Alex, please start thinking about platform security.


Blutarch Mann

40 minutes ago, Alex said:

At this time, I don't see any evidence that anyone "new" accessed @Leo the Great's account. Certainly, there is no evidence of any "hacking" (which isn't really possible, at least not directly through the game. I, obviously, cannot control who you tell your password to or give access to your account to of course.)

J4I8.png

Here is you admitting there was a security flaw with your website where files were being downloaded to users' computers by simply visiting a nation page in game. This occurred at the same time as this Leo hack. This flaw has since been fixed, from what we can tell.

I would expect you to understand what this means, but you prefer to play dumb every time we report something that requires you to put work in unless we have a smoking gun (and even then, that doesn't always work), so I'll spell it out for you:

A user was distributing malware on your web site. You were aware of this, and took action to remove it.

Another user on that website immediately did a bunch of incredibly odd things (sending away his resources, booting 80 people from his alliance), then reports it when he logs on again.

The logs show that all the actions occurred from the user's IP address, yes?

You're a computer science guy, so I assume you know what RAT malware is.

Connect the dots, dude. It's obvious that these two incidents are connected, because whatever was downloaded was a RAT, and was used to do the reported incident in this thread.

Additionally, when GOONS started changing our passwords for security reasons, we found out something absolutely abhorrent:
Your password changing system does not force log out all old sessions 100% of the time.

This is a severe breach of security. If my password is compromised, I can't do anything about it after changing my passwords except hoping that the people who are logged into my account accidentally delete their cookies.

What is wrong with you, @Alex? This is basic info security stuff you should know being a veteran site webhost.

Edited by Blutarch Mann

1 minute ago, Alex said:

There was not a security flaw with the website. A user chose to link to a city image from a sketchy website which was identified by anti-malware software as malicious. Most likely, it was malicious in that it attempted to infect the user's site with a trojan computer virus. I determined that there was no reason to believe that the user did this intentionally, and that most likely it was the result of looking up city images via Google Images or similar and copying a URL to an image from a sketchy Vietnamese website.

Your website allowing straight embeds like that allowed the drive-by download you described to happen. You have the forums make a sanitized embed of the image via imageproxy.php. Why didn't you implement this on the game part of the website when you clearly had time to implement it on the forums for this very reason? Letting users arbitrarily embed web pages with no backing, even if it is just an "innocent" image, is absurd. This is still a security flaw on your end.

5 minutes ago, Alex said:

We already have proof that the user who was "hacked" had given their credentials to a banking script that was configured to make bank withdrawals and kick inactive users. Sure, another player probably abused the script UI to get the "hacked" player's nation to do some things that weren't intended when the script was set up, but that's the fault of whoever made the script in the first place and the player who allowed their credentials to be used for it. There's no evidence to suggest that the player was infected by a trojan virus which was used to screw up their Politics & War nation.

An account breach is an account breach. A user has to pay you money to reset their API key if their API key is leaked or used in a compromised script, such as this one.

mJbn.png

If I have to pay you money to fix API key account breaches, then you better not tell me it's not your fault when an API key account breach happens.

11 minutes ago, Alex said:

It's also entirely ridiculous to think that someone is creating trojan viruses and spreading them through the site to infect users' computers and get them to withdraw bank funds and kick users from the alliance. Like, completely absurd. If you were going to commit that much time and energy into "hacking" the game, why would you do it in this manner? Why wouldn't you just target my account and use it to generate whatever you wanted, or make a direct attack on the site? You're insane if you think that these things are related and someone went through this much effort to commit such meaningless, traceable, and reversible actions in-game.

I would normally agree that this seems absurd, but you have players in this game who personally have spent 3 thousand dollars on credits, so they claim.

As a software engineer myself, I've had to deal with situations where angry users try to tamper with small communities out of spite, anger, or just plain boredom. At Space Station 13, a user named rshoe homebrewed a hacking client for BYOND, a crappy 1999-era game engine, just so that he could grief a community of about 300-500 people. This guy spent a ton of time developing a specialized app just to inject into BYOND and grief ss13 servers. We've had to repeatedly patch the exploits he uses.

People on the internet can get crappy, dumb, and incredibly obsessive over perceived slights, and will definitely do incredibly illegal things with security breaching to get revenge.

Additionally, the reason nobody targets your account is because you're the administrator. You've got enough back-end access that you can make your account physically unable to log in unless it's coming from your computer and your IP address. I routinely set this up on game servers I run to ensure that even if my passwords are compromised, someone can't break into my game servers and set up spyware for users. Speaking of password compromising,

15 minutes ago, Alex said:

There is no breach of security. Your password is not compromised, and all passwords are stored using the latest hashing algorithms. Believe it or not, Politics & War is set up very securely, thanks to ss23 who has far more experience than I do on the matter. For example, the forum isn't even hosted on the same server as the game so that if there was ever even a forum software vulnerability, it wouldn't impact the game whatsoever. You are spreading panic and false rumors, either out of stupidity or plain malicious intent to hurt the game's reputation through fearmongering.

I see a lot of talk about how awesome your password hashing is thanks to SS23.

You know what I don't see?

Anything addressing the security flaw I brought up.

You know, the one where changing your password doesn't sign out all your other sessions on that account.

26 minutes ago, Blutarch Mann said:

Your password changing system does not force log out all old sessions 100% of the time.

This is a severe breach of security. If my password is compromised, I can't do anything about it after changing my passwords except hoping that the people who are logged into my account accidentally delete their cookies.

You can accuse me of fear mongering all you want, but it doesn't change the fact that you just completely glossed over the specific issue I highlighted for you in bold text to ramble for 4 paragraphs about how the security breach that let users drive-by download files isn't your fault, and how awesome your hashing algorithm is.

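A way to make a password change invalidate every other session on the account, as an added example in Python that is not the site's code: each user record carries a password generation counter, every session is stamped with the generation current at login, and a session whose stamp no longer matches is refused (and discarded) the next time it is used. The in-memory stores, the PBKDF2 parameters and the function names are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stores standing in for the site's user and session tables.
USERS = {}     # username -> {"salt": bytes, "pw_hash": bytes, "pw_generation": int}
SESSIONS = {}  # session id -> {"user": str, "pw_generation": int}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count chosen for the example; tune it for production hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash_password(password, salt), "pw_generation": 1}


def login(username: str, password: str) -> Optional[str]:
    """Issue a session cookie value stamped with the password generation current at login time."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "pw_generation": user["pw_generation"]}
    return sid


def session_user(sid: str) -> Optional[str]:
    """Resolve a cookie to a user; sessions minted before the latest password change are rejected."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if sess["pw_generation"] != USERS[sess["user"]]["pw_generation"]:
        SESSIONS.pop(sid, None)  # stale: drop it so the old cookie can never be replayed later
        return None
    return sess["user"]


def change_password(sid: str, old_password: str, new_password: str) -> bool:
    """Rotate the credential and bump the generation, which invalidates every other live session."""
    username = session_user(sid)
    if username is None:
        return False
    user = USERS[username]
    if not hmac.compare_digest(_hash_password(old_password, user["salt"]), user["pw_hash"]):
        return False
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash_password(new_password, user["salt"])
    user["pw_generation"] += 1
    # Re-stamp only the session that made the change, so the user stays logged in on this device.
    SESSIONS[sid]["pw_generation"] = user["pw_generation"]
    return True
```

Because the check happens on every request rather than by walking the session table at change time, it also covers sessions stored in a separate cache the password handler cannot see.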

17 minutes ago, Alex said:

You are spreading panic and false rumors, either out of stupidity or plain malicious intent to hurt the game's reputation through fearmongering.

Generally, resorting to conspiracy theory and insults is supposed to be beneath an admin.


  • Administrators
8 minutes ago, Blutarch Mann said:

Your website allowing straight embeds like that allowed the drive-by download you described to happen. You have the forums make a sanitized embed of the image via imageproxy.php. Why didn't you implement this on the game part of the website when you clearly had time to implement it on the forums for this very reason? Letting users arbitrarily embed web pages with no backing, even if it is just an "innocent" image, is absurd. This is still a security flaw on your end.

An account breach is an account breach. A user has to pay you money to reset their API key if their API key is leaked or used in a compromised script, such as this one.

mJbn.png

If I have to pay you money to fix API key account breaches, then you better not tell me it's not your fault when an API key account breach happens.

I would normally agree that this seems absurd, but you have players in this game who personally have spent 3 thousand dollars on credits, so they claim.

As a software engineer myself, I've had to deal with situations where angry users try to tamper with small communities out of spite, anger, or just plain boredom. At Space Station 13, a user named rshoe homebrewed a hacking client for BYOND, a crappy 1999-era game engine, just so that he could grief a community of about 300-500 people. This guy spent a ton of time developing a specialized app just to inject into BYOND and grief ss13 servers. We've had to repeatedly patch the exploits he uses.

People on the internet can get crappy, dumb, and incredibly obsessive over perceived slights, and will definitely do incredibly illegal things with security breaching to get revenge.

Additionally, the reason nobody targets your account is because you're the administrator. You've got enough back-end access that you can make your account physically unable to log in unless it's coming from your computer and your IP address. I routinely set this up on game servers I run to ensure that even if my passwords are compromised, someone can't break into my game servers and set up spyware for users. Speaking of password compromising,

I see a lot of talk about how awesome your password hashing is thanks to SS23.

You know what I don't see?

Anything addressing the security flaw I brought up.

You know, the one where changing your password doesn't sign out all your other sessions on that account.

You can accuse me of fear mongering all you want, but it doesn't change the fact that you just completely glossed over the specific issue I highlighted for you in bold text to ramble for 4 paragraphs about how the security breach that let users drive-by download files isn't your fault, and how awesome your hashing algorithm is.

I don't disagree with you that direct image linking like exists at some places in the game is a security vulnerability, and it's largely been displaced by direct image uploading (and the intent is to continue that universally across the game, we just haven't gotten there yet.) I didn't create the forum software image proxy, that's just part of the forum software.

As to the rest of your post, I'm not giving out API keys, if you give someone else your API key that's your fault. It specifically says on the page not to share your API key with anybody.

I'll also agree with you that changing your password should invalidate all other sessions, and I'll add it to my to-do list.

However, making some weird connection between a user who inadvertently had a trojan virus linked to their nation page and someone else who had a 3rd party tool with bugs is still ridiculously irresponsible.


Is there a bug? Report It | Not understanding game mechanics? Ask About It | Got a good idea? Suggest It

Forums Rules | Game Link

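One shape of the "sanitized embed" both sides of the thread refer to, as an added Python example rather than the game's or the forum software's own code: the server signs the proxy link it places in the page, fetches the upstream URL itself, and re-serves only bytes that verify as a raster image, so the visitor's browser never contacts the linked host. The endpoint name echoes the imageproxy.php mentioned above; the parameter names, the secret, the size cap and the accepted formats are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlencode, urlparse

# Constructed secret for this example; a real deployment loads it from server-side config.
PROXY_SECRET = b"example-only-proxy-signing-secret"
MAX_IMAGE_BYTES = 2 * 1024 * 1024

# Magic-byte prefixes of the raster formats the proxy is willing to re-serve.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sign(image_url: str) -> str:
    """HMAC over the upstream URL, so only links minted by this server are honoured by the proxy."""
    return hmac.new(PROXY_SECRET, image_url.encode(), hashlib.sha256).hexdigest()


def proxy_url(image_url: str) -> Optional[str]:
    """Rewrite a user-supplied image URL into a signed link to the site's own proxy endpoint.

    The page then carries /imageproxy.php?... in <img src>, never the user's URL,
    so the browser only ever talks to the game's origin.  (Parameter layout assumed.)
    """
    parts = urlparse(image_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # refuses javascript:, data:, file: and relative links outright
    return "/imageproxy.php?" + urlencode({"img": image_url, "key": sign(image_url)})


def verify_proxy_request(image_url: str, key: str) -> bool:
    """Server side: reject requests whose key was not produced by sign(), closing the open-proxy hole."""
    return hmac.compare_digest(sign(image_url), key)


def classify_fetched_bytes(body: bytes) -> Optional[str]:
    """Decide what the proxy may serve after fetching the upstream itself.

    The upstream Content-Type header is ignored; only the bytes decide.  An HTML page,
    an installer or an oversized blob is dropped instead of reaching the visitor.
    """
    if len(body) > MAX_IMAGE_BYTES:
        return None
    for magic, mime in IMAGE_SIGNATURES.items():
        if body.startswith(magic):
            return mime
    return None


def response_headers(mime: str) -> dict:
    """Headers for the re-served image: pin the type and forbid the browser from re-sniffing it."""
    return {
        "Content-Type": mime,
        "Content-Disposition": "inline",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "public, max-age=86400",
    }
```

The fetch itself is left to the web framework in use; the point is that whatever comes back goes through classify_fetched_bytes before a single byte is returned to the visitor.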

6 minutes ago, Alex said:

I don't disagree with you that direct image linking like exists at some places in the game is a security vulnerability, and it's largely been displaced by direct image uploading (and the intent is to continue that universally across the game, we just haven't gotten there yet.) I didn't create the forum software image proxy, that's just part of the forum software.

Good. Get this fixed.

6 minutes ago, Alex said:

I'll also agree with you that changing your password should invalidate all other sessions, and I'll add it to my to-do list.

Good. This also needs to be fixed.

6 minutes ago, Alex said:

However, making some weird connection between a user who inadvertently had a trojan virus linked to their nation page and someone else who had a 3rd party tool with bugs is still ridiculously irresponsible.

No. It is perfectly reasonable to make a connection between you reporting a malware incident on your website and an account breach incident within a short timespan.

6 minutes ago, Alex said:

As to the rest of your post, I'm not giving out API keys, if you give someone else your API key that's your fault. It specifically says on the page not to share your API key with anybody.

If someone grabs a user's password off of a dump, and logs in on their mobile device, they can grab your API key no problem.
Is it the user's fault that the password was breached? Yes.

Is it the user's fault that they can now never change their API key that was stolen without giving you money, or grinding for the money to pay for a new API key?

NO. That's your fault. API keys should be free to refresh. I should not have to pay you money to fully fix an account breach.

Edited by Blutarch Mann

  • Administrators
3 minutes ago, Blutarch Mann said:

Is it the user's fault that they can now never change their API key that was stolen without giving you money, or grinding for the money to pay for a new API key?

NO. That's your fault. API keys should be free to refresh. I should not have to pay you money to fully fix an account breach.

The API is a luxury, not a necessity. It is not integral for gameplay. I don't care if you don't get to use the API.


4 minutes ago, Alex said:

The API is a luxury, not a necessity. It is not integral for gameplay. I don't care if you don't get to use the API.

This seems like incredibly backwards thinking, but let's go with it for a second. Let's say New-B goes in, joins an alliance, and creates and gives out his API key, trusting in the website to keep him safe. Let's then say that what happened above happens to him. What recourse does he have to deal with a compromised key? He can't delete it, after all.

You are forcing people to pay you money for things that happen to them because of your own security problems.


  • Administrators
15 minutes ago, Erev said:

This seems like incredibly backwards thinking, but let's go with it for a second. Let's say New-B goes in, joins an alliance, and creates and gives out his API key, trusting in the website to keep him safe. Let's then say that what happened above happens to him. What recourse does he have to deal with a compromised key? He can't delete it, after all.

You are forcing people to pay you money for things that happen to them because of your own security problems.

image.png

No one should be giving out their API key in the first place, which is my point. If you give your API key to someone else, that's your fault.


6 minutes ago, Alex said:

image.png

No one should be giving out their API key in the first place, which is my point. If you give your API key to someone else, that's your fault.

So if you have an account breach occur via some method, be it your password stolen, PNW itself somehow being compromised, getting MiTM'd at a public hotspot, etc.

What is that user's recourse for his key getting stolen if the breacher chooses to copy it?

He can't disable his API key even if he doesn't care about using the API.

He can't get a new key without buying a credit.

Does the user deserve to just forever have their API key out there in the open where anyone can use it forever now?
Give us a way to either

1. reset our api key for free, be it on a weekly timer, or just one free refresh like with renames or whatever

2. disable our API key entirely if we don't give a crap about using the API

Edited by Blutarch Mann

  • Administrators
1 minute ago, Blutarch Mann said:

So if you have an account breach occur via some method, be it your password stolen, PNW itself somehow being compromised, getting MiTM'd at a public hotspot, etc.

What is that user's recourse for his key getting stolen if the breacher chooses to copy it?

He can't disable his API key even if he doesn't care about using the API.

He can't get a new key without buying a credit.

Does the user deserve to just forever have their API key out there in the open where anyone can use it forever now?

No, there should probably be a delete key option. But, it hasn't been an issue to this point, and it's a relatively low priority for me.


9 minutes ago, Alex said:

No, there should probably be a delete key option. But, it hasn't been an issue to this point, and it's a relatively low priority for me.

Cool, thanks.

That's all three security concerns handled, reported, and acknowledged by you with a game plan to fix them. Great work. Thanks for exceeding expectations. See you around.

Edited by Blutarch Mann

Guest Elijah Mikaelson

Anyone worried about their API key: 22m on the trade market, problem solved, won't even cost you real money. Or be smart and do not give it out :)


2 minutes ago, Bjorn Ironside said:

Anyone worried about their API key: 22m on the trade market, problem solved, won't even cost you real money. Or be smart and do not give it out :)

That credit on the market was still purchased with cash by a player at some point, and "not giving it out" doesn't work in the event of security breaches as mentioned before.

Edited by Blutarch Mann

Guest Elijah Mikaelson
2 minutes ago, Blutarch Mann said:

That credit on the market was still purchased with cash by a player at some point, and "not giving it out" doesn't work in the event of security breaches as mentioned before.

People buy credits because they want a boost, be it avoiding city timers or getting cash; they did not buy them with resetting the API in mind.

I agree that the security breaches need fixing; I disagree that Leo was infected by anything or that anyone did it to him. I personally do not click other images people put in cities or such, so I am never affected by these sorts of issues.


Just now, Bjorn Ironside said:

I personally do not click other images people put in cities or such, so I am never affected by these sorts of issues.

For the record, you wouldn't have needed to click anything. The issue with the compromised image that Alex mentioned in that Discord screenshot is that if you navigated to the nation's page, it would immediately load the fake image and trigger the download. Drive-by attacks like that are fairly common on malicious websites.


Guest Elijah Mikaelson
37 minutes ago, Blutarch Mann said:

For the record, you wouldn't have needed to click anything. The issue with the compromised image that Alex mentioned in that Discord screenshot is that if you navigated to the nation's page, it would immediately load the fake image and trigger the download. Drive-by attacks like that are fairly common on malicious websites.

OK, I did not know that, and that's insane that people are able to do that.

@Alex, is there any way we are able to disable custom images until this is sorted? I personally do not want to visit someone's page and find it tries to download something.


54 minutes ago, Bjorn Ironside said:

OK, I did not know that, and that's insane that people are able to do that.

@Alex, is there any way we are able to disable custom images until this is sorted? I personally do not want to visit someone's page and find it tries to download something.

Just install Avast or another firewall, and it's also good practice to run a noscript extension. That should keep you reasonably safe.


2 hours ago, Sir Scarfalot said:

Just install Avast or another firewall, and it's also good practice to run a noscript extension. That should keep you reasonably safe.

This does nothing in certain circumstances. That big Windows security breach yesterday was a bug that let hijackers completely fool the cryptography libraries, which are critical for AVs to work properly.


  • Alex locked this topic
This topic is now closed to further replies.