Just because I like to be prepared way ahead of time, and I suck at web coding, I've written the Steam key distributor and put it up for testing. It is giving out fake test keys only for now - not real Steam keys. This is the system that will assign keys to people who purchased the game before Steam release. I want to test it early because it has to be secure when the time comes - please don't take this as an indication that Steam release is upon us.
http://rimworldgame.com/getmygame
Please don't share the link, but try to hack into it or break it any way you can think of! I'd love to hear of anything you can make go wrong.
Also note there are only 100 keys in the database, so it will run out of keys. This will help me test the code for handling it being out of keys, and the process for adding more keys.
Please keep this thread on topic and don't ask me about who is getting a key. There's no new information on that, this is purely about technical testing.
Thanks all.
Seems to work for me. I know you said fake keys but I still tried it on Steam :D
Everything looked good on my end! Thanks Ty!!
Took almost a half hour for the email to arrive, but everything looks good.
Thanks everyone.
I still encourage you to try to hack and break the distributor!
Two requests sent about an hour ago, still waiting on the emails. Did the keys run out or is this an indication of an issue?
Fake email attempted. Passed.
Non purchaser email attempted. Passed.
Quote from: Kezat on June 18, 2015, 03:35:23 PM
Two requests sent about an hour ago, still waiting on the emails. Did the keys run out or is this an indication of an issue?
Fake email attempted. Passed.
Non purchaser email attempted. Passed.
I see you in the log file. You sure you didn't receive anything? Check your spam box please?
Well, that didn't take 15 minutes - it was more like 15 seconds!
(Use Yahoo mail and it didn't get caught in their spam filter.)
Just noticed that the 'send link' button looks like RimWorld's own buttons - neat.
All that brown seems rather drab now.
I got it, but I received it in my spam-box
Sorry about the delay, could not check my spam folder on my phone.
Spam folder is empty, emails still not received. I will try getting a key sent again to check it was a fluke. Let me know if I can help to troubleshoot this somehow.
Edit:
3rd try 30min ago, still no email.
Quote from: Tynan on June 18, 2015, 03:47:14 PM
Quote from: Kezat on June 18, 2015, 03:35:23 PM
Two requests sent about an hour ago, still waiting on the emails. Did the keys run out or is this an indication of an issue?
Fake email attempted. Passed.
Non purchaser email attempted. Passed.
I see you in the log file. You sure you didn't receive anything? Check your spam box please?
Just gave it a try. Email Appeared in seconds. :)
Quote from: Kezat on June 18, 2015, 07:11:44 PM
Sorry about the delay, could not check my spam folder on my phone.
Spam folder is empty, emails still not received. I will try getting a key sent again to check it was a fluke. Let me know if I can help to troubleshoot this somehow.
Edit:
3rd try 30min ago, still no email.
I guess I'm just going to have to work on deliverability.
Worked fine for me.
Worked for me with outlook but it was sent to the junk folder
Worked for me, found the email in the junk folder eventually.
Also, just for giggles I searched the forum for people publicly posting email addresses. Ran a few through the distributor until I hit one that was also used to purchase RW. So someone else got an unsolicited email with their fake Steam keys (don't remember who it was, sorry). Doesn't seem to be a very hackable approach, so I didn't do anything else with it.
Seems good on the sql injection side.
I got my email but actual key was not in it. It just said "Your Steam key(s): "
I know they aren't real keys but someone else in the thread said they still tried it in Steam so I assume there's supposed to be an actual fake key there. It's possible that you're out now, but 100 keys and 16 responses lol, just checking
EDIT: It's also worth noting that I bought the game after the guaranteed key date, idk if that is implemented in the test or not
Quote from: puddlejumper448 on June 22, 2015, 07:53:56 PM
I got my email but actual key was not in it. It just said "Your Steam key(s): "
I know they aren't real keys but someone else in the thread said they still tried it in Steam so I assume there's supposed to be an actual fake key there. It's possible that you're out now, but 100 keys and 16 responses lol, just checking
EDIT: It's also worth noting that I bought the game after the guaranteed key date, idk if that is implemented in the test or not
Maybe it's out of Steam keys! Let me look. I was waiting for this.
I got the same result as puddlejumper (I bought the game before the key date thing ended). Got the right sendowl link though. Tried a non purchase email and (correctly I imagine) got : No orders for RimWorld were found under the email [email]. Please check that this is your exact purchase email as described below.
I got the email right away, but it appeared in my junk folder (I had a feeling it might have). Also, I'm on a hotmail email account.
Yep, sounds like it's out of keys. Working on it, thanks.
Tynan, my brother bought two copies of RW, of which he gave one to me, but it's still linked to his e-mail account. Will you be incorporating multi-key e-mail addresses into this tool? There might be others in the same situation :)
Quote from: Praeses on June 23, 2015, 07:38:29 AM
Tynan, my brother bought two copies of RW, of which he gave one to me, but it's still linked to his e-mail account. Will you be incorporating multi-key e-mail addresses into this tool? There might be others in the same situation :)
Yes, it'll give you all your keys.
One security idea (that I can't test) is purchasing RW with an email address that contains special characters that could also be used as an exploit. For example, single-quote can be involved in SQL injection and is in a valid email address (https://en.wikipedia.org/wiki/Email_address#Local_part). Something like '%20or%[email protected] is a valid email and, in the right circumstances, might be an exploit.
Here are some security questions I have for you, Tynan:
- Do you, at any point, use the validated email data in an OS command, PHP eval(), or some other place that would have a special meaning (e.g. # is a common comment character, ; can be used in OS command injection)? I'm mostly concerned about the email sending part and OS command injection (use an API, not a shell command)
- Do you use prepared statements with binding variables (no string concatenation with variables) when hitting the database?
- Do you have character sets specified in both your php script and the database? That's one way attackers tend to bypass input validation. UTF-8 tends to be the standard these days.
- Is this on a separate server? Suppose I get in to this web server, what else could I mess with? Same goes for the database: if I get into that, is there anything else valuable that I could get into?
(obviously you don't need to post your answers, just food for thought)
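An added illustration of the second question above (prepared statements versus string concatenation); this is not the distributor's own PHP code, and the orders table and addresses are constructed for the demo, using Python with sqlite3 so it runs stand-alone:

```python
import sqlite3

# Constructed sample orders (not real purchase data). Note the apostrophe in
# the second address: it is a valid local part, exactly the case raised above.
SAMPLE_ORDERS = [
    ("alice@example.com", 1001),
    ("o'brien@example.com", 1002),
    ("bob@example.com", 1003),
]


def make_db():
    """In-memory table standing in for the purchase database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (email TEXT NOT NULL, order_id INTEGER NOT NULL)")
    db.executemany("INSERT INTO orders VALUES (?, ?)", SAMPLE_ORDERS)
    return db


def orders_by_concat(db, email):
    """The 'string concat' lookup: the address becomes part of the SQL text."""
    sql = "SELECT order_id FROM orders WHERE email = '" + email + "' ORDER BY order_id"
    return [row[0] for row in db.execute(sql)]


def orders_by_prepared(db, email):
    """Prepared statement with a bound parameter: the address is data, never SQL."""
    sql = "SELECT order_id FROM orders WHERE email = ? ORDER BY order_id"
    return [row[0] for row in db.execute(sql, (email,))]


def lookup_outcome(fn, email):
    """Run one lookup against a fresh table; report rows or the error class name."""
    db = make_db()
    try:
        return ("ok", fn(db, email))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    finally:
        db.close()
```

With concatenation, a legitimate customer whose address contains a quote gets a database error instead of their keys, and a quote-bearing address of the shape described above can match orders that are not its own; the bound-parameter version returns only exact matches in both cases.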
Quote from: andyprogrammer on June 23, 2015, 04:25:24 PM
One security idea (that I can't test) is purchasing RW with an email address that contains special characters that could also be used as an exploit. For example, single-quote can be involved in SQL injection and is in a valid email address (https://en.wikipedia.org/wiki/Email_address#Local_part). Something like '%20or%[email protected] is a valid email and, in the right circumstances, might be an exploit.
Here are some security questions I have for you, Tynan:
- Do you, at any point, use the validated email data in an OS command, PHP eval(), or some other place that would have a special meaning (e.g. # is a common comment character, ; can be used in OS command injection)? I'm mostly concerned about the email sending part and OS command injection (use an API, not a shell command)
- Do you use prepared statements with binding variables (no string concatenation with variables) when hitting the database?
- Do you have character sets specified in both your php script and the database? That's one way attackers tend to bypass input validation. UTF-8 tends to be the standard these days.
- Is this on a separate server? Suppose I get in to this web server, what else could I mess with? Same goes for the database: if I get into that, is there anything else valuable that I could get into?
(obviously you don't need to post your answers, just food for thought)
Thanks for the info - I never would have thought of making an email like '%20or%[email protected] :p
Anyway, answers are:
-No, only SQL commands.
-No, it's just string concat for now.
-No, I'll fix this now thanks!
-It is on the rimworldgame.com sub-account, which is connected to the creative reward database (nothing too scary there) and the steam key database (very scary!). But theoretically nobody could penetrate to ludeon.com as they're isolated accounts on the server.
I tried it yesterday but never got any email. I did check the spam folder.
Quote from: seanp on June 23, 2015, 04:45:51 PM
I tried it yesterday but never got any email. I did check the spam folder.
Thanks for the info. I've made a couple changes, could you try again now?
I tried just now and got the email but the "Keys" area was blank, as mentioned before. Likely out of keys again. Otherwise looks good!
Ok! I've heavily reworked the system. You can take the email, or you can enter your personal download link and the game will give you your Steam key right on the website.
andy I've switched it to prepared statements for greater safety, thanks!
All test data has been cleared, there are now 100 fake test keys in there. Please test it, I'd appreciate it!
Tried it and right away got a Steam Key in my gmail, no wait necessary!
Tried the download link one, displays key no problem.
Hmm.. email delivery worked fine, but DL link method claimed 'order not complete'
SendOwl gave me a code quickly,
email link went straight through to my yahoo email, within seconds.
edit: also gave me the same steam key from both.
Quote from: Drahkon on June 24, 2015, 05:15:31 AM
Hmm.. email delivery worked fine, but DL link method claimed 'order not complete'
Thanks! It's because yours is imported. Let me fix it.
EDIT: should be fixed, give it another shot!
The download link worked fine for me, pressed the robot button, entered code, pressed submit, got the code right away.
Edit: Just a question, are the order numbers based off the actual order amounts at all? Just because mine's in the three millions, so wondering.
Quote from: Z0MBIE2 on June 24, 2015, 01:59:35 PM
Just a question, are the order numbers based off the actual order amounts at all? Just because mine's in the three millions, so wondering.
No. I think they're numbers global to SendOwl, so all SendOwl products overall have sold that number.
Yes, it worked that time. Got the email right away, and the steam key display also worked.
Quote from: Tynan on June 23, 2015, 04:58:53 PM
Quote from: seanp on June 23, 2015, 04:45:51 PM
I tried it yesterday but never got any email. I did check the spam folder.
Thanks for the info. I've made a couple changes, could you try again now?
Awesome thanks seanp!
Tested it with my SendOwl download link to display steam key
- display steam key worked fine
Tested it with my purchase email address
- steam key arrived almost immediately into my Junk folder.
Looks successful. I am using a "hotmail.com" address.
Quote from: Tynan on June 24, 2015, 01:14:44 PM
Thanks! It's because yours is imported. Let me fix it.
EDIT: should be fixed, give it another shot!
Yep, that did the trick. Looks good.
Send email link/key worked this time, whatever you changed to fix this worked, email was almost instant. :)
4 days in a row now, I'm getting [out of keys, try tomorrow] when I enter my email, aren't any keys left?
Quote from: peraldavid on September 19, 2015, 06:25:41 PM
4 days in a row now, I'm getting [out of keys, try tomorrow] when I enter my email, aren't any keys left?
He says in the original post that there's only 100 keys (all fake, of course). The idea was to stress test, bug, break, and cheat the system for when the REAL delivery system comes around, for those who have purchased the game.
Quote from: TheSilencedScream on September 19, 2015, 06:29:48 PM
Quote from: peraldavid on September 19, 2015, 06:25:41 PM
4 days in a row now, I'm getting [out of keys, try tomorrow] when I enter my email, aren't any keys left?
He says in the original post that there's only 100 keys (all fake, of course). The idea was to stress test, bug, break, and cheat the system for when the REAL delivery system comes around, for those who have purchased the game.
Thank you very much, I understand now ;)