3Likes+111111111 repOriginally Posted by ManWitDaPlan
I don't understand why trolls keep trying to blame legitimate users when this is clearly a widespread issue.
+111111111 rep
I don't understand why trolls keep trying to blame legitimate users when this is clearly a widespread issue.
I'm getting a little sick of this whole ordeal.
Being blamed for the compromised account and unable to play the game for 3 going on 4 days.
No official word from the dev team.
The praised coin lock feature which was obviously rushed out the door ahead of schedule and not working and impeding legitimate users from accessing the code in their emails.
I love this game and Trion's handling of the community up to this point but as of right now i cant play the game i paid for. This is not so much a rage post as it is a depressing and sad one
It is seriously making me reconsider putting up with all this.
hey, i didn't know where to post this so here it goes:
i am one of the unfortunate that got my account hacked, my lvl 50 mage lost all his gear and money.. all i got from contactic a GM was a reference number..
so when can i expect my character to be reset and be playable again?
Because people often get mentally "stuck" into a specific viewpoint that a sudden deviation from the norm won't fit, and try to force the deviation to fit the norm instead of adapting to the change. You can't have tunnel vision if you do any sort of work in IT security, as that leaves you blind to the threat you don't expect. Such I suspect is the case with Rift - Trion obviously built its authentication system without any consideration for what would happen if it's attacked, and once it was, that was it.
I have shareware applications on the intarwebs that have been "in the wild" yet uncracked, for years. Why? Because I built my protection around the "how would I attack this?" approach.
Yes, you keep saying that, and there have been some people claiming that they can log in again if on their own PC without re-entering their user id and password. No one has yet shown that they have an attack that can work remotely.
The unfortunate truth is that the majority of hacks are normally from key loggers and the like. There have even been a number of people who have had the balls to include the fact that they did have a key logger that their AV did not originally find.
I am not saying that Trion do not have a security hole, most security system have (at the very least) theoretical, if not always practical, security holes. I am, however, saying that there has been way too much in the way of unsubstantiated accusations going on. This is especially true considering the nature of some of the current attack vectors out there with popular software such as Flash.
C.
This is meant to be entertainment, not a life substitute. (lordofeyes)
Disclaimer:
These opinions are my own. I reserve the right to sprinkle the odd fact in amongst my opinions to confuse the reader.
I can tell you this much:
If you gave me the key they're using to sign stuff, I'm pretty sure I could log in on any account. Without knowing the email address or password. (I wouldn't know which account, but why would the attackers care?)
It's not really unsubstantiated. It's not proven, but... They have an authentication mechanism of a type known to be vulnerable to attacks, it has at least one of the bugs that would be necessary for an attacker to exploit this, and there's other evidence that some of the system has, at the least, not gone through a thorough security audit. (e.g., the custhelp site using http: and submitting passwords and account names in cleartext).I am not saying that Trion do not have a security hole, most security system have (at the very least) theoretical, if not always practical, security holes. I am, however, saying that there has been way too much in the way of unsubstantiated accusations going on. This is especially true considering the nature of some of the current attack vectors out there with popular software such as Flash.
That, plus the number of people who actually do run the sorts of security stuff that would normally be needed to catch or prevent these attacks, or who only play RIFT on a dedicated gaming machine that does nothing but play games, and who are getting hit anyway, sort of leads to the suggestion that the exploit is, at the very least, worth considering as an explanation.
6 days, 3 tickets and 2 phone calls and my character is still naked. **** normal circumstances. This is horrible service. For all of you out there waiting for someone to take care of your problem don't bother. I'm going to go play naked and just get new gear. I wish I would have come to this decision sooner. The GMs wont help you. For those of you who already got all their stuff back I don't know how you did it but that's awesome.
i keep having to log in the lock code as well. Comcast and at&t wireless modem for laptop. i dont mind the concept but it needs work
When all is said and done ... too much is said than done.
Rome wasn't created by meetings. They did it by killing their enemies.
I did say it should not be ruled out, but the amount of ranting that has gone on from some other people is beyond a joke. It is absolutely worth considering, but there needs to be someone reputable claiming an authentic break in Trion's authentication mechanism that can be used remotely - not on your own PC.
With all the self-proclaimed security experts out there I am sure there must be someone capable of doing it in 5 minutes.
The reality is that even security 'experts' get their accounts compromised because they have a lax moment, or encounter a zero day attack delivered by a popular site that they visited. This too cannot be ruled out.
The real problem here is that there will be several attack vectors going on. If I was going to have a sneaking suspicion I would say one of them had to do with people keeping the same passwords from Beta and their being an issue with one of the Beta clients if this was on Trion's end.
C.
This is meant to be entertainment, not a life substitute. (lordofeyes)
Disclaimer:
These opinions are my own. I reserve the right to sprinkle the odd fact in amongst my opinions to confuse the reader.
Ok before leaving for the weekend here what i found after some packets decoding!
Basically, the patcher/launcher is negociating your credentials, in pure HTTPS over an auth-server somewhere at trionworlds, which is perfect at this point. No way someone is stealing password over a HTTPS communication, that's WAYYYY too much complicated.
On the other, once you're logged into the launcher/patcher, it shows some patch notes etc... runs some updates if needed and then allow to run the game!
How they do this exactly?
They use what we can call a "token", basically they don't want to use HTTPS for all the communications, since HTTPS add a load on all communications, and could make the game more lagging and more demanding on server side, and honestly it would be stupid to encrypt all traffic!
They're sending for each packet an authentication token, which include some informations:
1. Your email
2. A big string of random chars (that string is reused in ALL communication with Trion so i'm guessing this is where they hide your password and authentication credentials)
3. IP address
4. Token date creation
5. Token date expiration
From now, i don't want to go further, cause that would be against the TOS, and that's really not my objective here, i just needed to clarify something with all of you!
EDIT: At this point i don't know if it would be possible to change these info and inject some packets in there to gain access to others account without password, that's outside my scope!
- Trion databases haven't been compromised
- Your credit cards are secured
- Trion ARE working on the issue
- There's people who's account got hacked because of them not being careful
- There's people who's account got hacked for unknown reasons (yet)
I want to stipulate here, that the Trion manage the auth/negociation is perfectly normal, and it's the way MOST software do it, you encrypt the user/pass exchange, and then only pass a token that shows that you're the right person.
I'm not a big fan of really big scale hacks going on here, cause even mmo's hacking can give good revenue, it's not worth it, think about the real spam industry (fake pills, etc...) that bring more than millions PER DAY! That is a business in which hackers will put A LOT of money, because that will bring a LOT of money.
So they hack that is happening here, have to be quite simple ... and can include a lot of different scenarios (compromised websites/compromised emails/compromised PC) etc... honestly i this point there's no way to know that!
I remember some 0-day threats about PDF documents i had to deal with in the past, and it's always a freaking mess, even with the best team ever, so bare with Trion and give them the time to makes things right!
Last edited by Unibroue; 03-18-2011 at 12:08 PM.
Why Trion is not doing what any other MMO did? What hackers are after is in-game currency, right?
Trion could implement their own ATM inside the game. IF people want more currency to play their game the way they want, they can do it. They could sell currency from their website and send you a one time use code to enter at the ATM machine or special vendor.
That could cut the grass under the hackers' feet and be gone with it.
Just a thought!
ATTENTION TRION - I HAVE VERIFIED THE AUTHENTICATION SYSTEM CAN BE BYPASSED, BY SUCCESSFULLY LOGGING INTO ANOTHER ACCOUNT WITHOUT NEEDING ITS CREDENTIALS.
Just successfully logged into a friend's account (with his permission, and while he watched) without knowing his username or password, by bypassing the auth system entirely. Worse, all it took was about thirty seconds of time once I got all of the details locked down.
I did trigger Coin Lock, but I was fully able to access that handy delete-character button, so this exploit is a griefer's dream.
This is a huge security hole. Accounts can be accessed without needing any information at all from clients.
I will not post details on how to do this (so don't ask), but I'm positive that I can reproduce this at will and likely on any account on the system. Someone at Trion probably needs to send me a PM, very, very quickly so we can go over the exploit's specifics and how to detect - and stop - it. (Or I could always log into a GM account and watch the fun that would ensue.)
As an aside, this is one of those times I wish I wasn't correct about a suspicion...
Last edited by ManWitDaPlan; 03-18-2011 at 12:33 PM.
By username you mean email address correct? Since they use emails not usernames. So changing your email wouldn't help either?
I don't need email addresses at all. In fact, I used a dummy address that isn't even real.
Well, I don't know if this is true or not (no offense ManWitDaPlan) but I certainly want to keep reading about this. Subscribed so I can watch this develop into something useful or troll meal.ATTENTION TRION - I HAVE VERIFIED THE AUTHENTICATION SYSTEM CAN BE BYPASSED, BY SUCCESSFULLY LOGGING INTO ANOTHER ACCOUNT WITHOUT NEEDING ITS CREDENTIALS.
Just successfully logged into a friend's account (with his permission, and while he watched) without knowing his username or password, by bypassing the auth system entirely. Worse, all it took was about thirty seconds of time once I got all of the details locked down.
I did trigger Coin Lock, but I was fully able to access that handy delete-character button, so this exploit is a griefer's dream.
This is a huge security hole. Accounts can be accessed without needing any information at all from clients.
I will not post details on how to do this (so don't ask), but I'm positive that I can reproduce this at will and likely on any account on the system. Someone at Trion probably needs to send me a PM, very, very quickly so we can go over the exploit's specifics and how to detect - and stop - it. (Or I could always log into a GM account and watch the fun that would ensue.)
As an aside, this is one of those times I wish I wasn't correct about a suspicion...
Posting Permissions
Bookmarks