Horizons: Special Report, Part II
Article by Carolyn Koh
Editor's Note: This is the second article in a series that looks at Horizons and what has gone on with it and its new owners since EI Interactive purchased the game from Tulga earlier this year. You can read part one here.
Act Two, Scene 1.
MMORPG.com published a link to the SOAP vulnerability that had been reported to EI Interactive. Speculation began to run rampant, forcing a public statement from EI Interactive in which they reassure subscribers that their account information is safe.
“…the vulnerability described in the article allows for only individual account exploits. The vulnerability requires foreknowledge of account information, e.g. a valid username and password.”
Just what is SOAP and how does it affect anyone? Simple Object Access Protocol or SOAP is a protocol for accessing a web service. I spoke to the publisher of the report, Bernd Kilga who works as a security consultant, in order to learn how he discovered the vulnerability.
”I participated in a couple of Horizons tools, like the rather popular Horizons Crafting Calculator (HCC) (http://hcc.reclamation.dk/) and tons of other stuff: live statistics (http://reclamation.dk/horizons/livestats/) and character exporters (http://reclamation.dk/horizons/arcat/). We even received permission from Tulga to bundle game assets such as game-graphics/icons/data with HCC. My primary motivation was the excellent communication with Tulga which allowed me to get a great peek behind the game development industry, something which does interest me a lot. Working on tools like this, naturally leads to understanding the game-database and the various debug logs. During our work on HCC we reported several data-anomalies to Tulga. This gave me the experience needed to test various security aspects.”
Previous to this find, Kilga discovered a major security hole which he worked closely with Tulga to fix.
“That allowed the read out of any userdata (password + username) by providing a fake HTTP request. This issue was addressed by Tulga with high priority and resolved in 1-2 weeks. It did please me a lot that this issue got fixed right away and in a very professional manner: I was in MSN chat with the lead developer who also requested that I test the patch before its public release.”
The SOAP vulnerability as published by Kilga allows any HTTP client (e.g. a web browser) to interact with the SOAP API: It isn't restricted to specific clients (should be login website and standalone launcher ONLY) and offers methods which you can't do as a regular user. A simple example: Rename your character.
At the time the vulnerability was reported to EI the original payment system was still in place, so at that time it was possible to do actual changes to subscription data. Today a different payment API is in place and is not directly connected to the login website.
We asked if the security loophole was fixed by that EI Interactive’s action.
“Not exactly,” Kilga told us. “First off, there is no real danger for the customers of Horizons: It's not possible to retrieve any userdata (passwords) without any brute force attacks. However, since SOAP allows interaction by any client, it's very possible to write simple scripts which performs brute force attacks and tries to guess passwords of a) users and b) the master password which protects the moderation commands.”
We asked if Kilga had made the vulnerability known to Tulga or EI Interactive. Unknown to him, Horizons had already been sold, however, David Bowman recommended that Kilga inform EI Interactive and provided him contact information.
“Mr. Bowman told me: ‘This type of problem is significant and must be fixed immediately.’ He's 100% correct, it's not about what such a vulnerability offers to the untrained hacker, it's about 'a type of security hole' which can lead to abuses if a person is skilled and evil minded,” Kilga explained.
“After notifying EI I got a response from Mr. Rask, informing me that the executive GM will contact me shortly. This never happened.”
So what did he do then?
“I waited 60 days,” he said, “then I published it and I informed you.”
Ed Andercheck of EI Interactive/Pixel Magic saw this in a different light.
“[The SOAP vulnerability is] a non-event from the standpoint of security,” Andercheck told MMORPG.com. “It’s being closed.”
He noted that the hole only allows players to change their own accounts, and mostly only information they could have changed anyway. He told us that it was opened when the billing changed from IPlay to PayByTouch.