Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Fuzzy Avatars Solved! Please re-upload your avatar if it was fuzzy!

Horizons: Client Vulnerability Report

DanaDana Halifax, NSPosts: 2,415Member

EI Interactive's troubles continue. A report was filed on August 24th, 2006 and sent to EI Interactive and previous owners Tulga Games that chronicled all the ways their client was vulnerable to outside intruders, a source within the original development team confirms. They also notified MMORPG.com of this report.

After a 60 day moritorium without action, the report was released online today. EI Interactive then took their game servers offline and replaced the login screen with an new version as seen here. Since then, their servers have been up and down. It is unclear whether the vulnerabilities still exist based on today's action.




Horizons uses a SOAP API to interchange data/commands between the Application Server and several Clients. The API doesn't verify the source which does trigger functions, which opens up multiple abuse possibilities.

A vulnerability has been discovered in the Horizons SOAP API that allows an attacker to modify account and character information such as:

- change payment and subscription information
- create bogus/non-charged/unverified billings
- rename characters
- retrieve sensitive server/shard information
- activate/ban the account
- change account status like trial,
- add promotions (free, military, other promotions etc.)
- change/add keys

You can read the full report here.

Dana Massey
Formerly of MMORPG.com
Currently Lead Designer for Bit Trap Studios

«1

Comments

  • ShadrakShadrak Hometown, ALPosts: 375Member

    Thank you very much.

  • ZorvanZorvan nowhere, CAPosts: 8,912Member

    It just gets better and better.::::07::

  • scaramooshscaramoosh rhhdhfPosts: 3,424Member
    Anyone who plays this game is stupid anyways.

    ---------------------------------------------
    image
    Don't click here...no2

  • martinj63martinj63 Saint Albans, VTPosts: 83Member

    And they are now just addressing these.  Myself and quite a few others have known about these security issues since beta , we all logged multiple letters and bug reports and David Bowman yes the same Criminal  some tards dare to defend looked the other way. He wouldn't do anything about them because he couldn't do anything. His team simply lacked the skills to fix the issues.

    Bowman should not be trusted to man a McDonalds French Fry vat much less a MMORPG.  I truly hope the criminal indictments start soon.

     

  • LiddokunLiddokun San Francisco, CAPosts: 1,665Member Uncommon
    According to some reports... this guy David Bowman was fired from Turbine for trying to climb the corporate ladder... then Artifact Entertainment picked him up and apparently he was the CEO until Artifact Entertainment bankrupted. They made a new company named Tulga games with the same guys at the helm and apparently the same guy managed to secure new fundings until they went bankrupt again and sold the Artifact Entertainment assets to EI Interactive.
  • RageMonsterRageMonster Worden, ILPosts: 120Member

    Hey... Ed Andercheck says you are all big fat liars and there was never any danger in the last report we read.  Now this is out in the open and I am wondering what Ed's response is.

    1

  • xmoleculexxmoleculex Greenville, SCPosts: 98Member
    Take note people! Banning your own account like this may be the only way to keep EI from charging your account after you cancel. =P



  • dand3dand3 San Rafael, CAPosts: 241Member

    Posting the full report is incredibly irresponsible.  All that was needed was the fact that such exists, and a possibly redacted quote of the conclusion. 

    Putting players' information at risk by publishing this does not advance a vendetta against the company, but against the players. 

     

    Edit: from the forum's rules: A major infraction

    "Illegal Activities - Either committing, or the discussion of committing illegal activities at MMORPG.com will not be tolerated.

    This got pulled from the VN boards for that reason.   It should be pulled here also.

  • OpheleaOphelea Eugene, ORPosts: 85Member

    Originally posted by dand3
    Posting the full report is incredibly irresponsible.  All that was needed was the fact that such exists, and a possibly redacted quote of the conclusion.  Putting players' information at risk by publishing this does not advance a vendetta against the company, but against the players.    Edit: from the forum's rules: A major infraction "Illegal Activities - Either committing, or the discussion of committing illegal activities at MMORPG.com will not be tolerated. This got pulled from the VN boards for that reason.   It should be pulled here also.
    Mayhaps you are missing the point.

    Contrary to the accusation that this has been the case since beta (this is a different launcher than the one in beta - personal agendas regarding David Bowman do not belong in this discussion), EII has known about this and as was indicated in the last article EII was notified. Those of us in the know warned people about the company; we warned people within the limits of the law that there were serious issues.

    But, as you can see by EIIs inaction and the disbelief of those who still play, it wasn't taken seriously.

    By posting it, it does open up accounts - those with KNOWN passwords to hacking.

    However, it also forces EII to take the notification seriously and fix the vulnerability. There's a reason there is a mandatory 60-day waiting period before a notification like this can be made public. That time has passed.

    They MUST fix this. It's a very sad state that it's steps like this that are needed for them to take their business seriously.


  • dand3dand3 San Rafael, CAPosts: 241Member

    Oh, I got the point.  The stated purpose could have been served by alluding to the report, and publishing a limited version of the conclusion.  No more was needed to have made the warning public and it would have brought pressure to bear just as well. 

    And publishing something potentially harmful to PLAYERS shows that balance and proportion have been lost.

  • RazorbackRazorback OutbackPosts: 5,253Member



    Originally posted by dand3

    And publishing something potentially harmful to PLAYERS shows that balance and proportion have been lost.



    Dand3 I appreciate the sentiment of your report. But I think its made abundantly clear in the OP that this report has been published online and is being widely debated amongst anyone who would have the remotest interest in the topic.

    As an industry news site (in part) it would actually be irresponsible of us NOT to inform the readers of our site of this development.

    I am shelving your report for now, but just so this is in the open, as a junior Moderator I will leave any further comment to the senior staff.

    Thanks

    +-+-+-+-+-+
    "MMOs, for people that like think chatting is like a skill or something, rotflol"
    http://purepwnage.com
    image
    -+-+-+-+-+-+
    "Far away across the field, the tolling of the iron bell, calls the faithful to their knees. To hear the softly spoken magic spell" Pink Floyd-Dark Side of the Moon

  • dand3dand3 San Rafael, CAPosts: 241Member



    Originally posted by Razorback



    Originally posted by dand3

    And publishing something potentially harmful to PLAYERS shows that balance and proportion have been lost.


    Dand3 I appreciate the sentiment of your report. But I think its made abundantly clear in the OP that this report has been published online and is being widely debated amongst anyone who would have the remotest interest in the topic.

    As an industry news site (in part) it would actually be irresponsible of us NOT to inform the readers of our site of this development.

    I am shelving your report for now, but just so this is in the open, as a junior Moderator I will leave any further comment to the senior staff.

    Thanks



    All those ends could have been served by a PARTIAL post, which did not include all necessary details.  It's not discussion of the topic that I find so irresponsible, but the publication of the entire report.  That was NOT necessary to bring the issue to the attention of the community.  Since it is potentially damaging to the PLAYERS, using the entire report to pressure EI was terribly misguided.  The players are not at fault, and should not be jeopardized. 
  • xmoleculexxmoleculex Greenville, SCPosts: 98Member

    EI Interactive did not take this security hole seriously. Now they have no choice.

    Tell me, what puts the players more at risk... EI ignoring a security flaw (and thusly leaving it open for who knows how long) or EI being forced to no longer ignore it and actually DO something?

    Clear things up a bit for you?

  • DanaDana Halifax, NSPosts: 2,415Member

    Originally posted by dand3
    Originally posted by Razorback
    Originally posted by dand3
    And publishing something potentially harmful to PLAYERS shows that balance and proportion have been lost.

    Dand3 I appreciate the sentiment of your report. But I think its made abundantly clear in the OP that this report has been published online and is being widely debated amongst anyone who would have the remotest interest in the topic.

    As an industry news site (in part) it would actually be irresponsible of us NOT to inform the readers of our site of this development.

    I am shelving your report for now, but just so this is in the open, as a junior Moderator I will leave any further comment to the senior staff.

    Thanks


    All those ends could have been served by a PARTIAL post, which did not include all necessary details.  It's not discussion of the topic that I find so irresponsible, but the publication of the entire report.  That was NOT necessary to bring the issue to the attention of the community.  Since it is potentially damaging to the PLAYERS, using the entire report to pressure EI was terribly misguided.  The players are not at fault, and should not be jeopardized. 

    It boiled down to this for me - as I did consider not linking it...

    If I don't post it, what's to stop someone from saying I just made it up?

    Plus, anyone with a few lines of text could likely google and find it themselves.


    Dana Massey
    Formerly of MMORPG.com
    Currently Lead Designer for Bit Trap Studios

  • sartoriussartorius Lancaster, CAPosts: 199Member



    Originally posted by dand3



    Originally posted by Razorback



    Originally posted by dand3

    And publishing something potentially harmful to PLAYERS shows that balance and proportion have been lost.


    Dand3 I appreciate the sentiment of your report. But I think its made abundantly clear in the OP that this report has been published online and is being widely debated amongst anyone who would have the remotest interest in the topic.

    As an industry news site (in part) it would actually be irresponsible of us NOT to inform the readers of our site of this development.

    I am shelving your report for now, but just so this is in the open, as a junior Moderator I will leave any further comment to the senior staff.

    Thanks



    All those ends could have been served by a PARTIAL post, which did not include all necessary details.  It's not discussion of the topic that I find so irresponsible, but the publication of the entire report.  That was NOT necessary to bring the issue to the attention of the community.  Since it is potentially damaging to the PLAYERS, using the entire report to pressure EI was terribly misguided.  The players are not at fault, and should not be jeopardized. 


    dand3,

       I believe the situation here is that MMORPG.com is not the body behind the public release of the report - the company that made it and submitted it to EII are.  All MMORPG.com is doing is reporting to their members the situation in full.  wether or nto they linked to the original report or not, it would eventually be done here and even if they kept removing/editing the links out the report IS public via the company that issued it and could still be found and viewed by anyone who wanted to.

    You want to crucify someone for making it public, go after the ones ultimately responsible (which includes EII for their failure to act on the initial report.)

     

    image
    "Death is a dignitary who when he comes announced is to be received
    with formal manifestations of respect, even by those most familiar with him.
    "
    - Ambrose Gwinnett Bierce

  • dand3dand3 San Rafael, CAPosts: 241Member



    Originally posted by Lepidus
     

    It boiled down to this for me - as I did consider not linking it...

    If I don't post it, what's to stop someone from saying I just made it up?  Your considerable reputation for thoroughness and fairness. 

     And a partial, redacted, publication would have been enough in any event; modifying enough to prevent googling would have been a good idea; but the key point is that players are potentially jeopardized in order to get EI off the dime.  The players did nothing wrong; and protecting them should always have been your first priority.   That could have been done without compromising editorial standards or putting subscribers at risk. 

    Plus, anyone with a few lines of text could likely google and find it themselves.



  • xmoleculexxmoleculex Greenville, SCPosts: 98Member

     Your considerable reputation for thoroughness and fairness.   And a partial, redacted, publication would have been enough in any event; modifying enough to prevent googling would have been a good idea; but the key point is that players are potentially jeopardized in order to get EI off the dime.  The players did nothing wrong; and protecting them should always have been your first priority.   That could have been done without compromising editorial standards or putting subscribers at risk. 

    Modifying enough to prevent Googling? Are you serious? Should they have reported that the vulnerability was for EQ or DAoC? You can't "modify" news to mislead people... fabrication would hurt that "considerable reputation for thoroughness and fairness" that you pointed out yourself. How is it "thorough" or "fair" to mislead their readers?

    Furthermore, this is a PUBLIC document. MMORPG.com didn't break this news, they just pointed it out. That's their job. Personally, I approve of them bringing this to the attention of the community at large. Folks need to know about this sort of thing... not just current players of Horizons, but also anyone who would even consider playing.

    It's EII's job to protect their current players. Apparently that wasn't a top priority for them. You've picked a fight worth fighting, but with the wrong people and for the wrong reason!


  • ZorvanZorvan nowhere, CAPosts: 8,912Member


    Originally posted by dand3
    Originally posted by Lepidus
     
    It boiled down to this for me - as I did consider not linking it...If I don't post it, what's to stop someone from saying I just made it up?  Your considerable reputation for thoroughness and fairness. 
     And a partial, redacted, publication would have been enough in any event; modifying enough to prevent googling would have been a good idea; but the key point is that players are potentially jeopardized in order to get EI off the dime.  The players did nothing wrong; and protecting them should always have been your first priority.   That could have been done without compromising editorial standards or putting subscribers at risk.  Plus, anyone with a few lines of text could likely google and find it themselves.



    Dand3, first off, let me reiterate that the people here at mmorpg.com did nothing wrong with posting that report. It was and still is publically available. "Modify" it so it can't be googled? Not much internet experience, I take it. Also, I've browesed through all of your post (you don't have many, so it was easy) and what I find amusing is that you were happy as a rat in a cheese factory when Tulga took over, and you are as staunch a defender of EII as you were for Tulga. Every post you've made has been in defence or praise of Tulga/EI/ and Horizons. And no matter how you try to manipulate an angle to look like you are protesting out of concern for the players, you look more like someone who is a little peeved that this came to light at all. Tulga knew and did nothing. Then EI came along, knew, and did nothing. Were you here warning the players that they could be compromised, as I'm more than sure someone there since beta knew all of this too. Other players noticed and brought it to light all the way back with Tulga. Where were you? Oh, yes. That's right. You were here praising them. Your opinion of this situation means nothing to me, and quite frankly should mean nothing to mmorpg.com or the players of Horizons who were put at financial danger by both companies running their game.
    Oh, and feel free to flame. I doubt you could do a very good job of it, but you can try.::::02::

  • dand3dand3 San Rafael, CAPosts: 241Member

    yup, Googling does take you there.  The site also says that the example is encrypted; wonder why it's not.No, I did not know about this; why should I?  

    And as for correcting the misstatements of those who have not played for a long time, if ever... just setting the record straight. image

    Those who have the facts on their side, argue the facts; those who don't have the facts, argue the law; those who have neither the facts nor the law, flame.

  • SupergohanSupergohan ZwollePosts: 54Member
    well... atleast something is being done...image

    You aint much, if you aint Dutch
    www.mmozone.nl
    image

  • ZorvanZorvan nowhere, CAPosts: 8,912Member


    Originally posted by dand3
    No, I did not know about this; why should I?  

    I just find it odd that someone who played since beta3, and obviously takes agreat deal of interest in the game he plays, had no idea that any of this was happening. Although other players were bringing it up on the forums, in irc, and here. As well, I'm sure, it was spoken of ingame as well. Guess you were lucky enough to only play at times it wasn't mentioned, avoided the forums, didn't go in irc, and didn't come here. Maybe you weren't as intersted in the game as you appear to be. Oh, well. My bad. And this isn't a flame. I am going off what is shown.

  • NalrachNalrach LaSalle, QCPosts: 3Member

    Lepidus post got my attention (the info part), but posting the sample hack codes was definitively a no-no in my book. And ideed it's first time I got the full "SOAP API" bit, and I admit I don't go to IRC (best way to get worms and hack to your system) and I don't support paying forums. I agree that posting the actual ack coding was irresponsible, in the sense that a "scrip junky" and the "wanna be a hacker" have tools they should not mess around. For the fairness and relative freedom of those still playing, this is not helping them. This post like may are strickly on a vendetta style attack from a disgruntle ex-employee or player that want a revenge for x reason. If your not happy with the skill set of the game owner/employee and/or they not listening to your screamings, just go away. What benifit do you get from trying to get the game shutdown (by re-distributing the hack code this is what your trying). The only benifit I see is a competing games for the base population. But even this reason does not sound true as most actual HZ game player have played the other games and returned to HZ because this game offer what they want and the HZ player has not found what he was seeking elsewhere. Nope definitivelly all this ring vendetta to my ears or someone trying to go to their site for more details and get information from your system. Personnally I will not try to get to those "console.cc" links (I have too much a bad feeling about it).

  • martinj63martinj63 Saint Albans, VTPosts: 83Member

    Just keep in mind folks that we have a couple of  EI moles  on this thread doing damage control...they are easily spotted , they are the ones that get pissed off when you Dis David Bowman and out right lie about the fact that this hasn't been going on since Beta.

    If anyone doubts that this hasn't been a problem that has been ignored since beta just ask any of the members of the order of The Sacred Sword they broke this story in 2003 and got banned for it The entire guild banned because  David Bowmans  inability  to fix his broken product, the same product that is ripping off what few members are left.  I don't have an agenda against David Bowman just a strong desire to see him prosecuted for Fraud and racketeering, and every day that is becoming more of a possibility.

     

  • xmoleculexxmoleculex Greenville, SCPosts: 98Member

    Originally posted by Nalrach
    Lepidus post got my attention (the info part), but posting the sample hack codes was definitively a no-no in my book. And ideed it's first time I got the full "SOAP API" bit, and I admit I don't go to IRC (best way to get worms and hack to your system) and I don't support paying forums. I agree that posting the actual ack coding was irresponsible, in the sense that a "scrip junky" and the "wanna be a hacker" have tools they should not mess around. For the fairness and relative freedom of those still playing, this is not helping them. This post like may are strickly on a vendetta style attack from a disgruntle ex-employee or player that want a revenge for x reason. If your not happy with the skill set of the game owner/employee and/or they not listening to your screamings, just go away. What benifit do you get from trying to get the game shutdown (by re-distributing the hack code this is what your trying). The only benifit I see is a competing games for the base population. But even this reason does not sound true as most actual HZ game player have played the other games and returned to HZ because this game offer what they want and the HZ player has not found what he was seeking elsewhere. Nope definitivelly all this ring vendetta to my ears or someone trying to go to their site for more details and get information from your system. Personnally I will not try to get to those "console.cc" links (I have too much a bad feeling about it).
    *sigh*

    So now MMORPG.com is trying to shut down Horizons? Gimme a break. Keep your conspiracy theories where they belong... you know, that place where the sun don't shine.

    I just don't understand why you people aren't attacking the *real* problem here, which is Tulga/EII's neglegence. Here are your options:

    1) No one outs the exploit. EII continues to deny it (lying). Problems continue throughout the lifespan of Horizons... people who know about the hack continue to use it against other players without any kind of punishment... because after all the hack doesn't exist, right?

    2) It is brought to public, forcing EII to fix the problem. Players are inconvenienced for a bit while EII does what they should have done a long time ago. Hell, what Tulga should have done a long time ago. The hack is fixed and players can continue to play in relative safety.

    Which option sounds better to you? Sounds like some of you would rather be ignorant and let EII continue to ignore this problem and continue to let people exploit it. What a nice little naive world you must live in...

    I also don't understand how you can try to pin this on MMORPG.com, who are only:

    a) Reporting valid, breaking news.
    b) Showing valid proof of the accusation.
    c) Making the current and future players aware of the problem.

    And you complain about MMORPG.com not caring about Horizon's players? LOL. Basically, ya'll just need to get over it. There's a huge problem with the Horizons client right now. EII wasn't going to fix it without their hand being forced. Guess what? Their hand has been forced. This all could have been avoided if Tulga or EII had fixed it when it should have been... a long, long time ago.

    In summary, stop complaining about the honest people at MMORPG.com who were doing their job, and start complaining people at Tulga/EII who were NOT doing their job.


  • I, too, find it highly irresponsible to republish a step-by-step roadmap of how to hack into Horizons, or any other MMORPG.  As has been observed previously in this thread, the purpose of warning the player base of a security vulnerability is served well enough by simply stating that the vulnerability exists, and the kind of damage that can result from the vulnerability. 

    Take the all-too frequent Windows security vulnerabilities as an illustration.  Those are often reported by CNN and other mainstream news sites, but you will never see them print a roadmap on how to take advantage of the vulnerabilities.  Well beyond the fact that the mainstream news networks' legal departments would undoubtedly prohibit the publishing of such a "report" as this one for all the legal woes printing it would entail, there is the plain old common sense issue of responsibility in journalism.  While publishing this "report" does indeed embarrass EI (and I should imagine DB and the former dev team), it simultaneously places the subscribers to the game in serious jeopardy.  Just as our troops should never be considered "collateral damage" in favor of printing some article adverse to the present administration's policies, so too should the security of the players of any MMO be lightly discarded in favor of publishing something derogatory to its past or present developers or owners.

    In closing, I would mention how intriguing it is that the genesis of this report is a "source within the original development team," and its publication follows hard on the heels of an attempt by a former Tulga "source" to disrupt the game and its community by doling out god-like items in game . . . .

«1
Sign In or Register to comment.