Sony Online / Lithium / Matrix Online Forums Privacy Exploit
Few have much nice to say about Sony Online Entertainment. I will say that they try to give a decent product to their clients. Sometimes they succeed. Sometimes they excel (and then ruin it by changing it).
However, this post is about Sony Online Entertainment not protecting user privacy. You need to know how to protect yourself, since they have chosen not to.
I sent a detailed email to SOE explaining how users can log on to the Sony Online Matrix Online forums as other users and even administrators (and some were already doing so). It should be noted that I also sent this same information through the Sony Online Matrix Online Forum system as a Private Message to Walrus (he is essentially the head honcho for the gaming community relating to The Matrix Online). I never received a response, so I sent an email to Bruce Economy, since his was the highest-up email address I could find.
Here is the content of the email:
From: John Hasson [mailto:john@unigrep.com]
Sent: Monday, December 05, 2005 10:49 AM
To: Economy, Bruce
Subject: Found big exploit on forums (by accident even) -- Matrix Online -- can log in as admin or other user
Here is how it goes.
On my sig... I track the referring URL.
The recent list can be seen at http://mxoHouston.com
When someone is replying to a post with my sig the system passes their sessionId in the URL.-- (If they are logging in to reply to the message)
You will see something like this... the sessionServerID is what gets ya.
......action=view_main&id=11711&t=inbox&sessionServerID=JpVq3Ykr7cAfd%3FC0
If you click on that link with the SessionID around the same time period they have logged in then you are logged in as if you are them.
I noticed it by accident when I accidentally posted a reply as Harpalos
http://mxoboards.station.sony.com/matrix/board/message?board.id=mission&message.id=2076#M2080
I quickly edited it of course...
And tracked down what happened.
Suggestion:
Have the board set a cookie without passing the sessionId along the URL. That way it can't be taken advantage of.
If this is not fixed.. someone could log in as an Admin or a Moderator
If you can't fix it... I suggest making sure that the Admins or Mods log in first using the standard login link on the main page before they start replying to messages. But players will still be able to take over each other's forum accounts.
John Hasson
john@unigrep.com
From: Economy, Bruce [mailto:beconomy@soe.sony.com]
Sent: Monday, December 05, 2005 11:58 AM
To: John Hasson
Subject: RE: Found big exploit on forums (by accident even) -- Matrix Online -- can log in as admin or other user
Hello,
Thanks for sending this to me. I’ll get it passed on to the right group.
Sincerely,
Bruce W Economy
Senior CS Supervisor
Star Wars Galaxies - Planetside - Matrix Online
Sony Online Entertainment
beconomy@soe.sony.com
http://www.station.sony.com/
I thought, OK, great. They will tell Lithium (who makes the forum software) and they will get it fixed.
Well, between then and now, I was banned. A few weeks later I got permission to come back. The game just wasn't the same anymore, and I eventually left again.
For those wondering if this is why I got banned: it isn't. It may have caused them to put a "watch" on my account, but I was banned for something else (that will go in a future post).
Well, five months later it STILL isn't fixed. So I figured I'd send one more email to Bruce to see if he can light a fire under someone to protect people's privacy.
Here is the message that I sent today.
From: John Hasson
Sent: Thursday, May 18, 2006 3:50 PM
To: 'Economy, Bruce'
Subject: RE: Found big exploit on forums (by accident even) -- Matrix Online -- can log in as admin or other user
And here is the reply... well, not much of a reply :)
Economy, Bruce on 5/18/2006 3:49 PM
The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
...<beconomy@soe.sony.com>... User unknown>
This means one of two things. Either Bruce no longer works there, or he changed his email address because too many
To summarize:
SOE has known about this privacy breach for 5 months now. That is plenty of time for them to fix it. So I am posting here to tell users of Lithium forum software how to protect themselves.
NEVER LOG IN WHEN REPLYING TO A MESSAGE. EVER!
Only log in from the main page and then browse the forums and reply after you have logged in.
Three possible ways for Lithium or SOE to fix it:
1) Don't pass the session ID in the URL before it has been set as a cookie.
2) Don't allow users to link to external images for their forum signatures
3) Don't link to external images/links when processing a login
There may be other ways to fix it, but any of those will work.
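The leak described above shows up in the access log of whatever external host serves the signature image: the forum URL, session token included, arrives in the Referer header. As an added defender-side example (not from the original post, SOE, or Lithium), this Python script scans combined-format access log lines for Referer URLs whose query string carries a session parameter and reports them with the token redacted, so an operator can confirm the exposure without keeping reusable tokens in a report. The `sessionServerID` name comes from the post; the other parameter names, the log format, and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Query-string names that carry a login session. "sessionServerID" is the
# name seen in the leaked Lithium URLs; the rest are assumed common names.
SESSION_PARAMS = {"sessionserverid", "sessionid", "jsessionid", "phpsessid"}

# Apache/nginx "combined" log format. The Referer field (second quoted
# string after status and size) is where the forum URL ends up.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines: one leaking a (fake) session token, one with a
# harmless referer, one with no referer at all.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Dec/2005:10:31:07 -0600] "GET /sig.png HTTP/1.1" 200 4120 '
    '"http://mxoboards.station.sony.com/matrix/board/post?board.id=mission'
    '&action=view_main&id=11711&t=inbox&sessionServerID=EXAMPLEtoken123" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Dec/2005:10:32:44 -0600] "GET /sig.png HTTP/1.1" 200 4120 '
    '"http://mxoboards.station.sony.com/matrix/board/message?board.id=mission'
    '&message.id=2076" "Mozilla/5.0"',
    '192.0.2.77 - - [05/Dec/2005:10:33:01 -0600] "GET /sig.png HTTP/1.1" 200 4120 '
    '"-" "Mozilla/5.0"',
]


def redact(token: str) -> str:
    """Keep a two-character prefix so entries can be correlated but not replayed."""
    return token[:2] + "***"


def find_session_leaks(log_lines):
    """Return (referer host, parameter name, redacted value) for every log line
    whose Referer query string contains a session parameter."""
    leaks = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("referer") in ("", "-"):
            continue
        parts = urlsplit(m.group("referer"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SESSION_PARAMS:
                leaks.append((parts.netloc, name, redact(value)))
    return leaks


if __name__ == "__main__":
    for host, name, value in find_session_leaks(SAMPLE_LOG):
        print(f"session leak via Referer from {host}: {name}={value}")
```

Any hit means the forum is still putting a live session token in URLs that browsers will forward to third parties; the fix belongs on the forum side (cookie-only sessions), not in the log reader.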
What's really sad is that this is not a very elaborate exploit.