insufficient evidence

Link the current Sythe account: MyPvM

Which violation you are reporting the user for: False advertising of their plugin security, making false statements to clients, staff members and other forum users and putting their clients accounts and data at risk.

Why you think they're violating Sythe rules: The accused user has throughout multiple posts and threads claimed that a plugin in their possession, which is used by their Boosters/Staff to access client accounts, is completely secure and does not in any way allow the booster to access client information such as Login/Password or bankpin: Quoting from thread 4224050:

“Clients do NOT have to share details
Clients do NOT have to share bankpin
No booster/worker has ever access to client details.”



The purpose of this report is to debunk the “blatant lies” used here for false advertising and promoting their server / services, allowing the offender to claim a large market share for their services on the base of false security that they are promising their clients and other bystanders reading their content on the forum.

1. The clients are indeed required to share their details and bankpin – despite this not being done directly to the booster, the client is obviously required to input their account data for the boosters to be able to access it – this should come as no surprise, but these two points are also not the main focus here, what I want to put complete emphasis on is the third listed argument for why they are, quoting: “the safest and that is not subjective, as it is PROVEABLE”:
   
   
2. “No booster/worker has ever access to client details”. I’ve been working as a software developer for 13 years, throughout various programming languages, companies and systems, anywhere from Freelancing on my own to developing Military Defence Systems used within NATO countries. With the knowledge I have gained throughout these 13 years, as well as an internal discussion with 2 other military grade developers way past my level of knowledge, we could come up with only one solution to make a plugin like this completely safe and without the booster holding onto the client’s account data on their pc, unencrypted, at one time or another during the login process. We estimated the development time of such a system to take multiple weeks of full-time work of an entire, highly advanced, development team.

Given this estimation, I highly doubt that this is the solution the offender’s plugin developer has implemented, and I can, with the confirmation of MyPvM through their chat logs, state that their plugin instead works on simple network requests (may it be REST or WS) between the plugin and a server. As no Blackhat activity is allowed on the forum, no attempts to decompile their plugin has been made. Due to this, I can not confirm whether the account data is being transferred in an encrypted or plain-text state. This however does not make a significant difference, as the client’s data would need to be decrypted prior to sending a login request to Runescape servers either way, and for this the encryption/decryption key must be available on the booster’s pc / within the plugin or one of its installer resources.
Any developer with minimal networking knowledge can easily catch the client data packet on its way from the server, decrypt it using the key they already have locally on their pc (or even skip this step if the data isn’t encrypted) and access the clients data whenever/however they may want.

I have made an attempt to inform the offender about this issue privately through their discord ticketing system, and was met with harassment as well as comparing their safety to Pentagon’s security (A system that I am not familiar with, but I must admit to having my doubts) and in the end acknowledgement of them being aware of the security flaw, but as one of the Owners of the server shortly commented, quoting: “So what?”

For the paragraph above, I would like to quote a statement made by the offender in thread 4224050, which contradicts their actions displayed in the transcript: “Nice sources that you have, that can't stand up if it the plugin is so bad that they are jealous of it. @Pikachu please reach out to me (Niki) and I can show you around. There is legit nothing that we hide from public as it is not needed. If anyone else wants to see the amazing way of protecting customer accounts, I will make some time for you. Even though testing > theory. ”




This again proves that when approached about their lies in private, the offender does not withstand their word that is publicly given for everyone to see.

I have included the transcript of the ticket conversation mentioned above, where I was promised a public apology on Sythe from the owners when the security flaw has been proven. Sadly, all I got was a permanent ban from the server titling: “wasting time, proving stuff”.



The fully uploaded and formatted transcript can be found here, to not require any downloading from the staff team in the process of viewing evidence: https://i.imgur.com/zY5EKvo.png


If one of the administrators wishes to see a demonstration of how easily the security plugin can be used to retrieve client’s data (without any Blackhat activity involved) I will be more than glad to demonstrate the full process in private.

I have also developed an equivalently secure plugin myself over the last 2 days to allow for non-lying service providers to stand on the same ground as the offender, as long as no lies are used to market the safety or functionality of said software.

I believe this to be at least a temporarily bannable offense from the offender’s side, as it:

• Gave their service a false advantage over other services, who did not refrain to lies about the safety of their systems to their clients.
  
  
• Put their clients data and accounts at risk, without clarifying that to the client, and even worse giving them an invalid sense of safety when using their services.
  
  
• Gave them a backbone for their marketing, and was used as it since the plugin was taken into use.

They also refrained from correcting this critical misinformation to their clients when informed about it, meaning that unawareness of the issue can no longer be used as an excuse, and ignorance is not a valid exempt from punishment withing Sythe’s TOS.

 

We'll respond to everything if Sythe Mods ask us to.

But damn brother, from Military Defense System and NATO to trying to crack a plugin on OSRS and sucking some service providers dick, you're the real deal

 

I believe Flaming, Harassment, Trolling is against the official rules of Sythe. The Official Sythe.org Rules

 

Agreed, you should be banned. You're harassing us, and you made this troll post

 

I would really appreciate if you posted the full context of the conversation from which you took the image, which I have done for all the quotes above, as well as which chat it was taken from, as I believe this wasn't a chat between me and you. Also, is that a message I provided / uploaded / sent within the content of Sythe?

 

You keep asking us for stuff, it's getting annoying.

First, you ask for our house keys, so you could crack our plugin (I can provide the full transcript)
Secondly, you're asking us to respond to your delusional report, making us lose time.
And third, this is my last post unless a Sythe Mod ask us for something, which I really doubt because there's no solid evidence.

xoxo

 

I didn't want to involve more people into this, but as you all seem acquainted already given that you have screenshots from my conversations with other members than you, I assume they asked you to involve them, so this shouldn't be a problem.

Here is the full transcript of the conversation from where the screenshot posted above has been taken: https://i.imgur.com/viOYAi5.png

 

The offender claimed to be willing to provide proof of the security themselves, as I have quoted twice above. In my process of asking for said evidence, I was banned, which I also included both explanation of and image proof of.

As per your request, I have replaced the transcript links with full IMGUR screenshots of the whole transcripts.

I can only retrieve one of the discord ID's, as I was banned from the server in which the other conversation was held.

MyPVM Transcript: https://i.imgur.com/zY5EKvo.png
xKylee Transcript: https://i.imgur.com/viOYAi5.png
Id retrieval: Screen capture - b224608496ac26514fe61379b7d2ccb1 - Gyazo

The evidence is technical, and requires a "techie" to understand. A plain text password can not be "securely stored" if it needs to be used in plaintext, which is what runescape authentication servers require to log a user in and provide a valid auth token. Anyone with even minor tech experience will understand that there are no exceptions.

 

It's being sent via HTTPS. The certificate is issued by Let's Encrypt. Sniffing the payload during transport is not possible.

 

I never said a thing about "sniffing payload during transport". You can grab the payload on the boosters PC upon arrival.

I am more than happy to hear that people are aware of https and certificates, much less happy to not have them know about local SSL Proxying. The content of your reply further proves the complete lack of security of the plugin.

 

You can't local SSL proxy if there's a pre-flight check in the plugin that checks the remote certificate's authority. Sure, you can install your own Root CAs and forge certificates, but you can't forge a certificate from a specific Root CA.

 

You don't need to forge anything, because everything is already on your computer as a booster. If it wasn't the plugin wouldn't be able to de-crypt the user data to be able to log in. Once again, nothing you said is related to the statement I've provided. Why would you need to forge content which you already possess locally?

Pre-flight in the plugin? As far as I know the plugin is the receiver, not the sender of the user credentials.

Do you guys not have any more knowledgeable developers to send at this report?.. This, in addition to all the harassment on discord by community members and staff members, really makes me start to believe that I'm wasting my time here talking to a bunch of incompetent liers and wannabe devs.

I truly hope you, Techie, take your time to dig in to what I've said and what claims / actions have been taken from the opposing part and come to the logical conclusion.

I'll gladly answer any questions directed towards me, but I won't waste more time on debunk unrelated responses that put in lots of "fancy tech words" with no relation to the topic to confuse the readers and those deciding on the final verdict.

 

Honestly, I'm a little confused here. When have I not responded to your concerns?



https://www.cloudflare.com/learning...s and responses are,that anyone can read them.

I respond with the fact that we're using HTTPS.

Then you double down and talk about local SSL proxying, a type of MITM attack.

I respond with the fact that it's not possible, since you'd have to forge a certificate with a private key that you don't have.

Now you want to talk about how the plugin is decrypting data on the booster's side? Want me to run you over my whole aritechuture while I'm at it?

Now you've degraded yourself to verbally attacking me. It's almost like you have no idea how these attacks work. I don't think it takes "fancy tech words" to see where this conversation is leading to.

You feel like you're wasting time to an wannabe dev? Can you imagine how I feel when @MyPvM puts me up on stage and asks me to talk to a guy that:

Like take it from my perspective; I have to argue with a guy that's been a "software developer for 13 years ... [and has developed] Military Defence Systems used within NATO countries". Might I note that this is the same guy that had his emails, social media, and gaming platforms breached 7 years ago. Like fuck me bro, who are you to preach about security? I can't believe I have to deal with this shit.

 

I've got nothing against you personally, other than defending a client despite knowing that they are in the wrong. I believe it must feel completely trash to have to defend false claims because your employer forces you to, but that is not something that I have forced you to do. The appropriate answer to that request should have been: "No, I will not publicly lie about the software I made to defend your public image just because you're paying me, you shouldn't have falsely advertised the safety of the software that I develop without my knowledge".

I'd gladly invite you to take on the networking an security course, and if it wasn't for the DNT I'd even encourage you to take on some paid projects without follow up consequences like these ones.

It is completely up to you whether you want to keep this going or not, the report is against MyPVM for false advertising, not against you for your software or programming. I did state that making a plugin more secure than the solutions (I assume) you chose, whether it be http or sockets (who are a tiny tad harder to decode) would take a lot of work, a lot of time, and I can fully understand someone going for your solution instead, as that is what I also settled upon when making this plugin.

If you wish to continue, then my questions from previous reply stand: Why do you need to forge a certificate to read data sent through HTTPS if the certificate is already locally present.

 

RE: MyPvM - False advertising the safety of their plugin to clients

MyPvM is doing is what's shown in the video below:


It's not complex, figured I'd try to save the back and forth

Proxy server forwards the same packets to both clients
Code below is not MyPvM's, I contacted the person from Pugger's video and purchased rights to it

You can't necessarily steal credentials from how people in the thread have described, but hypothetically MyPvM could ruin something.exe and some listeners.

(removed, staff see edited)

So the claims in the report are wrong, but half-truths technically

 

The video you showed requires 2 clients open, one which actually holds the plaintext login credentials and uses them to log in, and the other one which transfers requests to that client, not to runescape directly. This has nothing to do with the plugin which the report is against, where the credentials are sent to the booster via http requests.

 

No it doesn't. MyPvM probably has their own servers and it probably runs off a local proxy server. And I'm certain this is what they are using because this is the only way you can block stuff off like trading / pins (which they are doing).

Feel free to compile it and play with it yourself

 

Rs client also holds the login fields in plaintext - you gonna report jagex too?