Crash report sends password to anet?

in Bugs: Game, Forum, Website

Posted by: Oxylus.7985

My game client just crashed (Windows 10, 64 bit client), and I took a look at the details of the crash report and it included the full command line, which in my case includes -email and -password (for auto login). Sanitized output below:

Anet – please tell me your crash reporter does not send my password to you in plaintext?

*--> Crash <--*
Assertion: Validate(id) 
File: ..\..\..\Engine\Frame\FrMsg.cpp(604)
App: Gw2-64.exe 
Pid: 9600
Cmdline: -email user@domain.com -password <my_actual_password> -nopatchui
BaseAddr: 00007FF6A2820000
ProgramId: 101
Build: 78457
When: 2017-06-24T14:45:23Z 2017-06-25T00:45:23+10:00
Uptime:   0 days  2:09:37
Flags: 0

Posted by: Inculpatus cedo.9234

They already have your password. One of the warnings given about using that command line argument is that it makes your password and email visible.

For an individualized official response, you can contact the CS Team via the ‘Support’ link above/below.

Good luck.

Posted by: Stitch.1794

You also shouldn’t need to use the -password or -email command line options (unless you’re using it to switch between multiple accounts on one computer).

To log in automatically without having your password in plain text on the command line, put -autologin to the command line instead. As long as the ‘Remember Account Name’ and ‘Remember Password’ boxes are ticked in the launcher, it will log you in automatically.

Posted by: Oxylus.7985

I have multiple accounts, hence -password and -email.

Yes, doing this is extra risk, but a crash reporter sending the full command line without cleaning up fields it knows are sensitive is sloppy.

Also I would hope that Anet do NOT store my password. They should be storing a salted hash of my password (seems they bcrypt from reading the crash log), not the password itself.

Besides that, my login data would be on a secure system without general access, while a crash report would be sent to their QA system. I expect the security levels of these two systems to be very different.

Not to mention there are plenty of cases of people pasting the crash logs to the official forums or reddit – if someone did that without realising the command line is included in the crash output it would be Very Bad.

As an aside, wonder if GW2 needs to comply with GDPR and what (if anything) Anet are doing about it.

Posted by: Crycerasobs.7864

o_o I’m not sure about how the crash reports work and who has access to them and stuff, but that is…yikes

Why would they even need that?

Posted by: Inculpatus cedo.9234

> I have multiple accounts, hence -password and -email.
>
> Yes, doing this is extra risk, but a crash reporter sending the full command line without cleaning up fields it knows are sensitive is sloppy.
>
> Also I would hope that Anet do NOT store my password. They should be storing a salted hash of my password (seems they bcrypt from reading the crash log), not the password itself.
>
> Besides that, my login data would be on a secure system without general access, while a crash report would be sent to their QA system. I expect the security levels of these two systems to be very different.
>
> Not to mention there are plenty of cases of people pasting the crash logs to the official forums or reddit – if someone did that without realising the command line is included in the crash output it would be Very Bad.
>
> As an aside, wonder if GW2 needs to comply with GDPR and what (if anything) Anet are doing about it.

Here’s the information on ArenaNet’s Privacy Policy, including addresses to contact them should you have any questions/concerns: https://www.guildwars2.com/en/legal/arenanet-privacy-policy/

Good luck.

Posted by: shadow.6174

> o_o I’m not sure about how the crash reports work and who has access to them and stuff, but that is…yikes
>
> Why would they even need that?

It’s not that they need that, it’s just that Crash Report just copies the whole command line used to run the game. Wiki even warns that using that param could reveal your password in plain text.

Posted by: Crycerasobs.7864

> > I have multiple accounts, hence -password and -email.
> >
> > Yes, doing this is extra risk, but a crash reporter sending the full command line without cleaning up fields it knows are sensitive is sloppy.
> >
> > Also I would hope that Anet do NOT store my password. They should be storing a salted hash of my password (seems they bcrypt from reading the crash log), not the password itself.
> >
> > Besides that, my login data would be on a secure system without general access, while a crash report would be sent to their QA system. I expect the security levels of these two systems to be very different.
> >
> > Not to mention there are plenty of cases of people pasting the crash logs to the official forums or reddit – if someone did that without realising the command line is included in the crash output it would be Very Bad.
> >
> > As an aside, wonder if GW2 needs to comply with GDPR and what (if anything) Anet are doing about it.
>
> Here’s the information on ArenaNet’s Privacy Policy, including addresses to contact them should you have any questions/concerns: https://www.guildwars2.com/en/legal/arenanet-privacy-policy/
>
> Good luck.

I’ve never read that in full, yikes there’s a scary amount of tracking that they do

Posted by: Oxylus.7985

Looks like this was fixed in a recent build. Password is now starred out.

Would be nice if they acknowledged the report.
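
Added example, not part of the thread and not ArenaNet's code: one way a crash reporter can star out credential values in the `Cmdline` field before the report is written or sent. The flag names `-password` and `-email` come from the thread; the function names, the fixed-width mask and the decision to mask the email as well are assumptions, and the quote handling is a simplified form of Windows argument parsing.

```cpp
// Added example, not ArenaNet's code. Flag names are from the thread; the
// function names and masking policy are assumptions.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Split on whitespace, keeping "double quoted" runs in one token so a quoted
// password containing spaces is masked whole. A quote preceded by an odd
// number of backslashes is a literal quote and does not end the run.
static std::vector<std::string> split_args(const std::string& cmdline) {
    std::vector<std::string> out;
    std::string cur;
    bool in_quotes = false;
    std::size_t slashes = 0;
    for (char c : cmdline) {
        if (c == '"' && slashes % 2 == 0) in_quotes = !in_quotes;
        slashes = (c == '\\') ? slashes + 1 : 0;
        if (std::isspace(static_cast<unsigned char>(c)) && !in_quotes) {
            if (!cur.empty()) { out.push_back(cur); cur.clear(); }
        } else {
            cur += c;
        }
    }
    if (!cur.empty()) out.push_back(cur);
    return out;
}

// Replace the token after each sensitive flag with a fixed-width mask, so the
// report leaks neither the secret nor its length. The token after the flag is
// always masked, even if it starts with '-', so the redaction fails closed.
std::string redact_cmdline(const std::string& cmdline) {
    static const std::set<std::string> sensitive = {"-password", "-email"};
    std::string out;
    bool mask_next = false;
    for (std::string tok : split_args(cmdline)) {
        std::string key = tok;
        std::transform(key.begin(), key.end(), key.begin(),
                       [](unsigned char ch) { return std::tolower(ch); });
        if (mask_next) { tok = "********"; mask_next = false; }
        else if (sensitive.count(key)) mask_next = true;
        if (!out.empty()) out += ' ';
        out += tok;
    }
    return out;
}

int main() {  // constructed sample in the shape of the Cmdline field above
    std::cout << redact_cmdline("-email user@domain.com -password hunter2 -nopatchui") << "\n";
}
```

Redaction belongs at the point where the report is assembled on the client, so the same masked text is what appears in the details dialog, in any local log file, and in what is uploaded.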