Editor’s Note: While the opinions of our writers/collaborators are entirely their own, most of these claims are common knowledge for any decent web programmer. Whether or not it was the author’s intention to discredit CCP’s hard work (we deny any relation, affiliation or common intention), we did find the compromised information a grave mistake in web security practices, which is why we decided to syndicate this article, published entirely on the principle of informing our readers.
As you should all be aware of by now, the new EVE forums have been taken down and the old ones reactivated. You may also know I was somewhat involved in blowing the whistle on the security failures (I was obviously not alone in this) and was one of the people who got to take a look at the security failure before the plug got pulled.
Multiple people have contacted me asking for a more in-depth explanation of what happened, so I am writing this post for everyone, possibly at the risk of my EVE account.
DISCLAIMER: I am not a computer security professional, I am not the person that found out how to do these things, I am not a hacker or a coder. That said I do have a functional knowledge of some things as they pertain to what transpired here. I am writing this post to inform and warn, and to show exactly what sort of danger CCP’s lack of best practices has put their users into.
So what happened then?
To answer this question, we will first need to look at what the new forums ARE, and look at the TWO security errors that caused the demise of the forum.
In short, CCP did not make these new forums; they built them on top of a free, open-source forum system called “Yet Another Forum”, or YAF for short. YAF is a pretty common forum system to use when you cannot run the more usual PHP-based forum software such as the ubiquitous phpBB because you are on Windows systems. CCP is, at the core, a Microsoft-fuelled company: their use of Python for the game is the exception to the rule, and everything else runs on Microsoft products (MSSQL, ASP.NET, IIS 7.0), which means they HAVE to use a forum system that runs on Active Server Pages.
There is nothing inherently more, or less, secure about using an ASP solution rather than a PHP solution, mind you; the above is just to illustrate that CCP did not “develop” anything. They only adapted an existing forum and added a new look.
And this is where the problems begin.
Because they cannot use the normal user management system (i.e. you register an account on the forum, and then you can start posting) they had to disable it and implement a solution of their own. And they failed at it miserably.
The second problem is code injection. As it turns out, YAF has a vulnerability in this regard which allows a crafty person to inject pretty much any code they want into the signature field. Since the forum did not properly block the inclusion of code, this puts the users of the forums at risk of a variety of common cracker techniques to obtain personal data, hijack your browser, potentially install malware, or simply manipulate you into divulging personal data. I will examine this in the second half of this post.
The great irony here is that THESE FLAWS WERE REPORTED during testing, and the only reason we even found them, was because we wanted to find a way to put pictures in our signatures.
I am not who I appear to be.
I do not really want to show people how this stuff was done, the damage is grave enough as it is, but in order for people to understand the scope and magnitude of this failure I will need to discuss some of the details.
When you log in to the new forums, your credentials are checked, and when they are approved a cookie is sent to your computer which will maintain your login session. This is pretty standard and in itself not insecure. But as I mentioned before, the normal user management was disabled by CCP, to allow them to let you post as your character instead.
(Image: The offending bit of cookie)
How they did this was to include a line in the cookie with your EVE character ID number after logging in. When you make a post, the system looks up this character ID number and then posts as the corresponding character. Sounds ok, right?
But wait.
As it turns out, the system DOES NOT CHECK if the character ID you send to the server actually belongs to the account you logged in as. That’s right, you could put ANY valid character ID in the cookie and assume their identity. This is what Catari used to impersonate other posters, and eventually escalate his user privileges giving him access to moderator functions and forums which are normally invisible.
This is a COCKUP of monstrous proportions; I have no other words for it. To allow forum access rights to be defined by a single, alterable, human-readable string in a cookie, without having it checked against a database, is truthfully so incompetent that someone should be fired.
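The flaw described above is a server trusting an identity value that the client supplies. The following is an added example, not code from CCP or from YAF, showing that pattern beside the check the post says was missing: the cookie carries only an opaque session token, the server maps that token to the logged-in account, and the requested character ID is accepted only if that account owns it. Account IDs, character IDs, names and the cookie names `session` and `characterId` are constructed sample values.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed sample data standing in for the account database:
# which characters belong to which login account.
ACCOUNT_CHARACTERS = {
    "acct-1": {1001, 1002},
    "acct-2": {2001},
}
CHARACTER_NAMES = {1001: "Pilot A", 1002: "Pilot B", 2001: "Pilot C"}

# Server-side session store: opaque random token -> account id.
# The browser only ever holds the token, never the identity it maps to.
SESSIONS = {}


def login(account_id):
    """Issue a session token after credentials were verified (verification omitted here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def resolve_poster_vulnerable(cookie_header):
    """The pattern the post describes: the characterId in the cookie is trusted as-is,
    with no link back to the account that actually logged in."""
    cookie = SimpleCookie(cookie_header)
    return CHARACTER_NAMES[int(cookie["characterId"].value)]


def resolve_poster(cookie_header):
    """Return (True, character_name) when the requested character belongs to the
    account identified by the session token, otherwise (False, reason)."""
    cookie = SimpleCookie(cookie_header)
    session = cookie.get("session")
    requested = cookie.get("characterId")
    if session is None or requested is None:
        return (False, "missing cookie")
    account_id = SESSIONS.get(session.value)
    if account_id is None:
        return (False, "no valid session")
    try:
        character_id = int(requested.value)
    except ValueError:
        return (False, "malformed character id")
    # The check the forum lacked: the character must be one this account owns.
    if character_id not in ACCOUNT_CHARACTERS.get(account_id, set()):
        return (False, "character not owned by this account")
    return (True, CHARACTER_NAMES[character_id])


if __name__ == "__main__":
    token = login("acct-1")
    print(resolve_poster(f"session={token}; characterId=1001"))  # own character: accepted
    print(resolve_poster(f"session={token}; characterId=2001"))  # someone else's: rejected
```

Signing the cookie (for example with an HMAC) would stop silent edits, but it does not replace the ownership check: the identity used for posting, and any moderator rights derived from it, must be decided from the server-side session, not from a value the browser sends back.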
The only positive thing here is that this particular thing did not endanger you.
Unfortunately the same is not true of the second flaw.
The new forums put at risk every single person that used them.
(Image: Where we’re going, we don’t need security)
I cannot put this in any clearer terms.
While CCP may say your user account was never at risk, they completely fail to mention that the computer of everyone that visited their forums most definitely WAS. I will tell you why.
As I mentioned, the second vulnerability allowed people to insert code into their signatures. Any code they could have wanted: HTML, CSS, even JavaScript. This presents a vast multitude of potential vectors by which the computers of persons with inadequate protection could have been compromised.
CCP’s login server was indeed not at risk. BUT YOU WERE.
Why you ask? Because anyone with the skill to do so could have altered the page you were looking at provided they had a post in the thread you had on your screen.
We KNOW it was possible to insert CSS (Cascading Style Sheets) code into the signatures; this code defines how the page looks. It could have been used to add, alter or remove almost anything from the page.
Example: The missing sidebar.
You may have noticed the normal EVE-online sidebar does not appear on the new forum, a skilled coder could have inserted code into his signature to place a sidebar where previously there was none… except that the “account management” link in that sidebar would not take you to the real thing, rather it would take you to a visual copy of the actual page.
Congratulations, you have just entered your EVE Online login (and possibly your credit card number) into a fake site belonging to a hacker. Someone is now going to Hawaii on your money.
Example: Login?
Using JavaScript and Ajax in his signature, a criminal has replaced the text reading “logged in” at the top of the page with two boxes: Username and Password. A popup now informs you your login has expired and you need to log in again.
Congratulations, you have just given a cracker your EVE account login, expect your isk to be gone within the hour, and I really hope you don’t use the same password for your email as you do for EVE.
Example: Install this plugin.
Again using JavaScript, you are informed you need to install a new plugin to properly use these fancy new forums. Anyone with a brain would not click yes… right?
Wrong, hundreds of people will just click yes and install whatever is offered… after all, this is from a legit source, right? Wrong.
Congratulations, you now have a keylogger on your system, and if you’re not running very up to date security software, someone will be buying ten tubs of lube and a deluxe set of golden dildoes off your account within the day.
Example: outdated browser
Let’s say you are not using the most modern and secure browser available… there are dozens and dozens of security holes in outdated software, some of which can allow others to hijack your browser or install spyware/malware on your computer and use said computer (or your personal data) for ill.
Now let’s say you work at a place that doesn’t run very new versions of stuff… like a call center.
Congratulations, you now have a trojan on your system and the person that put it there can do whatever they please to and with your computer.
The list goes on and on. You may think this is hyperbole, but things like this DO happen every day on the internet; and by having a forum that is so deeply flawed as to allow people to insert whatever code they like into the page, CCP has put everyone at risk of these manipulations.
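Every scenario above starts from the same root cause: signature text is written into other users’ pages as raw markup. The usual fix is to treat a signature as untrusted input and keep only an allowlist of harmless tags and attributes, dropping `<script>` and `<style>` blocks, event-handler attributes and non-http(s) URLs. The sanitizer below is an added example written for this post, not code from YAF or CCP; the tag allowlist and the sample signatures are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: tag -> attributes permitted on it. Anything not listed is dropped.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "br": set(),
    "img": {"src", "alt"},
    "a": {"href"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"src", "href"}
REQUIRED_ATTR = {"img": "src", "a": "href"}   # drop the tag if its URL was rejected
SKIP_CONTENT = {"script", "style"}           # drop these tags AND the text inside them


def _safe_url(value):
    """Accept only absolute http(s) URLs; rejects javascript:, data:, and control-char tricks."""
    cleaned = "".join(ch for ch in value if ord(ch) >= 0x20).strip()
    parts = urlparse(cleaned)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


class SignatureSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []    # allowed tags still awaiting their closing tag
        self.skipping = None   # set while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in SKIP_CONTENT:
            self.skipping = tag
            return
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:
            return  # unknown tag is dropped; its text still arrives via handle_data
        kept = {}
        for name, value in attrs:
            if name not in allowed or value is None:
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept[name] = value
        if tag in REQUIRED_ATTR and REQUIRED_ATTR[tag] not in kept:
            return
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_tags:
            # Close back down to the matching tag so the output stays well nested.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            # Text is always re-escaped, so literal < > & can never form new markup.
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:   # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_signature(raw):
    """Return the signature with only allowlisted markup; everything else is escaped or dropped."""
    parser = SignatureSanitizer()
    parser.feed(raw)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample signatures.
    print(sanitize_signature('<b>Fly safe</b> <img src="https://example.invalid/sig.png" alt="sig">'))
    print(sanitize_signature('<script>alert(1)</script><img src="x" onerror="alert(1)">'))
    print(sanitize_signature('<style>body{display:none}</style><a href="javascript:alert(1)">click</a>'))
```

Because the sanitizer is allowlist-based, the fake sidebar, the fake login boxes and the “install this plugin” prompt all fail the same way: `<style>`, inline `style`, `on*` handlers and scripts never reach the rendered page, and the image-in-signature feature that started the whole search still works.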
CCP has failed to ensure the security and safety of its customers with their new forums.
CCP has put you at a real, honest-to-god, financial risk.
CCP is now saying the following:
I’m not claiming. I’m stating outright that customer data was never at risk. We’ve also said there will be a blog which will detail what occurred and what was wrong. -CCP Sreegs
This is demonstrably (as I have just shown) a blatant lie.
Yes, their database was never at risk.
But every. single. fucking. one. of. you. WERE.
They are lying to you.
You were at risk. And they will never admit it, they will do everything to save face, to tell you it “wasn’t so bad”. And probably, it wasn’t so bad. We were lucky. We were lucky people found out soon, we were lucky that people like Virtuozzo and myself exhausted every possible means of contacting people we knew at CCP to have the plug pulled on this monstrosity.
This was more than just being terrible at making webpages, this was BLATANT disregard of safety practices, and an utter disregard of YOUR safety.
I’ll probably get banned for this post, but fuck it, I don’t want to sit here and watch them lie to our faces about how we were “never at risk”.
If you doubt me, go read up on things like code injection, educate yourselves, and you will see that CCP’s incredibly poor standards put you all at risk.
This is simply the truth, and I don’t think a “whoops, we’re sorry, but you’re all fine” from Darius Johnson (who is even more incompetent than I am) is going to cut it this time.
Helicity Boson – Original Post