Steam key distributor test site is up (without real Steam keys)

Started by Tynan, June 17, 2015, 11:42:35 PM


milon

Worked for me, found the email in the junk folder eventually.

Also, just for giggles I searched the forum for people publicly posting email addresses.  Ran a few through the distributor until I hit one that was also used to purchase RW.  So someone else got an unsolicited email with their fake Steam keys (don't remember who it was, sorry).  Doesn't seem to be a very hackable approach, so I didn't do anything else with it.

macrosblackd


puddlejumper448

I got my email but actual key was not in it. It just said "Your Steam key(s):  "

I know they aren't real keys but someone else in the thread said they still tried it in Steam so I assume there's supposed to be an actual fake key there. It's possible that you're out now, but 100 keys and 16 responses lol, just checking

EDIT: It's also worth noting that I bought the game after the guaranteed key date, idk if that is implemented in the test or not

Tynan

Quote from: puddlejumper448 on June 22, 2015, 07:53:56 PM
I got my email but actual key was not in it. It just said "Your Steam key(s):  "

I know they aren't real keys but someone else in the thread said they still tried it in Steam so I assume there's supposed to be an actual fake key there. It's possible that you're out now, but 100 keys and 16 responses lol, just checking

EDIT: It's also worth noting that I bought the game after the guaranteed key date, idk if that is implemented in the test or not

Maybe it's out of Steam keys! Let me look. I was waiting for this.
Tynan Sylvester - @TynanSylvester - Tynan's Blog

RayvenQ

I got the same result as puddlejumper (I bought the game before the key date thing ended). Got the right SendOwl link though. Tried a non-purchase email and (correctly I imagine) got: No orders for RimWorld were found under the email [email]. Please check that this is your exact purchase email as described below.

I got the email right away, but it appeared in my junk folder (I had a feeling it might have). Also, I'm on a Hotmail email account.

Tynan

Yep, sounds like it's out of keys. Working on it, thanks.
Tynan Sylvester - @TynanSylvester - Tynan's Blog

Praeses

Tynan, my brother bought two copies of RW, of which he gave one to me, but it's still linked to his e-mail account. Will you be incorporating multi-key e-mail addresses into this tool? There might be others in the same situation :)

Tynan

Quote from: Praeses on June 23, 2015, 07:38:29 AM
Tynan, my brother bought two copies of RW, of which he gave one to me, but it's still linked to his e-mail account. Will you be incorporating multi-key e-mail addresses into this tool? There might be others in the same situation :)

Yes, it'll give you all your keys.
Tynan Sylvester - @TynanSylvester - Tynan's Blog

andyprogrammer

One security idea (that I can't test) is purchasing RW with an email address that contains special characters that could also be used as an exploit. For example, single-quote can be involved in SQL injection and is in a valid email address (https://en.wikipedia.org/wiki/Email_address#Local_part). Something like '%20or%[email protected] is a valid email and, in the right circumstances, might be an exploit.

Here are some security questions I have for you, Tynan:
- Do you, at any point, use the validated email data in an OS command, PHP eval(), or some other place that would have a special meaning (e.g. # is a common comment character, ; can be used in OS command injection)? I'm mostly concerned about the email sending part and OS command injection (use an API, not a shell command)
- Do you use prepared statements with binding variables (no string concatenation with variables) when hitting the database?
- Do you have character sets specified in both your php script and the database? That's one way attackers tend to bypass input validation. UTF-8 tends to be the standard these days.
- Is this on a separate server? Suppose I get into this web server, what else could I mess with? Same goes for the database: if I get into that, is there anything else valuable that I could get into?

(obviously you don't need to post your answers, just food for thought)
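As an added illustration of the difference this post draws between string concatenation and prepared statements (the change Tynan later says he made), not code from the key distributor itself: a constructed in-memory purchases table, looked up both ways with an RFC-valid email that contains a single quote.

```python
import sqlite3

# Constructed sample data; the real distributor's schema is not on the page.
# One buyer holds two keys, matching the "all your keys" case in the thread.
PURCHASES = [
    ("alice@example.com", "FAKE-KEY-0001"),
    ("alice@example.com", "FAKE-KEY-0002"),
    ("bob@example.com", "FAKE-KEY-0003"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE purchases (email TEXT NOT NULL, steam_key TEXT NOT NULL)")
    db.executemany("INSERT INTO purchases VALUES (?, ?)", PURCHASES)
    return db


def keys_by_concat(db, email):
    # Concatenation: the email text becomes part of the SQL statement itself,
    # so a quote in a legitimate address either breaks the query (None here)
    # or, with a crafted address, rewrites the WHERE clause.
    sql = "SELECT steam_key FROM purchases WHERE email = '" + email + "'"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error:
        return None


def keys_by_prepared(db, email):
    # Bound parameter: the email is passed as data and is never parsed as SQL,
    # so a quote is just a character in the address being compared.
    rows = db.execute("SELECT steam_key FROM purchases WHERE email = ?", (email,))
    return [row[0] for row in rows]


def lookup(db, email):
    # The response shape mirrors the messages quoted in the thread.
    keys = keys_by_prepared(db, email)
    if not keys:
        return "No orders for RimWorld were found under the email %s." % email
    return "Your Steam key(s): " + ", ".join(keys)


if __name__ == "__main__":
    db = make_db()
    print(lookup(db, "alice@example.com"))
    print(lookup(db, "o'brien@example.com"))
    print(keys_by_concat(db, "o'brien@example.com"))
```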

Tynan

Quote from: andyprogrammer on June 23, 2015, 04:25:24 PM
One security idea (that I can't test) is purchasing RW with an email address that contains special characters that could also be used as an exploit. For example, single-quote can be involved in SQL injection and is in a valid email address (https://en.wikipedia.org/wiki/Email_address#Local_part). Something like '%20or%[email protected] is a valid email and, in the right circumstances, might be an exploit.

Here are some security questions I have for you, Tynan:
- Do you, at any point, use the validated email data in an OS command, PHP eval(), or some other place that would have a special meaning (e.g. # is a common comment character, ; can be used in OS command injection)? I'm mostly concerned about the email sending part and OS command injection (use an API, not a shell command)
- Do you use prepared statements with binding variables (no string concatenation with variables) when hitting the database?
- Do you have character sets specified in both your php script and the database? That's one way attackers tend to bypass input validation. UTF-8 tends to be the standard these days.
- Is this on a separate server? Suppose I get into this web server, what else could I mess with? Same goes for the database: if I get into that, is there anything else valuable that I could get into?

(obviously you don't need to post your answers, just food for thought)

Thanks for the info - I never would have thought of making an email like '%20or%[email protected] :p

Anyway, answers are:

- No, only SQL commands.
- No, it's just string concat for now.
- No, I'll fix this now thanks!
- It is on the rimworldgame.com sub-account, which is connected to the creative reward database (nothing too scary there) and the steam key database (very scary!). But theoretically nobody could penetrate to ludeon.com as they're isolated accounts on the server.
Tynan Sylvester - @TynanSylvester - Tynan's Blog

seanp

I tried it yesterday but never got any email.  I did check the spam folder.

Tynan

Quote from: seanp on June 23, 2015, 04:45:51 PM
I tried it yesterday but never got any email.  I did check the spam folder.

Thanks for the info. I've made a couple changes, could you try again now?
Tynan Sylvester - @TynanSylvester - Tynan's Blog

gibbsman

I tried just now and got the email but the "Keys" area was blank, as mentioned before. Likely out of keys again. Otherwise looks good!

Tynan

Ok! I've heavily reworked the system. You can take the email, or you can enter your personal download link and the game will give you your Steam key right on the website.

andy, I've switched it to prepared statements for greater safety, thanks!

All test data has been cleared, there are now 100 fake test keys in there. Please test it, I'd appreciate it!
Tynan Sylvester - @TynanSylvester - Tynan's Blog

starryknight64

Tried it and right away got a Steam Key in my gmail, no wait necessary!