Closed How Safe Is Your HumbleBundle?

Contrary to my other posts this is no joke:

This was literally the second result when I searched "Starbound redeem badge" in Google
Try it- if it doesn't work here's the link:
-REDACTED-

Sorry DrChemistry for throwing you under the bus.

 

I've cross-posted this to the admin forum for better visibility (it's the top-most forum in the forum listing and will remain as the most recent post longer there than it would here).

 

Thats good thanks Jonesy.^
It's just a little unnerving considering some of the $$ people spent on da game...

 

You can say that again!
Please don't Google me. jk

Hmm... maybe the tier rewards page shouldn't be so volatile.
I do like the fact that you can change your submissions...
But perhaps it is safer just to "set the submissions in stone" so to speak.

 

I found another person using some google tricks I know. This is defiantly not a good thing. Though why is googlebot accessing these. Omiting link and process so trolls don't mess with the poor users account (asked Jonesy to notify them though).

I see your robots.txt does lacks "Disallow: /redeem/" that might be why googlebot is finding them.

 

It's actually only indexed two; both of which were posted on another site.

 

Ahh, That makes sense.

Edit: Well darn, seeing how the email the other key is bound to is Russian and the site that posted the two keys is also Russian I'm not sure the email belongs to the proper owner of the page. Think someone should still shoot the email a message about this?

 

Damn you Google...
she's just too powerful,
but I need her!!!

 

Doesn't google only index links that are commonly (or just at all) linked to in public?

Which also according to google, it has been twice.

 

Yeah, looks like they were posted on a Russian version of 2 chan and one of those sites that aggravates chan post or something.

 

Hello TheLastStarfighter,
now somebody change this email adress of this DrChemistry so he will never receive the notification when starbound is out. Could you not sent this problem direcly to the adims instand of posting it her (no offense)? Sure somebody should inform the adims about that but still i would do that in private message.

Therefore to protect DrChemistry data. I would move this topic to not public board. (that would be my suggestion) Than work on hotfix for this.

McRib

 

Dang! Good point McRib-
Well... too late!

 

To late is to late.. but thanks for finding this major lack. Before beta release... .

 

So anyone that knows you'r key can change it? I think it would be better to lock the submit details after the first submit, and make a e-mail to talk to teh develoeprs if you need it to change.

 

For the admin: The NPCs Name/email Adresse have been Change if possible try to recover the old names. Or contact the ower of the account.

 

I would imagine that the devs has some way of linking keys to the info from the original purchaser (paypal emails and such). Currently it looks like as long as you claimed the bundle page to a humble account if your key is leaked it should still be safe, but unclaimed pages might be in danger. Other then that is seems the only real threat is someone getting the "beta is out, check your humble page for download" message instead of you and messing with NPC names (possibly weapon, hat, and statue ideas if one of those tiers was leaked as well as possibly the name for the credits). Overall as long as your bundle pages is claimed your copy of the game should be safe, as well as your forum badge (if claimed). The worst it appears someone could do is prank you and change your suggestions to something nasty. But not as bad as it could have been since it appears only two keys were figured out. However if their is not a limit on how many times someone can try random key combos it might be possible someone could find more with a bit of computational magic.

I would suggest in the meantime claiming a page to a bundle account just in case and checking to make sure your email and any rewards you are entitled to have not been edited maybe once in a while incase a larger scale key leak happens.

 

I've added it to the robots.txt. (Which is to say, I've added a robots.txt) But really the only way to make this 100% safe is to create some sort of login system.

I also redacted the information. Which was as simple as editing the post. Which you could have done.

In the future, I would urge you to take these matters up privately with the team. It's not like we have a poor disclosure track record. And it would give us the time to resolve these issues properly, rather than making a quick band-aid fix.

 

lols..
I'm sorry but you do realise people can still do this:
"This was literally the second result when I searched "Starbound redeem badge" in Google".
Maybe edit that out as well..same thing with this reply, I'm sorry about I can't see a way to tell you this without quoting it..

 

Website account based on e-mail used for Humble Store?