The point for me is that it is completely unnecessary for them to write out the password. It’s a log file that is recording your username and password every time you log in. You can delete it and the installer still works. It’s low risk. The ATS website does not hold any of my personal information, not even my address, and all my payments have been through PayPal with 2-factor authentication. So not much chance of any damage being done to me. The worst that can happen is someone gets into my account and downloads a route. If you use the same password for other things, then that is your problem. However, having unencrypted passwords in plain text is just plain bad. Passwords are meant to be secure for a reason. I personally wouldn’t leave any passwords in plain text for anything. I’m going to raise a ticket to ATS and question this. I suspect I’ll just get a response telling me to delete the file, or maybe no response at all (though they normally do reply). I appreciate it being raised here.
Maybe I'm using the wrong term. But that doesn't change the point. "Phishing is a form of social engineering and scam where attackers deceive people into revealing sensitive information[1] or installing malware such as ransomware." If someone is known to be an ATS subscriber, being able to get something installed on that user's computer can give the attacker access to the credentials for that subscriber's account. The attacker can then log in (likely masking via a VPN) and download everything for free, including anything additional that the user has purchased. It all installs as if the hacked user was downloading it. Imagine if that attacker shares the files elsewhere. The user whose account was used - the actual victim - would be seen as the one doing bad things and possibly have themselves banned, and we don't know if that password might otherwise protect banking information or anything else on that device that is now open to hacking by the attacker as well. Tiger is right that it's the user's fault if passwords get reused on multiple accounts. Password managers can help, or you can keep a manual notepad log of your passwords. But if someone gets into your computer and gets access to unencrypted passwords, that is the problem here.
All true. All incredibly unlikely. The real issue, as others pointed out, is that it's bad practice, and not that anyone is at serious risk of having their password compromised by this particular flaw.
People get fooled and tricked permanently. Many don't have a clue what they're doing, clicking Yes and Allow on each request a website presents to them. I fixed a lot of neighbours' PCs and all I could do was tell them "watch what you're clicking!", use NoScript, use Linux. You're only safe if you're blocking all Javascript. And the fact that ATS content is immediately available from Russia (they have the specialists who managed to inject large-scale ransomware into international company networks, the Conti Group) only means that they got account data already. Of course ATS is a small fly; that doesn't change the fact that security risks must be reported and not trivialized.
Maybe not. But the fact that it happens at all is the risk, and shows the level of care that ATS has. As I said, when stealing is safer than purchasing, that's a bad sign. I don't say any of this as an attack against ATS or anyone there, either. I've been around the Internet block a few times. Hell, I took part in Yahoo! Clubs and Yahoo! Games back in the day. I even found myself easily manipulated in one of those Clubs; someone put my e-mail address on an account, made me an admin, sent out a group message stating I was taking over, then complained that I hacked the community. I didn't, but my account got shut down anyway and they refused to help me when I called and complained (you were able to call people back then). Ignore the fact that I had to set up an autoreply to explain that the group owner actually sent the e-mail and I was not connected to the account used in this endeavour. I did everything right but still lost my account because someone didn't like me and wanted me to suffer. I have seen a lot of things over my Internet lifetime. I'm saying ATS is doing a bad job from a security standpoint.
Just as a follow up - I raised a ticket to ATS regarding the password being in plain text on Friday. Just got a notification that it's been fixed. Tested it myself and you need to delete the existing file first as existing entries are not removed. When you run the installer again, then the password is no longer readable. So thanks to Spikee for finding it. While I don't consider it a high risk, it's not good to have plain text passwords anywhere.
C:\Users\New User\AppData\Roaming\ats-launcher-js\Local Storage\leveldb, which file do we delete? Tigert1966
The one that is just a number. Mine was 00003. But to be sure view it in Notepad and if you see your password in the file, then that is the correct file. Doing the above is at your own risk. It worked fine for me, but if you want an official answer, contact ATS support.
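The manual check in the post above (open the numbered file in Notepad and look for your password) as a small added script. This is example code written for this thread, not code from ATS or from the launcher's developer, and it assumes nothing about the real file layout: the folder it builds when run without arguments is a constructed stand-in, and the real check is done by pointing it at a directory you own. It also looks for the UTF-16 form of the text, which Chromium-style Local Storage can use and a plain Notepad search can miss, and it reads the secret with getpass rather than from the command line so it does not land in shell history.

```python
"""Find files under a directory that contain a known secret in plaintext.
Added example for this thread; not the launcher's own code."""
import os
import tempfile

# Encodings in which a credential may be written out verbatim. Assumption:
# both single-byte text and UTF-16LE are worth checking, because Chromium-style
# Local Storage (the leveldb folder named in the thread) can store values as
# UTF-16LE, which a Notepad search for the plain string will miss.
ENCODINGS = ("utf-8", "utf-16-le")


def file_contains_secret(path, secret):
    """Return the list of encodings in which `secret` occurs verbatim in `path`."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [enc for enc in ENCODINGS if secret.encode(enc) in data]


def find_files_containing_secret(root, secret):
    """Walk `root` and return {relative_path: [encodings]} for every file that
    holds `secret` in plaintext. The secret itself is never printed."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found = file_contains_secret(full, secret)
            if found:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits[rel] = found
    return hits


def build_constructed_sample(base_dir, secret):
    """Create a CONSTRUCTED stand-in for a leveldb Local Storage folder.
    File names and contents are made up for this example, not copied from the
    real launcher. Returns the directory to scan."""
    store = os.path.join(base_dir, "Local Storage", "leveldb")
    os.makedirs(store, exist_ok=True)
    samples = {
        # a write-ahead log holding the credential as single-byte text
        "000003.log": b"\x01app-login\x00\x01password\x01" + secret.encode("utf-8"),
        # a table file holding the same credential as UTF-16LE
        "000004.ldb": b"\x00" + secret.encode("utf-16-le"),
        # leveldb bookkeeping files with nothing sensitive in them
        "MANIFEST-000001": b"no credentials here",
        "CURRENT": b"MANIFEST-000001\n",
    }
    for name, content in samples.items():
        with open(os.path.join(store, name), "wb") as fh:
            fh.write(content)
    return store


def run_demo(stored_secret="hunter2-example", searched_secret=None):
    """Build the constructed store, scan it, and return the hits.
    `searched_secret` defaults to the stored one; pass a different value to
    confirm that unrelated text produces no hits."""
    searched = stored_secret if searched_secret is None else searched_secret
    with tempfile.TemporaryDirectory() as tmp:
        store = build_constructed_sample(tmp, stored_secret)
        return find_files_containing_secret(store, searched)


if __name__ == "__main__":
    import getpass
    import sys

    if len(sys.argv) > 1:
        # Real use: point at a directory you own; the secret is read without echo
        # so it does not end up in shell history or process listings.
        secret = getpass.getpass("Secret to look for (not echoed): ")
        for rel, encs in find_files_containing_secret(sys.argv[1], secret).items():
            print(f"{rel}: plaintext in {', '.join(encs)}")
    else:
        # No arguments: demonstrate on the constructed sample store.
        for rel, encs in run_demo().items():
            print(f"{rel}: plaintext in {', '.join(encs)}")
```

Run with no arguments to see it flag the two constructed files and ignore the bookkeeping ones; run with a directory argument to check a folder on your own machine. It reports only file names and the encoding matched, never the secret.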
This is no different to the Steam application which is also linking to installed files and validating. Would we also say Steam is phishing? By deciding to use a piece of software which helps autoupdate you have technically agreed to the contract and analysis of that piece of software. Not spyware. An agreed level of service. If you do not trust the supplier (ATS, Steam or any other provider of software e.g. Microsoft) then just don’t enter into the contract. I personally have found the ATS vehicle to be beneficial. I have all of their working timetables and product and am very pleased with them. Others can have their own opinion. Respectfully
Does the Steam client also store account info/password details in plain text? I think this is something that would have been picked up long ago and likely caused an uproar if that were the case.
This sounds more like a security issue rather than spyware. I keep all of my ids and passwords all different so if I have leakage from one vendor it does not affect another financial stream. Respectfully
It doesn’t - and neither does the ATS installer anymore. By the speed at which they fixed it, seems they were unaware and got it resolved quickly. Also, ATS, at least for me doesn’t hold any personal details apart from my email address. Not even my address. So what could they do? At worst download my content. At best maybe a nice hacker would buy me a DLC or two. Unlike Steam who keep trying to save my Credit Card Info every time I make a purchase by defaulting the check box. All a bit of a non event. Spikee found it. I thought it was bad. So I raised a ticket and politely told them so. They fixed it. Now whether you like the installer or indeed ATS is up to you. I personally hate it, I hate Steam as well and any similar system that doesn’t let me download my own back up, but I use them because they are the only option. In the case of ATS, I really like some of their products, so I’ll live with it.
That txt file on users' PCs is one thing. But nobody here knows what is lying on the ATS servers. Much more of that unprotected personal data? More unencrypted passwords? And bank data? That would be much more fatal. A website where people can buy stuff is way more of a target with "useful" data than a single PC of somebody. We all know that even big companies get data leaked (YT, Telekom, Facebook, ....), and we can assume they have much more capable people to ensure data security.
Rubbish. I know exactly what they hold about me, because I entered it. They have my name and my email address. No payment info or even my address. If you buy stuff, the payment is done through PayPal.
If they are storing unencrypted passwords on their end, that is a huge security issue indeed. And I don't think that is being properly protected. It's ripe for hacking IMO. And that worries me.
It would be bad, but being as they don’t store any personal or payment information, I fail to see what the risk is other than someone downloading my DLC?
Not really that worried to be honest. Wouldn’t be hard to regain access and as I’ve pointed out twice now. I’ve never entered any personal details other than my name and email address. Each to their own and I respect anyone’s choice to use the site or not, but for me a small train simulator site that only holds my name and email address is not the biggest worry I have about my data on the internet. To get sidetracked a bit - I once went to a presentation where they showed how much information was publicly available just from scanning social media and that honestly scared me - there were some people that you could pretty much work out answers to any security questions that might be asked. That was a few years ago now. With AI and ever increasing amounts of data out there. There are a lot worse things to worry about than ATS. Rightly or wrongly I still assume that they are secure - mainly because when I raised a ticket for what Spikee found they told me they were looking to introduce 2 factor authentication, so they at least are considering security.
Or more, the discontinuation of it. It's the biggest annoyance I have with ATS products. Getting rid of it is a long time overdue.
Some users famously boycotting the launcher can now come back to enjoying the latest ATS items... not sad or happy about it being phased out. I hope the new way will work well.
I think I was misreading the text as it said the Launcher was available to download. If they get rid of it I might purchase some things - like the Northampton Loop - from them.
The Northampton Loop does look good, but £13 might be a little bit too much. It all depends on the scenery quality, and how well it blends in with the existing DTG scenery. The Reigate extension Rivet made for the Brighton Main Line was mediocre but mostly blended in well with the rest of the route. It certainly wasn't as bad as the Steam reviews would make it seem, and quite a bit better than the hilariously bad TSW version. One annoyance with the Northampton Loop is that as it doesn't use a cloned version of the original route, there is a small possibility that scenarios could be broken by it, and the route will need to be reinstalled after a file verification. At least the installers (assuming the new ones will be the same as the ones from before the ATS Launcher was introduced) don't require product keys and didn't have (heaven forbid) a limited number of installs like K-Trains and SSS have.
And, if I may say so, good riddance. It's the worst idea since the guy who said we don't need sliced bread.
When I use the link in the ATS post I get the version 1.5.6 launcher. But on the website is an article "ATS Launcher updated to Final Build V2.2.2". When installed, in the program at the bottom right it shows v2.2.2 Final Release. So why the heck is the setup exe named with such a totally different version? That's one of the reasons I don't like this stuff, if they can't even name files in a way that lets people know what they are getting.
I experienced the same confusion with 1.5.6 being named 2.2.2. It looks no different from the previous version. As per the ATS web site.... More to come!
The project overall had a lot of potential and, as the developer who was commissioned to develop it, there's a lot I would do differently, but unfortunately a lot of timescales just stopped it from reaching its true potential. As they now go back to separate installers, hopefully a lot of the usefulness of the launcher can be integrated into those to allow for quicker distribution of products without having to rely on one person to constantly manage it, change code etc. At the end of the day I do hope that they just don't blame the Launcher and look to improve their own internal workflows to allow for an even smoother customer experience. Wish them all the best with their ventures moving forward. - Kieran
When it comes to ATS I'm as cynical as a cynic O-D'ing on cynicism but "At the end of the day I do hope that they just don't blame the Launcher" sounds too much like a subtle dig without being a barbed comment.
Unfortunately certain individuals at ATS have already done that. It is what it is at the end of the day; they have all the code and can do as they wish. Ultimately it's a complicated bit of kit to maintain, so I'd understand that they probably just want to start afresh rather than learn existing software that in reality they may or may not struggle to maintain in the long term. Wish them all the best tho!