EI Interactive's troubles continue. A report was filed on August 24th, 2006 and sent to EI Interactive and previous owners Tulga Games that chronicled all the ways their client was vulnerable to outside intruders, a source within the original development team confirms. They also notified MMORPG.com of this report.
After a 60-day moratorium without action, the report was released online today. EI Interactive then took their game servers offline and replaced the login screen with a new version as seen here. Since then, their servers have been up and down. It is unclear whether the vulnerabilities still exist based on today's action.
| Horizons uses a SOAP API to interchange data/commands between the Application Server and several Clients. The API doesn't verify the source which does trigger functions, which opens up multiple abuse possibilities.
A vulnerability has been discovered in the Horizons SOAP API that allows an attacker to modify account and character information such as: - change payment and subscription information |
You can read the full report here.
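The report excerpt above describes an API that dispatches account-modifying commands without checking who sent them. As an added illustration that is not part of the original post, the report, or the game's code, here is a toy SOAP-style dispatcher in that weak form beside a hardened form that binds each request to an authenticated session; the envelope shape, namespace, account store and session scheme are all constructed for the example.

```python
# Added example (not the report's or the game's code): a minimal SOAP-style
# dispatcher showing the weakness the report describes (any caller can trigger
# account-modifying operations) beside a hardened variant that only lets an
# authenticated session act on its own account.
import hmac
import hashlib
import secrets
import xml.etree.ElementTree as ET
from typing import Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
API_NS = "urn:example-game-api"  # hypothetical namespace, constructed here

# Constructed account store: account -> subscription state.
ACCOUNTS = {"alice": {"subscription": "monthly"}, "bob": {"subscription": "monthly"}}

# Server-side secret used to sign session tokens (constructed for the example).
SESSION_KEY = secrets.token_bytes(32)

def issue_session(account: str) -> str:
    """Return a token proving the caller authenticated as `account`."""
    tag = hmac.new(SESSION_KEY, account.encode(), hashlib.sha256).hexdigest()
    return f"{account}:{tag}"

def verify_session(token: str) -> Optional[str]:
    """Return the account a token belongs to, or None if it is forged or malformed."""
    account, _, tag = token.partition(":")
    expected = hmac.new(SESSION_KEY, account.encode(), hashlib.sha256).hexdigest()
    return account if account and hmac.compare_digest(tag, expected) else None

def parse_envelope(xml_text: str):
    """Extract (operation name, body params, header fields) from a SOAP 1.1 envelope."""
    root = ET.fromstring(xml_text)
    op = root.find(f"{{{SOAP_NS}}}Body")[0]
    params = {c.tag.split("}")[-1]: (c.text or "") for c in op}
    header = root.find(f"{{{SOAP_NS}}}Header")
    hdr = {} if header is None else {c.tag.split("}")[-1]: (c.text or "") for c in header}
    return op.tag.split("}")[-1], params, hdr

def set_subscription(account: str, plan: str) -> str:
    """The kind of account/subscription change the report says was exposed."""
    ACCOUNTS[account]["subscription"] = plan
    return "ok"

OPERATIONS = {"SetSubscription": set_subscription}

def dispatch_unverified(xml_text: str) -> str:
    """Weak pattern from the report: trusts whatever account the envelope names."""
    op, params, _ = parse_envelope(xml_text)
    return OPERATIONS[op](params["account"], params["plan"])

def dispatch_verified(xml_text: str) -> str:
    """Hardened pattern: require a valid session and scope it to the caller's account."""
    op, params, hdr = parse_envelope(xml_text)
    caller = verify_session(hdr.get("Session", ""))
    if caller is None:
        return "fault: unauthenticated"
    if params.get("account") != caller:
        return "fault: not your account"
    return OPERATIONS[op](caller, params["plan"])

def envelope(account: str, plan: str, session: Optional[str] = None) -> str:
    """Build a constructed SetSubscription request envelope for the checks below."""
    hdr = f"<s:Header><g:Session>{session}</g:Session></s:Header>" if session else ""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:g="{API_NS}">{hdr}'
            f"<s:Body><g:SetSubscription><g:account>{account}</g:account>"
            f"<g:plan>{plan}</g:plan></g:SetSubscription></s:Body></s:Envelope>")
```

The unverified dispatcher changes any named account's plan for whoever sends the envelope; the verified one rejects missing or forged sessions and cross-account requests.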
Thank you very much.
It just gets better and better.
And they are now just addressing these. Myself and quite a few others have known about these security issues since beta; we all logged multiple letters and bug reports, and David Bowman, yes the same criminal some tards dare to defend, looked the other way. He wouldn't do anything about them because he couldn't do anything. His team simply lacked the skills to fix the issues.
Bowman should not be trusted to man a McDonald's french fry vat, much less an MMORPG. I truly hope the criminal indictments start soon.
Hey... Ed Andercheck says you are all big fat liars and there was never any danger in the last report we read. Now this is out in the open and I am wondering what Ed's response is.
Posting the full report is incredibly irresponsible. All that was needed was the fact that such exists, and a possibly redacted quote of the conclusion.
Putting players' information at risk by publishing this does not advance a vendetta against the company, but against the players.
Edit: from the forum's rules: A major infraction
"Illegal Activities - Either committing, or the discussion of committing illegal activities at MMORPG.com will not be tolerated."
This got pulled from the VN boards for that reason. It should be pulled here also.
Contrary to the accusation that this has been the case since beta (this is a different launcher than the one in beta - personal agendas regarding David Bowman do not belong in this discussion), EII has known about this and, as was indicated in the last article, EII was notified. Those of us in the know warned people about the company; we warned people within the limits of the law that there were serious issues.
But, as you can see by EII's inaction and the disbelief of those who still play, it wasn't taken seriously.
By posting it, it does open up accounts - those with KNOWN passwords to hacking.
However, it also forces EII to take the notification seriously and fix the vulnerability. There's a reason there is a mandatory 60-day waiting period before a notification like this can be made public. That time has passed.
They MUST fix this. It's a very sad state that it's steps like this that are needed for them to take their business seriously.
Oh, I got the point. The stated purpose could have been served by alluding to the report, and publishing a limited version of the conclusion. No more was needed to have made the warning public and it would have brought pressure to bear just as well.
And publishing something potentially harmful to PLAYERS shows that balance and proportion have been lost.
Dand3, I appreciate the sentiment of your report. But I think it's made abundantly clear in the OP that this report has been published online and is being widely debated amongst anyone who would have the remotest interest in the topic.
As an industry news site (in part) it would actually be irresponsible of us NOT to inform the readers of our site of this development.
I am shelving your report for now, but just so this is in the open, as a junior Moderator I will leave any further comment to the senior staff.
Thanks
All those ends could have been served by a PARTIAL post, which did not include all necessary details. It's not discussion of the topic that I find so irresponsible, but the publication of the entire report. That was NOT necessary to bring the issue to the attention of the community. Since it is potentially damaging to the PLAYERS, using the entire report to pressure EI was terribly misguided. The players are not at fault, and should not be jeopardized.
Tell me, what puts the players more at risk... EI ignoring a security flaw (and thusly leaving it open for who knows how long) or EI being forced to no longer ignore it and actually DO something?
Clear things up a bit for you?
It boiled down to this for me - as I did consider not linking it...
If I don't post it, what's to stop someone from saying I just made it up?
Plus, anyone with a few lines of text could likely google and find it themselves.
dand3,
I believe the situation here is that MMORPG.com is not the body behind the public release of the report - the company that made it and submitted it to EII is. All MMORPG.com is doing is reporting to their members the situation in full. Whether or not they linked to the original report, it would eventually be done here, and even if they kept removing/editing the links out, the report IS public via the company that issued it and could still be found and viewed by anyone who wanted to.
You want to crucify someone for making it public, go after the ones ultimately responsible (which includes EII for their failure to act on the initial report.)
Furthermore, this is a PUBLIC document. MMORPG.com didn't break this news, they just pointed it out. That's their job. Personally, I approve of them bringing this to the attention of the community at large. Folks need to know about this sort of thing... not just current players of Horizons, but also anyone who would even consider playing.
It's EII's job to protect their current players. Apparently that wasn't a top priority for them. You've picked a fight worth fighting, but with the wrong people and for the wrong reason!
Dand3, first off, let me reiterate that the people here at mmorpg.com did nothing wrong with posting that report. It was and still is publicly available. "Modify" it so it can't be googled? Not much internet experience, I take it. Also, I've browsed through all of your posts (you don't have many, so it was easy) and what I find amusing is that you were happy as a rat in a cheese factory when Tulga took over, and you are as staunch a defender of EII as you were for Tulga. Every post you've made has been in defence or praise of Tulga/EI and Horizons. And no matter how you try to manipulate an angle to look like you are protesting out of concern for the players, you look more like someone who is a little peeved that this came to light at all. Tulga knew and did nothing. Then EI came along, knew, and did nothing. Were you here warning the players that they could be compromised? I'm more than sure someone there since beta knew all of this too. Other players noticed and brought it to light all the way back with Tulga. Where were you? Oh, yes. That's right. You were here praising them. Your opinion of this situation means nothing to me, and quite frankly should mean nothing to mmorpg.com or the players of Horizons who were put at financial danger by both companies running their game.
Oh, and feel free to flame. I doubt you could do a very good job of it, but you can try.
Yup, Googling does take you there. The site also says that the example is encrypted; wonder why it's not. No, I did not know about this; why should I?
And as for correcting the misstatements of those who have not played for a long time, if ever... just setting the record straight.
Those who have the facts on their side, argue the facts; those who don't have the facts, argue the law; those who have neither the facts nor the law, flame.
I just find it odd that someone who played since beta 3, and obviously takes a great deal of interest in the game he plays, had no idea that any of this was happening, although other players were bringing it up on the forums, in IRC, and here. As well, I'm sure, it was spoken of in-game. Guess you were lucky enough to only play at times it wasn't mentioned, avoided the forums, didn't go in IRC, and didn't come here. Maybe you weren't as interested in the game as you appear to be. Oh, well. My bad. And this isn't a flame. I am going off what is shown.
Lepidus' post got my attention (the info part), but posting the sample hack codes was definitively a no-no in my book. And indeed it's the first time I got the full "SOAP API" bit, and I admit I don't go to IRC (best way to get worms and hacks to your system) and I don't support paying forums. I agree that posting the actual hack coding was irresponsible, in the sense that a "script junky" and the "wanna be a hacker" have tools they should not mess around with. For the fairness and relative freedom of those still playing, this is not helping them. This post, like many, is strictly a vendetta-style attack from a disgruntled ex-employee or player that wants revenge for x reason. If you're not happy with the skill set of the game owner/employee and/or they're not listening to your screamings, just go away. What benefit do you get from trying to get the game shut down (by re-distributing the hack code this is what you're trying)? The only benefit I see is a competing game for the base population. But even this reason does not sound true, as most actual HZ game players have played the other games and returned to HZ because this game offers what they want and the HZ player has not found what he was seeking elsewhere. Nope, definitely all this rings vendetta to my ears, or someone trying to get you to go to their site for more details and get information from your system. Personally I will not try to get to those "console.cc" links (I have too much of a bad feeling about it).
Just keep in mind folks that we have a couple of EI moles on this thread doing damage control... they are easily spotted, they are the ones that get pissed off when you dis David Bowman and outright lie about the fact that this hasn't been going on since beta.
If anyone doubts that this hasn't been a problem that has been ignored since beta, just ask any of the members of the Order of The Sacred Sword. They broke this story in 2003 and got banned for it. The entire guild banned because of David Bowman's inability to fix his broken product, the same product that is ripping off what few members are left. I don't have an agenda against David Bowman, just a strong desire to see him prosecuted for fraud and racketeering, and every day that is becoming more of a possibility.
*sigh*
So now MMORPG.com is trying to shut down Horizons? Gimme a break. Keep your conspiracy theories where they belong... you know, that place where the sun don't shine.
I just don't understand why you people aren't attacking the *real* problem here, which is Tulga/EII's negligence. Here are your options:
1) No one outs the exploit. EII continues to deny it (lying). Problems continue throughout the lifespan of Horizons... people who know about the hack continue to use it against other players without any kind of punishment... because after all the hack doesn't exist, right?
2) It is brought to public, forcing EII to fix the problem. Players are inconvenienced for a bit while EII does what they should have done a long time ago. Hell, what Tulga should have done a long time ago. The hack is fixed and players can continue to play in relative safety.
Which option sounds better to you? Sounds like some of you would rather be ignorant and let EII continue to ignore this problem and continue to let people exploit it. What a nice little naive world you must live in...
I also don't understand how you can try to pin this on MMORPG.com, who are only:
a) Reporting valid, breaking news.
b) Showing valid proof of the accusation.
c) Making the current and future players aware of the problem.
And you complain about MMORPG.com not caring about Horizons' players? LOL. Basically, y'all just need to get over it. There's a huge problem with the Horizons client right now. EII wasn't going to fix it without their hand being forced. Guess what? Their hand has been forced. This all could have been avoided if Tulga or EII had fixed it when it should have been... a long, long time ago.
In summary, stop complaining about the honest people at MMORPG.com who were doing their job, and start complaining about the people at Tulga/EII who were NOT doing their job.
I, too, find it highly irresponsible to republish a step-by-step roadmap of how to hack into Horizons, or any other MMORPG. As has been observed previously in this thread, the purpose of warning the player base of a security vulnerability is served well enough by simply stating that the vulnerability exists, and the kind of damage that can result from the vulnerability.
Take the all-too frequent Windows security vulnerabilities as an illustration. Those are often reported by CNN and other mainstream news sites, but you will never see them print a roadmap on how to take advantage of the vulnerabilities. Well beyond the fact that the mainstream news networks' legal departments would undoubtedly prohibit the publishing of such a "report" as this one for all the legal woes printing it would entail, there is the plain old common sense issue of responsibility in journalism. While publishing this "report" does indeed embarrass EI (and I should imagine DB and the former dev team), it simultaneously places the subscribers to the game in serious jeopardy. Just as our troops should never be considered "collateral damage" in favor of printing some article adverse to the present administration's policies, so too should the security of the players of any MMO be lightly discarded in favor of publishing something derogatory to its past or present developers or owners.
In closing, I would mention how intriguing it is that the genesis of this report is a "source within the original development team," and its publication follows hard on the heels of an attempt by a former Tulga "source" to disrupt the game and its community by doling out god-like items in game . . . .
-MMORPG.COM DID NOT PUBLISH THIS REPORT FIRST.
-THE PLAYERS WERE ALREADY IN JEOPARDY.
-THIS REPORT FORCED EII TO FIX THE PROBLEM.
-WHEN PROBLEM IS FIXED, PLAYERS NO LONGER IN JEOPARDY.
-CELEBRATION.
Any better?
There were already people who knew about this exploit. There were people who were already using it. By making the community at large intimately aware of the details, EII was forced to bring down the server and fix it. Just telling them about the problem was obviously not enough... because people have been talking about it for years.
Also... please don't compare this incident to troop casualties in Iraq. I have family there, and if you think those are equal problems, then you need to see a shrink. Immediately.
Point is, the people who "could" use this code already were (actually a slightly different one) long before, and I know this for a fact and have never played the game.
How do I know this for a fact? I used to be really big into finding security holes without getting caught back in yesteryear, so to speak. I long since quit that activity to find more productive things to do with my life. However, I stay current on the latest issues and frequent a lot of old sites that are still up. That being said, this was already well known and talked about on some sites even before that report's release, much less the link here. And ya, people were taking advantage of the issue.
You can believe me or not I don't really care but this just places it in the "authorities spot light" so someone actually fixes the problem instead of denying it ever existed in the first place or by sweeping it under the rug by just making general statements that ya it can be done.
60 days after the fact. Some idiot hacker already discovered this a long time ago and already got what they needed from the security hole.
Don't be a tool, and know what you are talking about before posting such crap on what is and is not responsible. If it took EII 60 days to fix such a major hole, then MMORPG.com is not the ones you should be angry at. I feel sorry for anyone foolish enough to have an active account with Horizons at this time.
As much disdain as I have for Hadesprime's past flames/trolling of the Horizons boards, he and the other posters with similar opinions are absolutely right. Not only is MMORPG.com not at fault for posting this, but I believe it was their DUTY as an industry news source to do so.
I am surprised you can still log into the game at this point. I can only hope that someone is taking legal action to shut the servers down and secure or erase all of the compromised personal data before any more opportunity is created for massive identity theft. Keep in mind, Horizons may have a small current player base, but there are likely 1000 times more accounts that are no longer in use that still remain on those servers.
"We reported this hole in beta and got banned to shut us up..."
"This has been known for years on underground web sites..."
"I knew about this report before the author wrote it..."
Yeah, riiiight....
Without analyzing previous versions of the launcher code, nobody can say for sure how long this specific weakness has existed. The web launcher was tweaked & updated several times after launch; the beta version didn't even use .NET, for example.
If this specific hole DID exist in beta, anyone who knew about it should have reported it. "This software has a bunch of security holes and everyone knows it!" isn't a valid bug report. A valid bug report is specific, detailed, and has all the information available to the submitter so that the programming team can reproduce the issue. I don't believe anyone who says they reported this and were banned or ignored, because other serious security issues were reported and were addressed. It's in the best interests of the company and the game to address issues like this as soon as possible, so punishing people for reporting them makes no sense whatsoever.
The vulnerability in question doesn't endanger players unless their password has been compromised. Even then, most of the things this vulnerability allows someone to do are related to playing for free - which anyone can do now anyway, thanks to EI's billing system issues. The threat is to EI, but only from someone who has the server password. It's still a critical issue, but it's not a situation where the player base as a whole is threatened.
Without knowing when the vulnerability was introduced, without actual proof that a legitimate bug report about this specific issue was submitted prior to the report in question, the only facts available right now are that EI was advised of the issue in August and that the issue was still not addressed 60 days later. Tulga couldn't do anything about it; everyone who could have fixed it had already been fired by Chris Baker and all the game assets had been turned over to EI at that point. EI did not fix the issue and there is no evidence that they would have ever done so on their own.
That failure is totally on EI. Good luck getting it fixed; I doubt anyone who knows the code will be willing to take a contract with a company that has already bounced paychecks for two other contractors.
For this reason I laud MMORPG for reporting this. Perhaps some feel this should not have been openly revealed, but such people don't want this known, since it might upset the game they love. They fear the game will end, and don't want to believe that it really could. Such a view is a denial of reality. All things end, including games.
Some posters are incorrect in thinking this hurts the players. If anything, it forces EII to actually learn to do their job.
I say learn, because it's very obvious that they have little clue what they are doing.
I cancelled my accounts last month. The happy little website said it was cancelled. But just to be safe, I checked with PBT and, you guessed it, the change in status was never uploaded to PBT to update their records, so it was never really cancelled. So, I ask PBT to cancel the accounts, and they were very happy to help. Next, I check to see if my accounts are actually non-functional, and lo and behold, I can STILL log in.
The short of it is, without even being able to successfully stop a player that has cancelled their accounts from logging in, do ANY of you actually believe that they have the needed skills to fix the security hole reported on by MMORPG?
If your answer is yes, then it is obvious to all that you are over-medicated.
But it can affect the players in that it allows the hacker to give themselves GM/WM powers - as indicated in the report.
Somehow, I think if this hole were known and being abused for years, this particular abuse would have been seen previously.
People do so like their shinies!
Sort of. That was a case of a player with a ton of money being given WM powers and allowed to play developer, though. It wasn't a hack, just one of the worst decisions in the history of the game.
The items recently discovered on Order were (as far as has been divulged by Amadan) created by someone who was given WM abilities but who was not a Tulga employee. This person abused the trust that was placed in them, and has been dealt with.
In both cases, the persons involved had been set up with a WM account by AE/Tulga. No hacks were involved.
THANK YOU MMORPG.COM! *big hug*
Really. Information like this needs to be out in the public. Game companies give consumers the run around all the time and only through efforts like this are we going to see them begin to change.
I can only think of one other business that can treat its customer base so badly but still get the business, and that is drug dealers. Maybe less of a difference in the 2 than we think. (People do get addicted to games.)
Again, thank you. Thank you for keeping the thread going. Thank you for not removing the link. Thank you for helping us, the players, have a voice.
The writer of this report gave EI 60 days to resolve this issue before making it public. EI either ignored it, or was incapable of fixing it. Sometimes people need a smack on the head to get things done, and guess what, the smack seems to have worked.
People can bash AE/Tulga/Bowman, etc until they're blue in the face. But they're all gone now, and this is EI's game now. This was published under their watch and they did nothing about it.
naaah good on em for posting it. Otherwise people would ask "Where is the document"
A big "thank you" to the staff of mmorpg.com for some excellent reporting on the *huge* problems in this sorry piece of gaming, i.e., "Horizons". The replies by the EI staff said it all.
And may I say that the few fanboi's that posted here in Horizons defense gave us all a good insight into the mind of people in deep, deep denial.
Man, those were some feeble attempts at justifying their weak positions!
*snicker*
I am soo confused by all the posts.
We are simply looking for a new game to play; we love AE but hate the lag. We like tradeskills, and some fighting too. No PvP though. Suggestions? Is this game one to check out or not?
Not.
Ok, well, after 5 hours I got the game dl'd and tried to check it out, only to find that if I did not enter my CC info I could not even try it. Sooo this game will not make my tested list.
Any suggestions on decent games?