Lestrade 尚

  • I'm Share-Locked
  • Administrator
  • Posts: 924
  • Trades: 132
Indiegala
Have you guys noticed how Indiegala changed their bundle gift system..? They recently started sending out passwords in addition to links. Then yesterday they started sending passwords by e-mail for EVERY gifted bundle, even the old ones.
I had to ask my previous bundle provider to fetch 12 passwords for me... Not fun for him, or me. I did about 50 bundles, took me an hour, thank you Indiegala. :-/
I know it's for our security, but... Really, can't they do like HB and allow us to link a gift to our account..?

Pika! Pika!

  • Newbie
  • Posts: 29
  • Trades: 40
Re: Indiegala
« Reply #1 »
Quote from Lestrade 尚 on November 12th, 12:14 PM
Have you guys noticed how Indiegala changed their bundle gift system..? They recently started sending out passwords in addition to links. Then yesterday they started sending passwords by e-mail for EVERY gifted bundle, even the old ones.
I had to ask my previous bundle provider to fetch 12 passwords for me... Not fun for him, or me. I did about 50 bundles, took me an hour, thank you Indiegala. :-/
I know it's for our security, but... Really, can't they do like HB and allow us to link a gift to our account..?

I am having the same issue and I am actually about to stop using Indiegala altogether if they do not stop this. It does not even increase security as now everyone is inclined to generate all the keys and store them in Excel or Word which makes them more susceptible to getting lost or stolen, but hey... at least this way it is not Indiegala's problem...

I bought probably around 2500 keys from Indiegala and only in one instance did it appear that a key was compromised (and there is still no absolute certainty that it was due to malicious users/bots). In case of DIG for example it once happened that DIG accidentally sent out already sold keys.

Lestrade 尚

Re: Indiegala
« Reply #2 »
No, it makes sense security-wise...
Because apparently anyone can access an IG gift link page if they have the URL, it would make sense to try & brute-force guess page URLs. It means it's taxing on their servers. Forcing a password means even more complications (plus it's in JavaScript IIRC so a bot will have more trouble with it.)

What I'll probably do though, eventually, is move away from my current solution (storing all of my bundle gift URLs in a text file alongside the associated password), and just reveal all keys and store them. Why? Because if the gift page is protected, you can be certain no one can 'steal' unredeemed revealed keys. As for key security, remember that there's something like a billion billions of possible valid Steam keys, *and* Steam only allows you to test a dozen keys or something before they lock you out of redeeming keys for an hour, and I can imagine they'd lock you for a longer time if you kept trying out fake keys... Even if 100M+ people were trying keys at the same time, it's unlikely anyone together would even find ONE valid key...

tl;dr: the password system is okay but they should really consider just limiting access to the account associated with the e-mail address (if any), or the first account to log into the bundle gift page. The 'safe' solutions are to either store your password alongside your bundle link in a text file, or simply reveal all keys, store them in a text file, and never come back to that page.