Saturday, March 19, 2011

RIFT Executive Producer Scott Hartsman addresses login validation bug

In the wake of Friday's update to fix the player-discovered bug with login validation between the Rift client and server, Executive Producer Scott Hartsman posted the following statement:

Weekend Security Update

Hi, everyone -- I wanted to get an update out for the weekend after the last day of excitement around here.

On last night's fix -- I'm very happy to confirm that we did fix a login vulnerability, with significant assistance from an extremely clever user.

The root cause was a very subtle bug in error checking of our login validations deep in the server code. No personal information or any such was leaked out, and no outside attacker penetrated our servers, networks, or databases.

We'd definitely like to thank Mr. ManWitDaPlan for the well-timed assist. Sir, we salute you and offer our most heartfelt thanks.

The rest of what I'd like to add isn't to detract from the above well-deserved compliment, but it's important to include in the comprehensive picture.

The sobering fact is that account security remains a multifaceted issue, as attacks from other sources continue.

It's important to remember that while a hole was identified and fixed as rapidly as we possibly could, there are still hackers and botnets trying account/password combinations from compromised web sites and past MMOs.

They are doing this right now. Those attacks have been coming constantly since we launched the game. The only things that change are how many hundreds of computers are trying to get into your account at any given moment, where they're coming from, and how many are succeeding.

We do block them as they are detected, but the fact that they are using distributed botnets (compromised computers from across the globe) means that this will remain something that we will continue keeping an eye on, forever.

For users getting hacked this way, Coin Lock is currently doing its job protecting people's belongings, provided that your RIFT password and email password are both complex and entirely different.

Both the login fix and the Coin Lock addition have been doing their part in significantly reducing overall incidents over the last 18 hours.

Neither one is a silver bullet, but so far it is looking to be a solid one-two punch for the weekend.

Then, with two-factor authentication coming very soon, we expect security to be improved even further.

All totalled up, under 1% of accounts with characters have had characters impacted. However, 1% of a surprisingly large number is still very noticeable.

Our staff has been, and will continue to be, working around the clock to get those impacted back in shape. We'll continue hiring on even more people to help people with issues of all kinds, as quickly as we can. (Another round of hires begins on Monday, and there will be even more to follow.)

As always, thanks very much for your time, your attention, your assistance, and your patience!

- Scott Hartsman
Exec Producer, RIFT

Hartsman's statement makes clear the magnitude of the support issue created by the bug. He indicated that there is a backlog of people waiting on Customer Support to repair the damage to their characters inflicted by the hijackers. The total number of people affected could number in the low thousands, but the exact figure is unknown as Trion has not released numbers for its player base.

ZAM followed up with an extensive interview of the player who discovered and reported the security bug: Ex-Hacker Finds RIFT Account Flaw, Talks to ZAM

Trion Worlds patches security hole in Rift

On Friday a member of the Rift player community with the handle ManWitDaPlan discovered an exploit in the login protocol for Rift which allowed the Rift client to access accounts without authentication. He promptly contacted Trion's technical staff directly with the details of the exploit. An update to the game was released Friday evening which closed the hole.

Shortly after Trion learned of the exploit, James "Elrar" Nichols, Assistant Community Manager, posted this statement:

We have some things in the works right now and have been passing on your feedback, concerns, and thoughts throughout the day (no matter how radical or unlikely).

Sharing sensitive information about our actions (no matter how broad) naturally also informs those carrying out these attacks. This puts us in a tight spot with how much information we can provide, and the questions we can answer.

Apologies we can't be more forthcoming at this time, but we appreciate your understanding - it's always our goal to ensure you can play and enjoy the game securely, and unfettered.

Later in the evening ManWitDaPlan posted:

Got word back from Steve Chamberlin, the development lead for Rift. This hole is sealed...the issue I found is no more.

In recent days the official forums had seen a marked increase in the number of complaints of hijacked accounts—players wrote of logging in to find their characters broke, or naked, or missing. Some players wrote of struggling with the hijackers over control of their accounts.

The closing of this security hole and the recent implementation of the Coin Lock feature should sharply reduce the number of hijacked accounts.

The login exploit and the resulting hijacked accounts are the first blemish on what had until now been a very smooth and successful launch by Trion.

Trion's response to the report of the exploit was very quick: only a few hours elapsed on Friday between when Trion first learned the details of the exploit and the server restart for the update which closed the hole.

Update: On Saturday, RIFT Executive Producer Scott Hartsman posted a statement addressing the situation.