Public Service Announcement
When you view the "Offer Wall" (and no, I will NOT provide the link), Turbine sends the email address tied to your account as well as your DDO billing/launcher username over the Internet UNENCRYPTED.
The following was captured using an HTTP debugger:
Sent to content.turbine.com
GET /sites/my.ddo.com/ultimatepay/TurbineProvider.php?accountname=(your_username_here)&email=(your_email_here)&userid=cmpncfdk4lttt3knpehqlt3ey&hash=752c9dea8cbebedd14b69f5807b64941
As long as you are using a standard browser (IE, Firefox, Chrome, Safari, etc.), the offers do not have direct access to this information. However, that's by browser implementation. The data is still going out unencrypted.
Here's what is actually sent to get offers when you view the page:
Sent to www.ultimatepay.com (albeit over https)
GET /app/api/live/?sn=TDDO&method=StartOrderFrontEnd&display=OfferPanel&accountname=(your_username_here)&email=(your_email_here)&userid=cmpncfdk4lttt3knpehqlt3ey&hash=752c9dea8cbebedd14b69f5807b64941
At this point, Turbine has already given the offer provider your DDO account name and the corresponding email address. Expect to get spammed just for viewing the offer wall. Also, don't be surprised if your DDO account is hacked. Turbine just gave away half of the data (the username) as well as the email it's tied to.
Update: Proof this information is being used maliciously:
After viewing the Offer Wall, I personally received a World of Warcraft phishing scam email. Apparently there is enough market overlap between DDO and WoW to justify sending WoW phishing emails to DDO players. Note, I have never played WoW and do not even have an account with any of Blizzard's games.
If you receive one of these emails, IT IS NOT LEGIT - IT IS A SCAM!
Moral of the story:
1) The "Offer Wall" is bad news to even VIEW, never mind click.
2) Turbine is willing to give away your email address and account login name to known scammers and fraudsters without asking you.
3) Use strong passwords. Here's a password strength checker.
This concludes your public service announcement.
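The kind of leak described in the post can be checked for mechanically in an HTTP debugger or proxy capture. The following is an added example, not part of the original post: it flags account identifiers carried in query strings over cleartext HTTP or handed to a host outside the first-party domain. The first-party domain `turbine.com`, the placeholder values and the third sample URL are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names seen in the captured requests in the post above.
SENSITIVE_NAMES = {"accountname", "email"}
# Also catch e-mail addresses carried under any other parameter name.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def audit(urls, first_party="turbine.com"):
    """Return sorted (host, param, issue) tuples for identifiers in query strings."""
    findings = set()
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        third_party = not (host == first_party or host.endswith("." + first_party))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() not in SENSITIVE_NAMES and not EMAIL_RE.match(value):
                continue
            if parts.scheme == "http":
                # Readable by anyone on the network path.
                findings.add((host, name, "cleartext"))
            if third_party:
                # Encrypted or not, the identifier leaves the first party.
                findings.add((host, name, "third-party"))
    return sorted(findings)

# Constructed sample capture: hosts and paths follow the post, values are placeholders.
SAMPLE = [
    "http://content.turbine.com/sites/my.ddo.com/ultimatepay/TurbineProvider.php"
    "?accountname=exampleuser&email=user%40example.com&userid=PLACEHOLDER&hash=PLACEHOLDER",
    "https://www.ultimatepay.com/app/api/live/?sn=TDDO&method=StartOrderFrontEnd"
    "&display=OfferPanel&accountname=exampleuser&email=user%40example.com",
    "https://content.turbine.com/static/logo.png?v=3",
]

if __name__ == "__main__":
    for host, param, issue in audit(SAMPLE):
        print(f"{issue:12} {host:24} {param}")
```

Query strings also end up in server logs, proxy logs and browser history, so a finding for a sensitive parameter is worth reviewing even when the request itself went over https.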