Game Sessions Not Expiring

#1 Oct 07 2013 at 11:43 AM Rating: Excellent
Anterograde Amnesia
Avatar
*****
12,363 posts
Pretty big news, this is a major flaw, hopefully it is fixed soon.

http://forum.square-enix.com/ffxiv/threads/103129-Security-Tokens-Authenticators-are-useless-SE-needs-to-fix-this-immediately
____________________________
"Choosy MMO's choose Wint." - Louiscool
The greatest trick the devil ever pulled was to convince the world he didn't exist.
Keyser Soze - Ultros
Guide to Setting Up Mumble on a Raspberry Pi
#2 Oct 07 2013 at 11:43 AM Rating: Excellent
Anterograde Amnesia
Avatar
*****
12,363 posts
Reddit discussion as well:

http://www.reddit.com/r/ffxiv/comments/1nwb94/authenticators_are_useless_against_viruses/
#3 Oct 07 2013 at 11:57 AM Rating: Decent
*****
12,824 posts
Wut.

Oh for ****'s sake SE! How did you ***** that up!??! I mean, HOW?!? Seriously! Like, literally this system is out there, used in tons of areas, works fine, yet yours doesn't? How in the ****??!?
____________________________
Twitter: http://www.twitter.com/pawkeshup
YouTube: http://www.youtube.com/pawkeshup
Twitch: http://www.twitch.tv/pawkeshup
Blog: http://pawkeshup.blogspot.com
Olorinus the Ludicrous wrote:
The idea of old school is way more interesting than the reality
#4 Oct 07 2013 at 11:58 AM Rating: Good
Scholar
****
4,506 posts
Well, it's good to get this out here some more since people continue to white-knight this over and over, but I thought this was pretty much public knowledge by now.

Accounts have been hacked before, regardless of tokens. Just because you have a generated code doesn't mean you should be reckless with your account info. A while back there was one particular virus that hijacked your login on XI (I think it was) the moment you logged in with it, crashed your client and sent the data (and the code) to a third party who could then log in with it.

Back on XI, there were only two reasons to get a token. Those reasons were more inventory space from the mogsack reward, and being allowed an infinite amount of character recoveries as opposed to just one. "Added Security" really wasn't one of those reasons.

Firefox/No-script/Blockaid and not clicking on links in your email that tell you to "LOGIN NAOW OR WEZ BAN U !1" and you're pretty much safe.

*edit* Grammar didn't make sense there at the end.

Edited, Oct 7th 2013 7:59pm by KojiroSoma
____________________________
[XI] Surivere of Valefor
[XIV] Sir Surian Bedivere of Behemoth
http://na.finalfantasyxiv.com/lodestone/character/2401553/
#5 Oct 07 2013 at 12:01 PM Rating: Good
*****
12,824 posts
KojiroSoma wrote:
Firefox/No-script/Blockaid and not clicking on links in your email that tell you to "LOGIN NAOW OR WEZ BAN U !1" and you're pretty much safe.


**** been doing that for as long as it has been around. I've never truly been worried about me losing my account. I've dealt with enough infections when I worked for Dell to know how to protect myself from it.
#6 Oct 07 2013 at 12:02 PM Rating: Excellent
Anterograde Amnesia
Avatar
*****
12,363 posts
While the post in the reddit thread gives an idea of possible combinations, it's still possible to write a brute force program to start chugging through them.

Edit: With enough data you could theoretically create rainbow lists of session IDs that could make it go even faster.

Edited, Oct 7th 2013 1:03pm by Wint
#7 Oct 07 2013 at 12:54 PM Rating: Excellent
Avatar
**
428 posts
The person that made that post on reddit seems to have missed the point. The authenticator is not meant to protect you from viruses and if you have a keylogger or a virus on your computer checking your session ids, then you have a major problem on your hands beyond just losing your FFXIV character.

With all this talk of bots and hacks, a lot of people who seem to fancy themselves "computer experts" are chiming in with complete nonsense. For instance, people keep claiming that Square puts too much trust in the client, allowing teleport bots, while they have no clue why it is necessary for the server to trust the client on that aspect. They're just parroting some words they heard somewhere else that they thought sounded intelligent.

Edited, Oct 7th 2013 2:59pm by OnyxFFXI
#8 Oct 07 2013 at 12:58 PM Rating: Good
**
576 posts
Wow.

That's a pretty rudimentary flaw. SE needs to go take InfoSec 101.
____________________________
FFXI, Siren: Pickins BST99.:~:.BLM75.:~:.RDM56
FFXIV, Siren: Miss Pickins - Builder of the Realm
#9 Oct 07 2013 at 1:02 PM Rating: Good
Avatar
**
428 posts
#10 Oct 07 2013 at 1:12 PM Rating: Excellent
Avatar
***
1,080 posts
I've always thought, considering the state of their abysmal customer service, their convoluted account management site and the 4584908 steps (with confirmation emails and codes!) we all had to go through just to open a freaking account, that this was due to the fact that SE is basically still just a console game company.
Do they actually have an IT dept with people who are competent and up-to-date on the creation of these with current western standards of service? Same goes for the security standards built into the game itself. I honestly don't think they do. So, when's the next interview with Yoshi-P? Hopefully, it'll be with somebody who has the cojones to ask him these questions.
____________________________
A reader lives a thousand lives, the man who never reads lives only one. - George R.R. Martin
#11 Oct 07 2013 at 1:19 PM Rating: Decent
Avatar
**
428 posts
Vorkosigan wrote:
So, when's the next interview with Yoshi-P? Hopefully, it'll be with somebody who has the cojones to ask him these questions.


I'm certain Yoshi-P will chime in and explain how wrong this guy's post is, without giving too many details on their server security of course. But really, why is everyone so quick to go "yea how stupid of you SE" when they have no idea what a session ID is.
#12 Oct 07 2013 at 1:38 PM Rating: Excellent
**
576 posts
OnyxFFXI wrote:
Vorkosigan wrote:
So, when's the next interview with Yoshi-P? Hopefully, it'll be with somebody who has the cojones to ask him these questions.


I'm certain Yoshi-P will chime in and explain how wrong this guy's post is, without giving too many details on their server security of course. But really, why is everyone so quick to go "yea how stupid of you SE" when they have no idea what a session ID is.


Not all of us that are calling SE out are as ignorant as you claim.

I'm a software developer with a degree in CS and I still think this is a bush league mistake.
#13 Oct 07 2013 at 1:46 PM Rating: Good
Avatar
**
428 posts
Here is what Blizzard said when the community had a similar episode of people claiming in the forums that accounts were being hacked through session-id spoofing. I can imagine the FFXIV dev team will have a similar response soon:

Quote:
Over the past couple of days, players have expressed concerns over the possibility of Battle.net® account compromises. First and foremost, we want to make it clear that the Battle.net and Diablo III servers have not been compromised. In addition, the number of Diablo III players who've contacted customer service to report a potential compromise of their personal account has been extremely small. In all of the individual Diablo III-related compromise cases we've investigated, none have occurred after a physical Battle.net Authenticator or Battle.net Mobile Authenticator app was attached to the player's account, and we have yet to find any situation where a Diablo III player's account was accessed outside of "traditional" compromise methods (i.e. someone logging using an account's login email and password).

To that end, we've also seen discussions regarding the possibility of account compromises occurring in ways that didn’t involve these "traditional" methods -- for example, by "session spoofing" a player’s identity after he or she joins a public game. Regarding this specific example, we've looked into the issue and found no evidence to indicate compromises are occurring in this fashion, and we've determined the methods being suggested to do so are technically impossible. However, you have our assurance that we’ll continue to investigate reports such as these and keep you informed of important updates.
#14 Oct 07 2013 at 1:54 PM Rating: Good
Avatar
***
1,080 posts
OnyxFFXI wrote:
Vorkosigan wrote:
So, when's the next interview with Yoshi-P? Hopefully, it'll be with somebody who has the cojones to ask him these questions.


I'm certain Yoshi-P will chime in and explain how wrong this guy's post is, without giving too many details on their server security of course. But really, why is everyone so quick to go "yea how stupid of you SE" when they have no idea what a session ID is.


I don't have to know what a session ID is to know how messed up their customer service and account management site is.
I do read enough forums to know that a great many people are loving this game but are leaving because of their very bad experiences with SE's customer service, within the first month of service. Measuring the level of the horrible customer service against guesses about their security measures is a no-brainer IMO.

#15 Oct 07 2013 at 2:00 PM Rating: Excellent
Avatar
**
428 posts
Vorkosigan wrote:
Measuring the level of the horrible customer service against guesses about their security measures is a no-brainer IMO.

That's sort of what I'm getting at. People are buying into this session id nonsense, not because there is a bunch of proof to back it up, but because they have had a previous bad experience and want to believe anything negative. It's confirmation bias.
#16 Oct 07 2013 at 2:10 PM Rating: Excellent
*****
12,824 posts
OK, so I can try to replicate it tonight, and see if my fiancee can log into my account. Did you read the account of what they did? I mean, ZAM has better security than that..
#17 Oct 07 2013 at 2:35 PM Rating: Decent
Avatar
**
425 posts
SE really needs to change the game to be completely server side.
____________________________
FFXI character: Elathia ::F Tarutaru::87SCH/75RDM/70WHM/54BLM::Cerberus/Ragnarok/Bahamut::1/23/2004 - 3/25/2015 :: Retired
RDM First 75 Job :: RDM Maat victory: March 28, 2008 (1/3) :: San d'Oria R10 Long live King Destin :: Praise be to the late King Ranperre.
FFXIV character: Selene Silverstorm :: F Lalafell :: WAR60/WHM60/BLM60 :: Ragnarok :: 9/2013 -
Patch note archives for FFXIV: http://na.finalfantasyxiv.com/lodestone/special/patchnote_log/
#18 Oct 07 2013 at 2:45 PM Rating: Decent
*****
12,824 posts
Sadly, I'm thinking that needs to happen. It won't with FFXIV, that's really a lot more work than it may seem on the surface. Their model is good... if you have a small, honest population.
#19 Oct 07 2013 at 2:49 PM Rating: Decent
Scholar
Avatar
***
1,339 posts
TwilightSkye wrote:
SE really needs to change the game to be completely server side.


So go back to 1.0.
#20 Oct 07 2013 at 2:58 PM Rating: Excellent
**
576 posts
Viertel wrote:
TwilightSkye wrote:
SE really needs to change the game to be completely server side.


So go back to 1.0.


Exactly. 1.0 was terrible in part because everything was handled server-side.

You have to allow the client to handle some things or the lag becomes unbearable due either to network latency or the processing demands on the server.

The issue seems to be that SE isn't doing enough to validate the information coming from the client.

The fact that you can use the same session id from multiple IP addresses speaks to that. That should not be allowed.
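The condition Pickins points at, one session ID presented from more than one address, is also the simplest thing to hunt for in login-server logs. The Python below is an added example written for this page, not code from the thread or from Square Enix; the log line format (`timestamp event sid=... ip=...`) and the sample lines are constructed for the example and do not reflect any real server output.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real FFXIV server output). Format assumed
# for the example: ISO timestamp, event name, session id, source address.
SAMPLE_LOG = """\
2013-10-07T11:00:01Z session_create sid=a1b2c3d4e5f6 ip=203.0.113.10
2013-10-07T11:02:14Z session_use    sid=a1b2c3d4e5f6 ip=203.0.113.10
2013-10-07T11:05:40Z session_use    sid=a1b2c3d4e5f6 ip=198.51.100.77
2013-10-07T11:06:02Z session_create sid=0f0f0f0f0f0f ip=192.0.2.5
2013-10-07T11:07:30Z session_use    sid=0f0f0f0f0f0f ip=192.0.2.5
2013-10-07T11:09:55Z session_use    sid=a1b2c3d4e5f6 ip=203.0.113.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>session_\w+)\s+sid=(?P<sid>[0-9a-f]+)\s+ip=(?P<ip>[\d.]+)$"
)


def parse_log(text):
    """Yield (timestamp, event, sid, ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("event"), m.group("sid"), m.group("ip")


def sessions_by_ip(records):
    """Map session id -> ordered list of (timestamp, ip) for every creation/use."""
    seen = defaultdict(list)
    for ts, _event, sid, ip in records:
        seen[sid].append((ts, ip))
    return seen


def find_shared_sessions(text):
    """Return {sid: sorted list of IPs} for every session seen from >1 address.

    A legitimate client keeps one address for the life of a session; an id
    that appears from two is either a hijack or a client that moved networks,
    and either way the session should have been re-authenticated."""
    seen = sessions_by_ip(parse_log(text))
    return {
        sid: sorted({ip for _, ip in uses})
        for sid, uses in seen.items()
        if len({ip for _, ip in uses}) > 1
    }


def first_address_change(text, sid):
    """Timestamp at which `sid` was first presented from an address other than
    the one it was created from, or None if it never moved."""
    uses = sessions_by_ip(parse_log(text)).get(sid, [])
    if not uses:
        return None
    origin = uses[0][1]
    for ts, ip in uses[1:]:
        if ip != origin:
            return ts
    return None


if __name__ == "__main__":
    for sid, ips in find_shared_sessions(SAMPLE_LOG).items():
        print(f"ALERT sid={sid} used from {len(ips)} addresses ({', '.join(ips)}); "
              f"first change at {first_address_change(SAMPLE_LOG, sid)}")
```

In the constructed sample, `a1b2c3d4e5f6` is created from `203.0.113.10`, then used from `198.51.100.77` at 11:05:40 and again from the original address afterwards, which is exactly the pattern the original poster produced by handing an old session ID to a friend. The second session never moves and is not reported.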
#21 Oct 07 2013 at 3:15 PM Rating: Decent
*****
12,824 posts
Pickins wrote:
Exactly. 1.0 was terrible in part because everything was handled server-side.

You have to allow the client to handle some things or the lag becomes unbearable due either to network latency or the processing demands on the server.

The issue seems to be that SE isn't doing enough to validate the information coming from the client.

The fact that you can use the same session id from multiple IP addresses speaks to that. That should not be allowed.


I hate the idea of server-side, but realistically, they have shown that they just have no idea what they are doing when it comes to proper validations. They finally did something in FFXI to deal with client-side pos-hacks to some small degree, but they still work. FFXIV appears to be ripe for hacking. I don't want it either, but if they aren't going to seal the holes... maybe server-side is how it needs to be...
#22 Oct 07 2013 at 3:17 PM Rating: Good
Needs More Smut
******
21,262 posts
I think this wasn't an issue with FFXI because they did not use HTML based updates in PlayOnline. Once the authentication logged into POL, the one time password was useless - there was no browser session.

XIV borrows the web browser code from Internet Explorer, essentially. So whatever team put the HTML code in the web browser dropped the ball.

I wonder if clearing your IE cache affects those sessions, then?
____________________________
FFXI: Catwho on Bismarck: Retired December 2014
Thayos wrote:
I can't understand anyone who skips the cutscenes of a Final Fantasy game. That's like going to Texas and not getting barbecue.

FFXIV: Katarh Mest and Taprara Rara on Lamia Server - Member of The Swarm
Curator of the XIV Wallpapers Tumblr and the XIV Fashion Tumblr
#23 Oct 07 2013 at 5:37 PM Rating: Excellent
***
1,606 posts

Now doesn't that carry just as much weight as the post that started all this in the first place?
#24 Oct 07 2013 at 6:48 PM Rating: Excellent
Anterograde Amnesia
Avatar
*****
12,363 posts
OnyxFFXI wrote:
Vorkosigan wrote:
So, when's the next interview with Yoshi-P? Hopefully, it'll be with somebody who has the cojones to ask him these questions.


I'm certain Yoshi-P will chime in and explain how wrong this guy's post is, without giving too many details on their server security of course. But really, why is everyone so quick to go "yea how stupid of you SE" when they have no idea what a session ID is.


So you're ok with IDs seemingly never expiring? There are tests performed by folks in the comments with IDs that have so far not expired at all. I agree this isn't a huge issue at the moment since the sheer number of combinations makes it secure (for now), but that is hardly a good reason to leave them open.
#25 Oct 07 2013 at 11:48 PM Rating: Decent
***
2,081 posts
More troubling news concerning SE's massive ineptitude in customer service. They should outsource this entire division of their business, their current team is abysmal. It's a shame too because the game is amazing, sadly these silly issues will cause everyone to lose out and the game may never be able to reach its full potential.
#26 Oct 07 2013 at 11:59 PM Rating: Good
Scholar
***
1,948 posts
KojiroSoma wrote:
Well, it's good to get this out here some more since people continue to white-knight this over and over, but I thought this was pretty much public knowledge by now.

Accounts have been hacked before, regardless of tokens. Just because you have a generated code doesn't mean you should be reckless with your account info. A while back there was one particular virus that hijacked your login on XI (I think it was) the moment you logged in with it, crashed your client and sent the data (and the code) to a third party who could then log in with it.

Back on XI, there were only two reasons to get a token. Those reasons were more inventory space from the mogsack reward, and being allowed an infinite amount of character recoveries as opposed to just one. "Added Security" really wasn't one of those reasons.

Firefox/No-script/Blockaid and not clicking on links in your email that tell you to "LOGIN NAOW OR WEZ BAN U !1" and you're pretty much safe.

*edit* Grammar didn't make sense there at the end.

Edited, Oct 7th 2013 7:59pm by KojiroSoma


To be honest, even business banking security tokens have been hacked. So now the bank gives me a physical device to go along with the physical token, where you need the device plugged in to your PC to log into the account AND THEN enter the one time password from the token. Which probably will be hacked in the near future as well.
#27 Oct 08 2013 at 9:22 AM Rating: Excellent
*****
12,824 posts
Khornette wrote:
To be honest, even business banking security tokens have been hacked. So now the bank gives me a physical device to go along with the physical token, where you need the device plugged in to your PC to log into the account AND THEN enter the one time password from the token. Which probably will be hacked in the near future as well.


Back in school, one of my teachers said that the safest computer would be one not connected to any network, locked in a vault, and under constant armed guard... even then he'd not guarantee it. Basically, if someone wants something badly enough, they will get it. However, expiring sessions or denying a session once its IP changes are very rudimentary elements of security. Neither is all that hard, and the latter should be an absolute no brainer. "What, the client suddenly shifted IP ranges from a NA address to one in China? Oh who cares." That's.... very bad. **** Facebook won't let you do that, it will make you jump through hoops to login on a non-recognized device from another IP range, and it alerts the user that all this is happening. I'd hope that a service I am paying for would do at least that.
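The two controls Pawkeshup calls rudimentary, expiring a session and refusing it once the client's address changes, fit in a few dozen lines on the server side. The Python session store below is an added example written for this page, not code from the thread or from Square Enix's login service. The lifetime constants, the 128-bit ID width, the `Session`/`SessionStore` names and the `bind_ip`/`expire` switches are all assumptions, chosen so the lenient configuration the thread complains about sits beside the hardened one.

```python
import secrets
import time
from dataclasses import dataclass

SESSION_ID_BYTES = 16          # 128 bits from the OS CSPRNG per id (assumed width)
ABSOLUTE_LIFETIME = 8 * 3600   # seconds: hard cap regardless of activity
IDLE_TIMEOUT = 30 * 60         # seconds without use before the session ends


@dataclass
class Session:
    account: str
    client_ip: str
    created: float
    last_seen: float


class SessionStore:
    """Hypothetical server-side session table (not SE's implementation).

    bind_ip=False, expire=False reproduces the behaviour described in the
    thread: an id is accepted forever and from any address. The defaults,
    bind_ip=True and expire=True, are the hardened configuration.
    """

    def __init__(self, bind_ip=True, expire=True):
        self.bind_ip = bind_ip
        self.expire = expire
        self._sessions = {}

    def create(self, account, client_ip, now=None):
        """Issue a fresh, unguessable id after the caller has authenticated."""
        now = time.time() if now is None else now
        sid = secrets.token_hex(SESSION_ID_BYTES)   # random, never sequential
        self._sessions[sid] = Session(account, client_ip, now, now)
        return sid

    def validate(self, sid, client_ip, now=None):
        """Return the account if `sid` is live for this client, else None.

        Every rejection also revokes the session, so a stale or stolen id
        cannot simply be retried later from the 'right' address."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self.expire and (now - sess.created > ABSOLUTE_LIFETIME
                            or now - sess.last_seen > IDLE_TIMEOUT):
            self.revoke(sid)
            return None
        if self.bind_ip and client_ip != sess.client_ip:
            self.revoke(sid)      # address moved: treat as hijack, force re-login
            return None
        sess.last_seen = now      # sliding idle window
        return sess.account

    def revoke(self, sid):
        """Explicit logout; what a proper /shutdown should call."""
        self._sessions.pop(sid, None)

    def live_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    t0 = 1_000.0
    lenient = SessionStore(bind_ip=False, expire=False)
    sid = lenient.create("player", "203.0.113.10", now=t0)
    # A month later, from another network: still accepted under the lenient policy.
    print("lenient:", lenient.validate(sid, "198.51.100.77", now=t0 + 30 * 86400))
    strict = SessionStore()
    sid = strict.create("player", "203.0.113.10", now=t0)
    print("strict, same address:", strict.validate(sid, "203.0.113.10", now=t0 + 60))
    print("strict, new address:", strict.validate(sid, "198.51.100.77", now=t0 + 120))
```

The address check has a cost the thread itself records: a client whose address changes mid-session gets thrown back to the login screen, which is what Thayos remembers from beta. Binding to the address is still the right default for a service where the alternative is accepting an id from anywhere forever; a softer variant re-prompts for the one-time password on an address change instead of revoking outright.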
#28 Oct 08 2013 at 11:29 AM Rating: Excellent
The funny thing is, I am sure I remember getting locked out of beta once when trying to log in from a different ip.
____________________________
Thayos Redblade
Jormungandr
Hyperion
#29 Oct 08 2013 at 11:56 AM Rating: Excellent
Needs More Smut
******
21,262 posts
Thayos wrote:
The funny thing is, I am sure I remember getting locked out of beta once when trying to log in from a different ip.


So this was the solution to the problem. It's a feature, not a bug!
#30 Oct 08 2013 at 12:30 PM Rating: Excellent
Anterograde Amnesia
Avatar
*****
12,363 posts
Thayos wrote:
The funny thing is, I am sure I remember getting locked out of beta once when trying to log in from a different ip.


Pretty sure that would still happen. Running the game with a session ID doesn't require logging in, you only need to call the game's exe with certain command line options set. That's why this is so annoying. Token or no token you can log in to the game with only the session ID.
#31 Oct 08 2013 at 12:33 PM Rating: Good
*****
12,824 posts
It didn't. In the original post, the guy gave his session ID to another person on another ISP in another part of the country.

Quote:
I was able to give only an old, supposed to be expired, session ID to a friend and they were able to log into my account and characters from an entirely different location in the world.


From the summary of the article you posted.
#32 Oct 08 2013 at 12:56 PM Rating: Excellent
Anterograde Amnesia
Avatar
*****
12,363 posts
Pawkeshup the Meaningless wrote:
It didn't. In the original post, the guy gave his session ID to another person on another ISP in another part of the country.

Quote:
I was able to give only an old, supposed to be expired, session ID to a friend and they were able to log into my account and characters from an entirely different location in the world.


From the summary of the article you posted.


I'm not talking about logging in, I'm talking about running the exe for the game with the old session ID as the parameter. SE ID, password, and one time ID not needed. I would guess that the act of logging in with those credentials to get a new session ID would cause the issue Thayos is describing but not using just the session ID as the argument.
#33 Oct 08 2013 at 1:18 PM Rating: Decent
*****
12,824 posts
Hmm, I would assume that would happen. I could try to log in using my fiancee's account up here. I could get her to give it to me. I wasn't able to sort out how I'd copy my session ID (mainly because.... well I wanted to play last night XD), but this test could be quick...
#34 Oct 08 2013 at 1:29 PM Rating: Default
*
249 posts
Makes me wonder if the session ID was/is behind the infamous 3102 error? Perhaps their fix is what created this mess?
#35 Oct 08 2013 at 1:44 PM Rating: Excellent
Anterograde Amnesia
Avatar
*****
12,363 posts
Pawkeshup the Meaningless wrote:
Hmm, I would assume that would happen. I could try to log in using my fiancee's account up here. I could get her to give it to me. I wasn't able to sort out how I'd copy my session ID (mainly because.... well I wanted to play last night XD), but this test could be quick...


If you have a token the test won't work, somehow using a one time token skips the IP check. You can get the session ID using Process Explorer, it's a free download from Sysinternals/Microsoft.
#36 Oct 08 2013 at 1:48 PM Rating: Decent
*****
12,824 posts
Her account doesn't have a token as yet. Mine does. I play on PS3 so... yea... I can try to get the client running on my PC but last time I tried, it was not going so hot. My aging notebook just isn't going to have the power to keep up.
#37 Oct 08 2013 at 3:03 PM Rating: Decent
Scholar
***
1,910 posts
This is like someone taking your concert ticket out of the garbage and seeing the band play the next night, not only that but they tell everyone at the show that they're you...and they can do this indefinitely. The security guards don't even ask to see the ticket, they just get to walk in because they have one.

Now to you or me, unless our PC is compromised, it probably doesn't mean much...until (or unless) someone's figured out the algorithm used (unless it's random) to make the Session IDs. In which case they can generate a valid ID you were given, log into your PC, spam your contact list for gold sites, sell all your items and ship off all your gil...all without ever knowing your password, your account name, email, or having broken token auth.

Why this matters is because if your PC was otherwise compromised by a keylogger or somesuch your account should be safe because you have the One Time password--so external entities could have your password and do other nasty things, but not get into your account.
____________________________
Ultros: Brinna Vahn
#38 Oct 08 2013 at 3:14 PM Rating: Good
Guru
***
1,310 posts
Krycis wrote:
This is like someone taking your concert ticket out of the garbage and seeing the band play the next night, not only that but they tell everyone at the show that they're you...and they can do this indefinitely.


I don't think the concert ticket analogy really emphasizes the gravity of the situation. It's way worse than that. It's total identity theft. With a session ID someone could take over your account and there's not a ******* thing you can do about it. No amount of password obscurity can save you. Worse, any shenanigans the perpetrator performs (from advertising RMT to duping gil) is done in your name, and you're the one who'll get the lifetime ban from SE's online games, not the thief.

Depending on the computing power the attacker has (such as a botnet) and the length of the session IDs, it's possible they aren't compromising their victim's computers in any way. They could just be guessing the session IDs by running every combination completely unchallenged by any authentication.

Edited, Oct 8th 2013 5:53pm by Xoie
#39 Oct 08 2013 at 5:19 PM Rating: Excellent
Needs More Smut
******
21,262 posts
I'd hope SE would notice the same IP generating session IDs that don't actually work and lock out any computer spamming them after a few attempts. Won't help anyone with a legit session ID who gets hijacked, but would significantly hamper anyone trying to brute force it.
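Catwho's suggestion (lock out a source that keeps presenting session IDs that do not work) and Xoie's brute-force worry in #38 are two sides of the same calculation: how many guesses can an attacker make, and how many does a hit take. The Python below is an added example written for this page, not code from the thread or from Square Enix. It wraps any session lookup in a per-source throttle and carries the guess arithmetic through; the thresholds, the `SessionGuessThrottle` name and the 128-bit ID width used in the figures are assumptions, since the thread never states how long the real IDs are.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5          # invalid ids tolerated per source address...
WINDOW_SECONDS = 60       # ...inside this sliding window...
LOCKOUT_SECONDS = 900     # ...after which the source is refused for 15 minutes


class SessionGuessThrottle:
    """Hypothetical per-source throttle around a session lookup.

    `lookup(sid)` returns the account for a live id or None. Failed lookups
    are counted per source address; once MAX_FAILURES land inside
    WINDOW_SECONDS the address is locked out and even a valid id is refused
    until the lockout lapses, so a guesser cannot tell a hit from a miss.
    """

    def __init__(self, lookup):
        self._lookup = lookup
        self._failures = defaultdict(deque)   # ip -> timestamps of recent misses
        self._locked_until = {}               # ip -> time the lockout ends

    def check(self, sid, source_ip, now=None):
        now = time.time() if now is None else now
        if self.is_locked(source_ip, now):
            return None                       # do not even consult the store
        account = self._lookup(sid)
        if account is not None:
            return account
        misses = self._failures[source_ip]
        misses.append(now)
        while misses and now - misses[0] > WINDOW_SECONDS:
            misses.popleft()                  # drop misses outside the window
        if len(misses) >= MAX_FAILURES:
            self._locked_until[source_ip] = now + LOCKOUT_SECONDS
            misses.clear()
        return None

    def is_locked(self, source_ip, now=None):
        now = time.time() if now is None else now
        return self._locked_until.get(source_ip, 0.0) > now


def expected_guesses(id_bits, live_sessions):
    """Expected guesses to hit *some* live session when ids are uniformly
    random, id_bits wide, and live_sessions of them are valid at once. An
    untargeted attacker only needs any account, so every logged-in player
    is another target."""
    return 2.0 ** id_bits / (2 * live_sessions)


def years_to_expect_a_hit(id_bits, live_sessions, guesses_per_second):
    return expected_guesses(id_bits, live_sessions) / guesses_per_second / (365 * 86400)


def sustainable_guess_rate(source_addresses):
    """Guesses per second an attacker with this many addresses can sustain
    against the throttle above without any of them being locked out."""
    return source_addresses * (MAX_FAILURES - 1) / WINDOW_SECONDS


if __name__ == "__main__":
    # Constructed session table: one live id, not real data.
    live = {"deadbeef" * 4: "player"}
    throttle = SessionGuessThrottle(live.get)
    t = 100.0
    for i in range(MAX_FAILURES):
        throttle.check(f"{i:032x}", "198.51.100.77", now=t + i)
    print("locked after", MAX_FAILURES, "misses:", throttle.is_locked("198.51.100.77", t + 5))
    print("valid id while locked:", throttle.check("deadbeef" * 4, "198.51.100.77", t + 5))
    print("a 10,000-address botnet sustains", sustainable_guess_rate(10_000), "guesses/s")
    print("years to a hit at 128 bits, 1M live sessions, 1e9 guesses/s:",
          f"{years_to_expect_a_hit(128, 2 ** 20, 10 ** 9):.2e}")
```

The figures are the point Xoie and Catwho are circling: with 128-bit random IDs even a billion unthrottled guesses per second against a million live sessions expects a hit in about 5e15 years, so the ID width, not the throttle, is what makes guessing hopeless. The throttle matters for the other case, IDs that are short or structured enough that a rainbow-style list (Wint's #6) is plausible; there it bounds the rate to four misses per minute per address, which is what turns "depends on the attacker's botnet" into a number you can reason about.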
#40 Oct 08 2013 at 5:21 PM Rating: Excellent
***
3,438 posts
Catwho wrote:
I'd hope SE would notice the same IP generating session IDs that don't actually work and lock out any computer spamming them after a few attempts. Won't help anyone with a legit session ID who gets hijacked, but would significantly hamper anyone trying to brute force it.


They have to know the problem exists and IS a problem first.
____________________________
svlyons wrote:
If random outcomes aren't acceptable to you, then don't play with random people.
#41 Oct 08 2013 at 5:24 PM Rating: Decent
Scholar
Avatar
**
600 posts
So is it time to panic yet, or stay calm?
____________________________

Quote:
Fiddle Faddle!

#42 Oct 08 2013 at 5:38 PM Rating: Good
Scholar
**
525 posts
It's a problem, but can be prevented via the normal methods.

Don't let a virus get installed on your computer and the session ID can't be stolen in the first place.
____________________________
I used to care about my sig. Then I got mocked and ****-hurt. I shall commence with the self-pity now.
#43 Oct 08 2013 at 7:12 PM Rating: Excellent
Anterograde Amnesia
Avatar
*****
12,363 posts
Catwho wrote:
I'd hope SE would notice the same IP generating session IDs that don't actually work and lock out any computer spamming them after a few attempts. Won't help anyone with a legit session ID who gets hijacked, but would significantly hamper anyone trying to brute force it.


Doesn't sound like it:

Quote:
I was able to give only an old, supposed to be expired, session ID to a friend and they were able to log into my account and characters from an entirely different location in the world. I did not provide an account name, password, or one time password.
#44 Oct 08 2013 at 8:40 PM Rating: Decent
Scholar
***
1,910 posts
Xoie wrote:
I don't think the concert ticket analogy really emphasizes the gravity of the situation. It's way worse than that.

My analogy wasn't to belie the weight of the vulnerability, I wrote it to create an alternate narrative that someone might understand when the subject matter is technical and the audience may not necessarily understand. The point is that with little effort (removing a stub from the garbage) the person can impersonate you indefinitely.

Anyhow, you know what I meant. You know I wasn't making light of the situation and the implication otherwise is posturing. It's a software vulnerability they have to fix--if it's indeed true (as the originator has explained he or she can prove through replication). It needs to be fixed, but the actual threat to the general populace is relatively unknown, hopefully low due to the variance in each SID generated, but the knowledge of the potential exploit does perhaps shed some light on the perceived increase in account hijacks outside the normal vectors of infiltration.
#45 Oct 08 2013 at 10:02 PM Rating: Good
Needs More Smut
******
21,262 posts
On the "it's a bug, not a feature" note, you don't have to log back in to the game if you get disconnected due to inactivity. It kicks you back to the character selection screen. The non-expiring session ID is probably what allows that.
#46 Oct 08 2013 at 10:03 PM Rating: Excellent
Anterograde Amnesia
Avatar
*****
12,363 posts
Catwho wrote:
On the "it's a bug, not a feature" note, you don't have to log back in to the game if you get disconnected due to inactivity. It kicks you back to the character selection screen. The non-expiring session ID is probably what allows that.


Yep, a small boon, at least you don't have to use another token ID to log back in.
#47 Oct 09 2013 at 4:14 AM Rating: Good
Scholar
****
4,506 posts
This whole keeping the session active and working does save your spot in a party, dungeon or instance when you disconnect however. Still feel there should be a way to disable this upon a proper /shutdown for sleep or so.