    Monday, November 16, 2020

    Old School RuneScape: Have a question about the game or the subreddit? Ask away!

    Have a question about the game or the subreddit? Ask away!

    Posted: 15 Nov 2020 04:10 PM PST

    Daily /r/2007scape question thread for Monday, November 16 2020 (posted on 00:10:26 UTC - RuneScape server time)

    Ask anything about Old School RuneScape here! They are designated for you to ask anything you like that is relevant to the game or this subreddit. Remain respectful to your fellow 'scapers when answering questions; there are stupid questions, but it does not mean you should not be respectful whilst answering them.

    Click here to view the archive of /r/2007scape "ask anything" threads.

    submitted by /u/AutoModerator
    [link] [comments]

    POV you ask a reasonable question during a Jagex Q&A

    Posted: 16 Nov 2020 07:26 AM PST

    Made a post yesterday about a potential Trailblazer bug. Everyone called me an idiot, turns out I was right

    Posted: 15 Nov 2020 06:24 PM PST

    Yo I thought Woox was done with Trailblazer

    Posted: 16 Nov 2020 07:15 AM PST

    Runescape Needs a Security Overhaul - Players are in Danger - A Follow-Up Post

    Posted: 16 Nov 2020 03:01 AM PST

    As a follow-up to the unexpected success of my last post that I directed to one simple security fix, here is a wider list of grievances I have against Runescape's security practices. Jagex's security standards are far, far below average for 2020, and it's terrifying.

    • Passwords are not case-sensitive, don't include special characters and are limited to 20 characters. ---> This makes them not ideally secure against brute-force and intuitive guessing attacks. The anti-security people keep arguing it's enough entropy. The thing is, people do not make completely random passwords. People use predictable patterns and dictionary words, and likely 8-10 character short passwords. With only numbers and letters available, dictionary attacks and rainbow tables can realistically brute force accounts to a degree of success. If it can be more secure, why not have it more secure? Passwords with case-sensitivity and special characters are simple industry standards. This needs to be implemented.

    • No secure autologin feature, or passwords cannot be copy-pasted to the game client. ---> This causes people to make short passwords to be able to get in faster. People also cannot use password managers with them because of it. This highly disincentivizes the use of long, complex passwords, and incentivizes the use of short, easy-to-remember passwords.

    • Captcha testing after multiple failed logins is not implemented. ---> Aside from the failed-login lockout exploit that is currently being used by abusers to lock legitimate players out of their accounts [Link], this has more dire consequences that I did not talk about in detail in my last post. It opens up avenues for brute-forcing or intuitive password guessing even further. People think brute-forcing looks like trying every possible combination on one guy's account and waiting for forever, plus they wait for the failed-login timeout. No, a hypothetical scenario (one of many) is that a hacker can attempt to brute-force 100,000 accounts at once, using only the most common passwords, common password patterns, dictionary attacks and rainbow tables. The failed-login timeout is useless because they are targeting many different accounts, not just one. It is highly likely in that scenario that some account will be breached, even if not a specific one. Because captcha testing does not exist, there is nothing to stop (or at least frustrate) exploiters. If captcha testing existed, they would have to pay to have them solved, and then wait the ungodly amount of time it takes for 100,000 captchas to be solved. And they have to do this every few failed attempts. There are reasons that this is not being done (as far as we know) for the moment. Proof-of-work per login is required, which is the only thing Jagex uses to stop this, but it is not enough. Proof-of-work can be circumvented in various ways, given enough effort. Security needs multiple layers. Captcha testing is a massive, exponential leap in frustrating exploiters, and it is one of the easiest, simplest and most basic things that can be implemented to improve security. There is no downside when used right, because people would not see it unless they keep entering the wrong passwords. At worst, anti-security people will argue that it can be useless. But if it can be a massive help to frustrating hackers and exploiters, then there is no reason why such a basic, simple thing should not be implemented.

    • Associated email addresses to log in accounts cannot be changed. ---> This means players have fewer options to secure their accounts, or re-secure them if they are being targeted.

    • When attempting to log in with an email address, even with a wrong password, the client gives indication as to whether this email address is valid. ---> Absolutely huge problem, more than it sounds. The client can tell you that the login email is valid, but the password is wrong. It should not give any indication to either. This allows people to confirm that an email address is a valid, working one. This confirms to abusers of the failed-login lockout exploit that they are targeting a valid account. This confirms to brute force hackers that they are targeting valid accounts. This allows hackers to dig for valid Runescape emails, obtain long lists of valid Runescape emails, and then send those people phishing/scam emails.

    • Jagex customer support can literally give out people's specific email addresses associated with their accounts to anyone who asks. ---> They gave out Woox's email to a random person on his Twitch stream, who pretended to be him. And they did it within 5 hours of the account's creation. Video here: [Link]. This is absolutely unacceptable. Under no circumstances should they be given out freely. This allows hackers to target specific individuals with exploits, phishing/scam emails, and everything else I outlined here. The further implications of this are vast, but I will not delve into the tedium, because this post might become far too long.

    • There is evidence of a Jagex database breach that Jagex has not disclosed. Any or all player information might be compromised. ---> Video here: [Link]. It may or may not be true, but a big name in security has come up with the conclusion. If this is true, it must be disclosed to the public. Jagex must be transparent about the state of any breaches, as is required by law, and improve their internal security practices.

    Thank you, folks. Please help spread the word. Runescape needs a security overhaul.

    submitted by /u/AutumnElegy91
    [link] [comments]
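Two of the login-handler weaknesses the post above describes, distinguishable error messages that confirm an email address exists, and a per-account failed-login lockout that anyone can trigger against a victim, shown beside a hardened variant that returns one uniform message and counts failures per client source, escalating to a challenge instead of locking the account. This is an added illustration, not code from the post or from Jagex; the user store, salt, limits, source keying and messages are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample user store (assumption): email -> salted password hash.
_SALT = b"constructed-example-salt"


def _h(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {"alice@example.com": _h("correct horse"), "bob@example.com": _h("hunter2")}
_DUMMY_HASH = _h("never-a-real-password")  # compared when the email is unknown
MAX_FAILURES = 5  # assumed threshold before lockout / challenge


@dataclass
class LoginService:
    uniform_errors: bool = True    # hardened: same reply for unknown email and wrong password
    lock_per_source: bool = True   # hardened: count failures per client source, not per account
    failures: dict = field(default_factory=dict)

    def login(self, email: str, password: str, source_ip: str) -> str:
        key = source_ip if self.lock_per_source else email
        if self.failures.get(key, 0) >= MAX_FAILURES:
            # Weak: the victim's account is locked for everyone, including the owner.
            # Hardened: the offending source must pass a challenge (captcha, step-up) instead.
            return "challenge required" if self.lock_per_source else "account temporarily locked"
        record = USERS.get(email)
        # Always hash and compare so unknown and known emails take the same code path.
        ok = hmac.compare_digest(record if record is not None else _DUMMY_HASH, _h(password))
        ok = ok and record is not None
        if ok:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.uniform_errors:
            return "invalid email or password"
        # Weak: this pair of messages lets a caller confirm which emails are registered.
        return "wrong password" if record is not None else "unknown email"
```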

    I :) love :) the :) chaos :) altar :)

    Posted: 16 Nov 2020 07:04 AM PST

    not sure why people recommend nmz training?? xp rates are terrible

    Posted: 16 Nov 2020 12:29 AM PST

    Petition to allow adding a rock hammer to slayer helm, so we can headbutt gargoyles to death. ty

    Posted: 16 Nov 2020 08:07 AM PST

    sign here, thank you guys.

    submitted by /u/ufxrs3
    [link] [comments]

    See y'all back in the real world January 6th!

    Posted: 16 Nov 2020 10:18 AM PST

    Wanted to understand why the dragon pickaxe was so damn expensive. Came across this post and insanely underrated comment

    Posted: 16 Nov 2020 12:08 AM PST

    The weird shit you see in Kraken Cove

    Posted: 16 Nov 2020 06:56 AM PST

    I have been a F2P player for twelve years. I became a member for this league. I just got my first abyssal whip, fulfilling a childhood dream

    Posted: 16 Nov 2020 08:26 AM PST

    these names are getting ridiculous now

    Posted: 16 Nov 2020 07:27 AM PST

    Trailblazer map by Mod West, including a Desert Expansion?

    Posted: 16 Nov 2020 06:17 AM PST

    Mounted my kq head

    Posted: 15 Nov 2020 04:07 PM PST

    *sits down to play a 20 year old Java game*

    Posted: 15 Nov 2020 02:50 PM PST

    Anon gets ripped off

    Posted: 15 Nov 2020 06:04 PM PST

    Ridiculous coincidence!

    Posted: 16 Nov 2020 10:47 AM PST

    Change the maximum amount of people on ignore list to 2,147,483,647 in order to accommodate for the spam.

    Posted: 16 Nov 2020 09:45 AM PST

    I want to be able to brag about my ignore list!

    submitted by /u/Hairy_Balsagna
    [link] [comments]

    me: "I'm glad I picked eternal jeweler", also me:

    Posted: 16 Nov 2020 07:28 AM PST

    stolen

    Posted: 16 Nov 2020 07:25 AM PST

    Daily reminder to remove the Duel Arena

    Posted: 16 Nov 2020 05:05 AM PST

    It's about time.

    submitted by /u/faether23
    [link] [comments]

    The power of our community reaches Runescape 3!

    Posted: 16 Nov 2020 06:29 AM PST

    After 14 Years and 6 Failed Attempts... I Finally Killed Jad!

    Posted: 16 Nov 2020 10:10 AM PST

    When I was a kid playing runescape, I saw this slab with a Black Mask indent on it. The first time I got a Black Mask, I remember trying to interact with it as if it would unlock something new. Have you ever had a moment like this as a kid? If so, what was it?

    Posted: 15 Nov 2020 02:10 PM PST
