Nexon’s MapleStory: How to reset PIC with just username and password

Nexon.net is one of the most “successful” online gaming companies in America. Their hit, MapleStory, was once owned by Wizet, a great company that sold it to Nexon when it was transferred to America, or Global. These guys make tons of money every day but have a terrible investment process. Their customer support sucks ass. It will take literally 2 weeks to a month to receive a reply from a Game Master (GM) or a technical person. Whenever they patch their games, it will usually take them longer than expected to complete their patches. If you look at the “Update” log on their website, you will notice every notice is “extended”. Profoundly, I’ve notified them about many exploits in the past and they will still take 3 weeks to respond to me. Seeing this as a risk (and the fact that I don’t play their games anymore), I’ve decided to go ahead and release this exploit because 1) they don’t have a security team, 2) they lack customer support, 3) you kids.

A multimillion dollar company with a two dollar customer support system. Yeah really.

Anyways, let’s get to the good stuff shall we?

Programs used:
Mac OS X (you can use Windows)
TextEdit/NotePad
Firefox
FF Plugin: Live HTTP Headers

That’s it. Simple eh?

Now to do this, you’ll need two accounts: one that you have access to, and the other is the one you are trying to reset.

Head over to nexon.net and login with the account you have email access to.

Go to your account information page where the “PIC/PIN” reset button is. Open Live HTTP Headers.

Have a clear page for Live HTTP headers (click clear duh) and then click the Reset PIC/Pin Button.

After you do that, look at Live HTTP Headers and look for a POST output that says something like

POST /MP.ASPX?PART=%2fMyMaple%2fModifyPrivacy HTTP/1.1

Click the replay button and copy the first and bottom text boxes into notepad/textedit.
The box should look something like this if you’re wondering

Now close Live HTTP Headers and log out of that account.

Log in to the account you’d like to reset the PIC for and head over to the info page. Load Live HTTP Headers again, clear any info and hit the reset button. Look for the same POST info and hit replay.

Here’s where the magic happens:

Replace everything in the SECOND box with everything you copied from notepad. In the first box, look for something that says “NPP=NP12:authblahlblablah…==;” session= username;

Change session to the username you logged in with before, replace the NPP information stuff with the things you wrote from notepad, and press replay.

Check your email, yay for reset huh? Now this just resets back to the original PIN (or 0000 sometimes, weird) so you’ll still have to know the PIN to access the account.
If you look at the page, you’ll see the info of the account you know show up, but if you refresh, it’ll be the one you logged into.

Yet another flaw on Nexon’s part for poorly underpaying their Korean workers.

Now you may have to fiddle around with the header information but as of Feb 27, 2010, this exploit works and took me 10 minutes to find. Don’t ask me to help you because I won’t and yes, I’ve sent this into Nexon on Feb 24, 2010 but have received no replies so all is fair until I get that DMCA right?
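
Added example, not from the original post or from Nexon's code: the post does not show the server side, so this sketch assumes the flaw belongs to the class where a reset handler verifies one credential but then acts on other identity fields the client can edit. `NPP` and `session` are the cookie names from the post; the `account` form field, the token format, the key and the accounts are hypothetical and constructed for the demo.

```python
import hashlib
import hmac
from typing import Optional

SERVER_KEY = b"constructed-demo-key"          # constructed; a real key is random and secret
ACCOUNTS = {"alice": "alice@example.test",    # constructed accounts: username -> e-mail
            "bob": "bob@example.test"}

def _mac(username: str) -> str:
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()

def issue_token(username: str) -> str:
    """Stand-in for the NPP auth cookie: a value bound to exactly one username."""
    return f"{username}:{_mac(username)}"

def token_owner(token: str) -> Optional[str]:
    """Return the username the token was issued to, or None if it does not verify."""
    username, _, mac = token.partition(":")
    ok = hmac.compare_digest(mac.encode(), _mac(username).encode())
    return username if ok and username in ACCOUNTS else None

def reset_weak(cookies: dict, form: dict) -> Optional[dict]:
    """Assumed flaw class: the token only gates entry; the action then trusts
    identity fields the client can edit (session cookie, form field)."""
    if token_owner(cookies.get("NPP", "")) is None:
        return None
    return {"reset": form["account"], "mail_to": ACCOUNTS[cookies["session"]]}

def reset_hardened(cookies: dict, form: dict) -> Optional[dict]:
    """Identity comes from the verified token only; disagreeing fields are rejected."""
    owner = token_owner(cookies.get("NPP", ""))
    if owner is None:
        return None
    claimed = {cookies.get("session", owner), form.get("account", owner)}
    if claimed != {owner}:
        return None   # mismatch: worth logging as a tampering signal
    return {"reset": owner, "mail_to": ACCOUNTS[owner]}

# Constructed requests: one consistent, one whose fields name two different accounts.
consistent = ({"NPP": issue_token("bob"), "session": "bob"}, {"account": "bob"})
mixed = ({"NPP": issue_token("alice"), "session": "alice"}, {"account": "bob"})
```

The hardened handler never reads the target account from the request; it only uses the request's identity fields to detect disagreement, which is also the event a monitoring rule would alert on.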

4 Comments

  1. Jigga
    Posted August 14, 2010 (4 weeks ago) at 10:34 pm | Permalink

    i cant open maple now

  2. elaine
    Posted August 17, 2010 (4 weeks ago) at 12:01 am | Permalink

    it doesnt work for me
    i cannot find the “POST /MP.ASPX?PART=%2fMyMaple%2fModifyPrivacy HTTP/1.1 ”
    and i am confused as to where my account info page is on nexon.net
    when i try to access my account info page in order to get the PIC/PIN RESET button, my browser leads me to http://www.maplestory.nexon.net.. which is NOT the same browser you are on
    please help me with this issue

  3. Brian
    Posted September 1, 2010 (2 weeks ago) at 11:38 pm | Permalink

    Hello. I was wondering if you could help me with something. I use MobileMe for my email, and I am trying to recover my nexon password, but it’s not sending me the email, or I’m not getting it. Is there anything I could do to speed this up?

  4. Daniel Seripap
    Posted Yesterday at 2:19 am | Permalink

    @Elaine, No I cannot help you

    @Brian, MapleStory is email racists, use gmail.
