why i am pretty sure, that the site is legit. so i started using it and used my wargaming login. would be strange, if wargaming linked us to a phishing site.

Yeah I remember them linking to it touting their new redesign.

Homer_J #8 Posted 27 May 2013 - 03:22 AM

    First Sergeant

  • Beta Tester
  • 0 battles
  • 12,908
  • Member since:
    09-03-2010

FatigueGalaxy, on 26 May 2013 - 10:55 PM, said:

Wargaming's site, WoWP site and forum - they never share your login session between each other.

For your average user it would be better if it did.

Quote

It's not a blind trust, It's a knowledge that helps me decide what is safe and what's not.
Knowledge your average user doesn't have.

Your average user has been told to be suspicious of everything, and this looks suspicious.

echo7 #9 Posted 27 May 2013 - 04:52 AM

    Senior Sergeant

  • Beta Tester
  • 0 battles
  • 756
  • Member since:
    11-28-2010

FatigueGalaxy, on 26 May 2013 - 10:55 PM, said:

I don't think you know how it works.
Even if you're logged in the forums, official WoT site or anywhere else, you still will be asked to login again because it's wargaming's site. Portal, forum, Wargaming's site, WoWP site and forum - they never share your login session between each other.
So what double login?
The technical process is clear to me - however it's new for me that two authorizations are used in the same client-session.

FatigueGalaxy, on 26 May 2013 - 10:55 PM, said:

It's not a blind trust, It's a knowledge that helps me decide what is safe and what's not. So don't judge me and don't try to educate me. I don't need advice from a guy who can't tell if site is safe or not while he can clearly see legit address, connection encrypted with AES-256 and the certificate.
But you never can be 100% sure but you probably don't know how much effort you need to fake encrypted connection. People who can do that won't attack you to steal your WoT account, lol.
Here you are wrong - sadly. First of all, the account servers of wargaming themselves have been hacked, last time just recently in April. Payment systems wargaming uses have been hacked, last time I remember was playspan in October. And "legit address, connection encrypted with AES-256 and the certificate" don't block man-in-the-middle-attacks; in fact many ebanking attacks work that way often, and it's not complex to do so, especially as most users use older browsers with plenty of known exploits, together with outdated java, flash and quicktime. And heck, against a sophisticated MitM attack, not even a solid VPN helps.

And cybercrime in general is a multibillion industry, MMO a nice niche-market; and the sophisticated exploits are darn inexpensive to buy for interested folks, sadly.

Furthermore, even the foundations are no guarantee, as HTTPS/SSL itself has been hacked and compromised as well.
http://www.infoworld...n-hacked-174025

Please don't get me wrong - I don't say that ANY of the process or the sites is fraudulent, and I don't want to lecture you.
The warning from support was what made me ask.


FatigueGalaxy, on 26 May 2013 - 10:55 PM, said:

That's interesting, could you share a link?
And yeah, wait for answer from our community team. They are sure well informed. Remember when they reacted about illegal mods/cheats? When the forums got flooded with threads about them and players started to rage there.
Yeah, I will look it up later today - it was in the German subforum in a thread regarding alternatives to mwreplays - but now I have to go to work.

And the easiest solution would simply be to get an official answer from wargaming, all they have to say is : "Calm down, padawans, wotreplays is fully legit!".

p.s. / edit
found the thread in which the user writes about support warning them before leaving for work:
http://forum.worldof...ys#entry4866353
In case you don't understand German, rough translation:
The User "Boswelli" writes:
"Support told me very very clearly, to NOT login there with my Wot-Login. Even if the site seems to be, it's no official WG-site. To avoid any password-theft, only upload as guest-account, if at all."
In German he writes:
"Bzgl. wotreplays.com hat mir der Support dringend abgeraten, mich dort mit meinem WoT-Login anzumelden, denn auch wenn es den Anschein erweckt, ist es wohl keine offizielle Seite von WG! Um die Gefahr des Passwort-Diebstahls gar nicht erst einzugehen, sollte man dort nur als "guest" etwas hochladen, wenn überhaupt."

Edited by echo7, 27 May 2013 - 05:00 AM.


Cobra6 #10 Posted 27 May 2013 - 02:22 PM

    First Sergeant

  • Beta Tester
  • 0 battles
  • 6,405
  • Member since:
    09-17-2010
Posted 25th of May, how hard is it for a moderator to do a simple round around the office to ask if this website is legit and get back to us....

PM'ed the Community Team about this so they should be in contact with us shortly I hope/expect

Cobra 6

Edited by Cobra6, 27 May 2013 - 02:37 PM.


ninjafighter123 #11 Posted 28 May 2013 - 03:04 PM

    Private

  • Player
  • 0 battles
  • 6
  • Member since:
    11-05-2011
On the Website 'about' section it says:
About project
Friends! wotreplays.com was made for players by players. Please use it for replays sharing and learning more about World of Tanks.



So still a bit skeptical.

PrivateMonkeyz #12 Posted 28 May 2013 - 03:53 PM

    Sergeant

  • Player
  • 0 battles
  • 368
  • Member since:
    02-16-2013

ninjafighter123, on 28 May 2013 - 03:04 PM, said:

On the Website 'about' section it says:
About project
Friends! wotreplays.com was made for players by players. Please use it for replays sharing and learning more about World of Tanks.



So still a bit skeptical.

This Open ID thing is rather dangerous due to the fact that hackers can modify the Open ID link to target a fake site that looks just like the normal WoT.eu . It's not something that can not be done, and it sure will not be detected since wotreplays has nothing to do with Open ID

I'll do my *research* on that site to see how safe it is.
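The redirect check that posts #5 and #12 argue about, as an added example that is not part of any post in this thread: it parses an OpenID 2.0 login redirect and reports whether the provider host, scheme, `return_to` and realm are what a user of the site would expect. The function names, the endpoint paths and the `.example` hosts are constructed for illustration; only the host `eu.wargaming.net` comes from the thread.

```python
from urllib.parse import parse_qs, urlencode, urlsplit
# Provider host is taken from the thread; every path and .example host is constructed.
TRUSTED_PROVIDER_HOSTS = {"eu.wargaming.net"}
OPENID2_NS = "http://specs.openid.net/auth/2.0"

def host_matches_realm(host, realm_host):
    """OpenID 2.0 realms may start with a '*.' wildcard label."""
    if realm_host.startswith("*."):
        base = realm_host[2:]
        return host == base or host.endswith("." + base)
    return host == realm_host

def check_openid_redirect(url, relying_party_host):
    """Return the problems found in an OpenID 2.0 login redirect URL."""
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        problems.append("provider endpoint is not https")
    if host not in TRUSTED_PROVIDER_HOSTS:  # exact match, so lookalike suffixes fail
        problems.append("unexpected provider host: " + host)
    if parts.username or parts.password:
        problems.append("userinfo before the host (name@host form)")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if query.get("openid.ns") != OPENID2_NS:
        problems.append("not an OpenID 2.0 request")
    if query.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
        problems.append("not an authentication request")
    rt_host = (urlsplit(query.get("openid.return_to", "")).hostname or "").lower()
    realm_host = (urlsplit(query.get("openid.realm", "")).hostname or "").lower()
    if rt_host != relying_party_host:
        problems.append("return_to leaves the relying party: " + rt_host)
    if not realm_host or not host_matches_realm(rt_host, realm_host):
        problems.append("return_to is outside the declared realm")
    return problems

def build_redirect(endpoint, return_to, realm):
    """Build a constructed sample redirect for the checks below."""
    return endpoint + "?" + urlencode({
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.return_to": return_to,
        "openid.realm": realm,
    })

RP = "http://wotreplays.com/"  # constructed relying-party URLs
GOOD = build_redirect("https://eu.wargaming.net/placeholder-endpoint", RP + "return", RP)
LOOKALIKE = build_redirect("https://eu.wargaming.net.login.example/x", RP + "return", RP)
USERINFO = build_redirect("https://eu.wargaming.net@login.example/x", RP + "return", RP)
WRONG_RETURN = build_redirect("https://eu.wargaming.net/placeholder-endpoint",
                              "http://collector.example/return", RP)
if __name__ == "__main__":
    for name in ("GOOD", "LOOKALIKE", "USERINFO", "WRONG_RETURN"):
        print(name, check_openid_redirect(globals()[name], "wotreplays.com"))
```

An empty list means the redirect goes to the expected provider over https and returns to the site that started the login; it says nothing about what that site does with the identity it receives.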

VeryRisky #13 Posted 28 May 2013 - 04:49 PM

    First Sergeant

  • Player
  • 0 battles
  • 5,647
  • Member since:
    10-11-2012
OpenId is used by other companies. Certainly Hattrick.org uses it for 3rd party sites. It's a pretty good approach as far as I can see.

Ectar #14 Posted 28 May 2013 - 05:50 PM

    English Community Manager

  • WG Staff
  • 0 battles
  • 6,613
  • Member since:
    05-10-2012

Cobra6, on 27 May 2013 - 02:22 PM, said:

Posted 25th of May, how hard is it for a moderator to do a simple round around the office to ask if this website is legit and get back to us....

PM'ed the Community Team about this so they should be in contact with us shortly I hope/expect

Cobra 6

wotreplays.com is not an official World of Tanks website. We can't for example assist players with any issues on that site regarding uploading replays or site issues despite it linking to our support page.

Rostlaube #15 Posted 28 May 2013 - 06:02 PM

    Senior Sergeant

  • Player
  • 0 battles
  • 515
  • Member since:
    04-03-2011
thank you Ectar, but that clarifies ABSOLUTELY NOTHING!

i want to know if my account is compromised after using this site. a site i only used in the first place, because you from wargaming yourself asked us to use this site, here: http://forum.worldof...s-replays-only/

if your company linked me to a phishing site, i want to know it.

PrivateMonkeyz #16 Posted 28 May 2013 - 07:07 PM

    Sergeant

  • Player
  • 0 battles
  • 368
  • Member since:
    02-16-2013

Ectar, on 28 May 2013 - 05:50 PM, said:

wotreplays.com is not an official World of Tanks website. We can't for example assist players with any issues on that site regarding uploading replays or site issues despite it linking to our support page.

Just like I said, this is a serious security issue.

Cobra6 #17 Posted 28 May 2013 - 10:38 PM

    First Sergeant

  • Beta Tester
  • 0 battles
  • 6,405
  • Member since:
    09-17-2010

Ectar, on 28 May 2013 - 05:50 PM, said:

wotreplays.com is not an official World of Tanks website. We can't for example assist players with any issues on that site regarding uploading replays or site issues despite it linking to our support page.

Thanks for the reply Ectar, however, what we players want to know is: Is it safe to use or not. Are our accounts at risk of getting hacked/exploited or is it a secure system.

Cheers,

Cobra 6

Edited by Cobra6, 28 May 2013 - 10:40 PM.


echo7 #18 Posted 29 May 2013 - 09:28 AM

    Senior Sergeant

  • Beta Tester
  • 0 battles
  • 756
  • Member since:
    11-28-2010
so, is it not legit of that website to use (or falsify) the wargaming login?

if so, you should warn users asap, ectar!

Ulys #19 Posted 29 May 2013 - 11:44 AM

    Sergeant

  • Player
  • 0 battles
  • 266
  • Member since:
    04-30-2011
This thread is so funny if you have any computer knowledge :D

Mucker #20 Posted 29 May 2013 - 11:55 AM

    Senior Sergeant

  • Player
  • 0 battles
  • 757
  • Member since:
    04-15-2011
My gut feeling is that players that used wotreplays.com should change their login data ASAP.
I'm not saying the service is fishy per se, but you shared confidential information with a third party and you just cannot be sure who has access to your data and the risk of misuse is quite high.