EI Interactive's troubles continue. A report was filed on August 24th, 2006 and sent to EI Interactive and previous owners Tulga Games that chronicled all the ways their client was vulnerable to outside intruders, a source within the original development team confirms. They also notified MMORPG.com of this report.
After a 60-day moratorium without action, the report was released online today. EI Interactive then took their game servers offline and replaced the login screen with a new version as seen here. Since then, their servers have been up and down. It is unclear whether the vulnerabilities still exist based on today's action.
Horizons uses a SOAP API to interchange data/commands between the Application Server and several Clients. The API doesn't verify the source which does trigger functions, which opens up multiple abuse possibilities.
A vulnerability has been discovered in the Horizons SOAP API that allows an attacker to modify account and character information such as:
- change payment and subscription information
You can read the full report here.