Saturday, March 19, 2011

RIFT Executive Producer Scott Hartsman addresses login validation bug

In the wake of Friday's update to fix the player-discovered bug with login validation between the Rift client and server, Executive Producer Scott Hartsman posted the following statement:
Weekend Security Update

Hi, everyone -- I wanted to get an update out for the weekend after the last day of excitement around here.

On last night's fix -- I'm very happy to confirm that we did fix a login vulnerability, with significant assistance from an extremely clever user.

The root cause was a very subtle bug in error checking of our login validations deep in the server code. No personal information or any such was leaked out, and no outside attacker penetrated our servers, networks, or databases.

We'd definitely like to thank Mr. ManWitDaPlan for the well-timed assist. Sir, we salute you and offer our most heartfelt thanks.

The rest of what I'd like to add isn't to detract from the above well-deserved compliment, but it's important to include in the comprehensive picture.

The sobering fact is that account security remains a multifaceted issue, as attacks from other sources continue.

It's important to remember that while a hole was identified and fixed as rapidly as we possibly could, there are still hackers and botnets trying account/password combinations from compromised web sites and past MMOs.

They are doing this right now. Those attacks have been coming constantly since we launched the game. The only thing that changes are how many hundreds of computers are trying to get into your account at any given moment, where they're coming from, and how many are succeeding.

We do block them as they are detected, but the fact that they are using distributed botnets (compromised computers from across the globe) means that this will remain something that we will continue keeping an eye on, forever.

For users getting hacked this way, Coin Lock is currently doing its job protecting people's belongings, provided that your RIFT password and EMail password are both complex and entirely different.

Both the login fix and the Coin Lock addition have been doing their part in significantly reducing overall incidents over the last 18 hours.

Neither one is a silver bullet, but so far it is looking to be a solid one-two punch for the weekend.

Then, with two-factor authentication coming very soon, we expect security to be improved even further.

All totalled up, under 1% of accounts with characters have had characters impacted. However, 1% of a surprisingly large number is still very noticeable.

Our staff has been, and will continue to be, working around the clock to get those impacted back in shape. We'll continue hiring on even more people to help people with issues of all kinds, as quickly as we can. (Another round of hires begin on Monday, and there will be even more to follow.)

As always, thanks very much for your time, your attention, your assistance, and your patience!

- Scott Hartsman
Exec Producer, RIFT
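Hartsman's statement describes two distinct problems: a fixed server-side validation bug, and ongoing credential replay by distributed botnets that is blocked "as they are detected," with Coin Lock as the safety net for accounts that do get in. The example below is added here to show what that detection looks like on the defender's side; it is not Trion's code, and the log format, the sample lines, the IP addresses (documentation ranges), and the thresholds are all constructed assumptions. It separates a single user mistyping a password (one account, one IP) from a botnet running down a leaked username/password list (many accounts across many IPs in one window), and it lists successful logins that look like list replays as candidates for a Coin Lock-style hold rather than a ban.

```python
"""Credential-stuffing triage over a constructed login log (added example, not RIFT code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. The 'ts acct=X ip=Y result=OK|FAIL' format is an
# assumption for this example; the IPs come from documentation-only ranges.
SAMPLE_LOG = """\
2011-03-18T22:00:01 acct=alice ip=192.0.2.10 result=FAIL
2011-03-18T22:00:09 acct=alice ip=192.0.2.10 result=OK
2011-03-18T22:01:00 acct=bob ip=203.0.113.5 result=FAIL
2011-03-18T22:01:02 acct=carol ip=203.0.113.5 result=FAIL
2011-03-18T22:01:03 acct=dave ip=198.51.100.8 result=FAIL
2011-03-18T22:01:05 acct=erin ip=198.51.100.9 result=FAIL
2011-03-18T22:01:07 acct=frank ip=203.0.113.6 result=FAIL
2011-03-18T22:01:09 acct=grace ip=203.0.113.6 result=OK
2011-03-18T22:01:11 acct=heidi ip=198.51.100.8 result=FAIL
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    account: str
    src_ip: str
    success: bool


def parse_log(text):
    """Parse the hypothetical log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, ip, result = line.split()
        events.append(LoginEvent(
            datetime.fromisoformat(ts),
            acct.split("=", 1)[1],
            ip.split("=", 1)[1],
            result.split("=", 1)[1] == "OK",
        ))
    return events


def _window_start(ts, window):
    """Floor a timestamp to the start of its fixed-size window."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // window) * window


def stuffing_windows(events, window=timedelta(minutes=10), min_accounts=5, min_ips=3):
    """Return windows whose failures span many accounts AND many source IPs.

    A user mistyping a password fails on one account from one IP. A botnet
    replaying a leaked credential list fails across many accounts from many
    IPs in the same window; that combination is what gets flagged.
    """
    per_window = defaultdict(lambda: {"failures": 0, "accounts": set(), "ips": set()})
    for e in events:
        if e.success:
            continue
        bucket = per_window[_window_start(e.ts, window)]
        bucket["failures"] += 1
        bucket["accounts"].add(e.account)
        bucket["ips"].add(e.src_ip)
    flagged = []
    for start, b in sorted(per_window.items()):
        if len(b["accounts"]) >= min_accounts and len(b["ips"]) >= min_ips:
            flagged.append({"window_start": start, "failures": b["failures"],
                            "accounts": len(b["accounts"]), "ips": len(b["ips"])})
    return flagged


def likely_hijacks(events, window=timedelta(minutes=10)):
    """Successful logins from an IP that also failed against OTHER accounts in the window.

    A list-replaying bot tries many accounts per IP; the one it succeeds on is
    the compromised account. A legitimate user's IP normally fails only on its
    own account. The output is a candidate list for a hold (Coin Lock-style),
    not grounds for a ban: shared NATs can produce false positives.
    """
    failed_on = defaultdict(set)  # (window, ip) -> accounts that IP failed on
    for e in events:
        if not e.success:
            failed_on[(_window_start(e.ts, window), e.src_ip)].add(e.account)
    hits = []
    for e in events:
        if e.success:
            others = failed_on[(_window_start(e.ts, window), e.src_ip)] - {e.account}
            if others:
                hits.append((e.account, e.src_ip, sorted(others)))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for w in stuffing_windows(evs):
        print("credential-stuffing window:", w)
    for acct, ip, others in likely_hijacks(evs):
        print(f"hold candidate: {acct} from {ip} (same IP failed on {others})")
```

On the sample data the 22:00 window is flagged (7 failures across 7 accounts from 5 IPs), alice's own typo-then-success is left alone, and grace's login from 203.0.113.6 is listed for a hold because that IP had just failed against frank. The thresholds are deliberately low for a nine-line sample; on a real login stream they would be tuned against the normal failure rate, and as the statement notes, holds only protect belongings when the account's e-mail password is not the same one that leaked.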

Hartsman's statement makes clear the magnitude of the support issue created by the bug. He indicated that there is a backlog of people waiting on Customer Support to repair the damage to their characters inflicted by the hijackers. The total number of people affected could number in the low thousands, but the exact figure is unknown as Trion has not released numbers for its player base.

ZAM followed up with an extensive interview of the player who discovered and reported the security bug: Ex-Hacker Finds RIFT Account Flaw, Talks to ZAM
