Forum Settings
       
« Previous 1 2
Reply To Thread

Game Sessions Not ExpiringFollow

#1 Oct 07 2013 at 11:43 AM Rating: Excellent
Pretty big news, this is a major flaw, hopefully it is fixed soon.

http://forum.square-enix.com/ffxiv/threads/103129-Security-Tokens-Authenticators-are-useless-SE-needs-to-fix-this-immediately
#2 Oct 07 2013 at 11:43 AM Rating: Excellent
Reddit discussion as well:

http://www.reddit.com/r/ffxiv/comments/1nwb94/authenticators_are_useless_against_viruses/
#3 Oct 07 2013 at 11:57 AM Rating: Decent
Ken Burton's Reject
*****
12,834 posts
Wut.

Oh for ****'s sake SE! How did you ***** that up!??! I mean, HOW?!? Seriously! Like, literally this system is out there, used in tons of areas, works fine, yet yours doesn't? How in the hell??!?
____________________________
Twitter: http://www.twitter.com/pawkeshup
YouTube: http://www.youtube.com/pawkeshup
Twitch: http://www.twitch.tv/pawkeshup
Blog: http://pawkeshup.blogspot.com
Olorinus the Ludicrous wrote:
The idea of old school is way more interesting than the reality
#4 Oct 07 2013 at 11:58 AM Rating: Good
Scholar
****
4,511 posts
Well, it's good to get this out here some more since people continue to white-knight this over and over, but i thought this was pretty much public knowledge by now.

Accounts have been hacked before, regardless of tokens. Just because you have a generated code doesnt mean you should be reckless with your account info. A while back there was one particular virus that hijacked your login on XI (i think it was) the moment you logged in with it, crashed your client and send the data (and the code) to a third party who could then login with it.

Back on XI, there were only two reasons to get a token. Those reasons were more Inventory space from the mogsack reward, and being allowed an infinite amount of character recoveries opposed to just one. "Added Security" really wasnt one of those reasons.

Firefox/No-script/Blockaid and not clicking on links in your email that tell you to "LOGIN NAOW OR WEZ BAN U !1" and you're pretty much safe.

*edit* Grammer didnt make sense there at the end.

Edited, Oct 7th 2013 7:59pm by KojiroSoma
____________________________
[XI] Surivere of Valefor
[XIV] Sir Surian Bedivere of Behemoth
http://na.finalfantasyxiv.com/lodestone/character/2401553/
#5 Oct 07 2013 at 12:01 PM Rating: Good
Ken Burton's Reject
*****
12,834 posts
KojiroSoma wrote:
Firefox/No-script/Blockaid and not clicking on links in your email that tell you to "LOGIN NAOW OR WEZ BAN U !1" and you're pretty much safe.


Hell been doing that for as long as it has been around. I've never truly been worried about me losing my account. I've dealt with enough infections when I worked for Dell to know how to protect myself from it.
____________________________
Twitter: http://www.twitter.com/pawkeshup
YouTube: http://www.youtube.com/pawkeshup
Twitch: http://www.twitch.tv/pawkeshup
Blog: http://pawkeshup.blogspot.com
Olorinus the Ludicrous wrote:
The idea of old school is way more interesting than the reality
#6 Oct 07 2013 at 12:02 PM Rating: Excellent
While the post in the reddit thread gives an idea of possible combinations it still possible to write a brute force program to start chugging through them.

Edit: With enough data you could theoretically create rainbow lists of session IDs that could make it go even faster.

Edited, Oct 7th 2013 1:03pm by Wint
#7 Oct 07 2013 at 12:54 PM Rating: Excellent
**
428 posts
The person that made that post on reddit seems to have missed the point. The authenticator is not meant to protect you from viruses and if you have a keylogger or a virus on your computer checking your session ids, then you have a major problem on your hands beyond just losing your FFXIV character.

With all this talk of bots and hacks, a lot people who seem to fancy themselves "computer experts" chiming in with complete nonsense. For instance, people keep claiming that Square puts too much trust in the client, allowing teleport bots, while they have no clue why it is necessary for the server to trust the client on that aspect. Theyre just parroting some words they heard somewhere else that they thought sounded intelligent.

Edited, Oct 7th 2013 2:59pm by OnyxFFXI
#8 Oct 07 2013 at 12:58 PM Rating: Good
**
576 posts
Wow.

That's a pretty rudimentary flaw. SE needs to go take InfoSec 101.
#9 Oct 07 2013 at 1:02 PM Rating: Good
**
428 posts
http://www.reddit.com/r/ffxiv/comments/1nx8u9/in_regards_to_the_authenticators_are_useless/
#10 Oct 07 2013 at 1:12 PM Rating: Excellent
***
1,080 posts
I've always thought, considering the state of their abyssmal customer service, their convoluted account management site and the 4584908 steps (with confirmation emails and codes!) we all had to go thru just to open a freaking account was due to the fact that SE is basically still just a console game company.
Do they actually have an IT dept with people who are competent and up-to-date on the creation of these with current western standards of service? Same goes for the security standards built into the game itself. I honestly don't think they do. So, when's the next interview with Yoshi-P? Hopefully, it'll be with somebody who has the cojones to ask him these questions.
#11 Oct 07 2013 at 1:19 PM Rating: Decent
**
428 posts
Vorkosigan wrote:
So, when's the next interview with Yoshi-P? Hopefully, it'll be with somebody who has the cojones to ask him these questions.


I'm certain Yoshi-P will chime in and explain how wrong this guys post is, without giving too many details on their server security of course. But really, why is everyone so quick to go "yea how stupid of you SE" when they have no idea what a session ID is.
#12 Oct 07 2013 at 1:38 PM Rating: Excellent
**
576 posts
OnyxFFXI wrote:
Vorkosigan wrote:
So, when's the next interview with Yoshi-P? Hopefully, it'll be with somebody who has the cojones to ask him these questions.


I'm certain Yoshi-P will chime in and explain how wrong this guys post is, without giving too many details on their server security of course. But really, why is everyone so quick to go "yea how stupid of you SE" when they have no idea what a session ID is.


Not all of us that are calling SE out are as ignorant as you claim.

I'm a software developer with a degree in CS and I still think this is a bush league mistake.
#13 Oct 07 2013 at 1:46 PM Rating: Good
**
428 posts
Here is what Blizzard said when the community had a similar episode of people claiming in the forums that accounts were being hacked through session-id spoofing. I can imagine the FFXIV dev team will have a similar response soon:

Quote:
Over the past couple of days, players have expressed concerns over the possibility of Battle.net® account compromises. First and foremost, we want to make it clear that the Battle.net and Diablo III servers have not been compromised. In addition, the number of Diablo III players who've contacted customer service to report a potential compromise of their personal account has been extremely small. In all of the individual Diablo III-related compromise cases we've investigated, none have occurred after a physical Battle.net Authenticator or Battle.net Mobile Authenticator app was attached to the player's account, and we have yet to find any situation where a Diablo III player's account was accessed outside of "traditional" compromise methods (i.e. someone logging using an account's login email and password).

To that end, we've also seen discussions regarding the possibility of account compromises occurring in ways that didn’t involve these "traditional" methods -- for example, by "session spoofing" a player’s identity after he or she joins a public game. Regarding this specific example, we've looked into the issue and found no evidence to indicate compromises are occurring in this fashion, and we've determined the methods being suggested to do so are technically impossible. However, you have our assurance that we’ll continue to investigate reports such as these and keep you informed of important updates.
#14 Oct 07 2013 at 1:54 PM Rating: Good
***
1,080 posts
OnyxFFXI wrote:
Vorkosigan wrote:
So, when's the next interview with Yoshi-P? Hopefully, it'll be with somebody who has the cojones to ask him these questions.


I'm certain Yoshi-P will chime in and explain how wrong this guys post is, without giving too many details on their server security of course. But really, why is everyone so quick to go "yea how stupid of you SE" when they have no idea what a session ID is.


I don't have to know what a session ID is to know how messed up their customer service and account management site is.
I do read enough forums to know that a great many people are loving this game but are leaving because of their very bad experiences with SE's customer service, within the first month of service. Measuring the level of the horrible customer service against guesses about their security measures is a no-brainer IMO.

#15 Oct 07 2013 at 2:00 PM Rating: Excellent
**
428 posts
Vorkosigan wrote:
Measuring the level of the horrible customer service against guesses about their security measures is a no-brainer IMO.

That's sort of what I'm getting at. People are buying into this session id nonsense, not because there is a bunch of proof to back it up, but because they have had a previous bad experience and want to believe anything negative. It's confirmation bias.
#16 Oct 07 2013 at 2:10 PM Rating: Excellent
Ken Burton's Reject
*****
12,834 posts
OK, so I can try to replicate it tonight, and see if my fiancee can log into my account. Did you read the account of what they did? I mean, ZAM has better security than that..
____________________________
Twitter: http://www.twitter.com/pawkeshup
YouTube: http://www.youtube.com/pawkeshup
Twitch: http://www.twitch.tv/pawkeshup
Blog: http://pawkeshup.blogspot.com
Olorinus the Ludicrous wrote:
The idea of old school is way more interesting than the reality
#17 Oct 07 2013 at 2:35 PM Rating: Decent
**
425 posts
SE really needs to change the game to be completely server side.
#18 Oct 07 2013 at 2:45 PM Rating: Decent
Ken Burton's Reject
*****
12,834 posts
Sadly, I'm thinking that needs to happen. It won't with FFXIV, that's really a lot more work than it may seem on the surface. Their model is good... if you have a small, honest population.
____________________________
Twitter: http://www.twitter.com/pawkeshup
YouTube: http://www.youtube.com/pawkeshup
Twitch: http://www.twitch.tv/pawkeshup
Blog: http://pawkeshup.blogspot.com
Olorinus the Ludicrous wrote:
The idea of old school is way more interesting than the reality
#19 Oct 07 2013 at 2:49 PM Rating: Decent
Scholar
Avatar
***
1,339 posts
TwilightSkye wrote:
SE really needs to change the game to be completely server side.


So go back to 1.0.
#20 Oct 07 2013 at 2:58 PM Rating: Excellent
**
576 posts
Viertel wrote:
TwilightSkye wrote:
SE really needs to change the game to be completely server side.


So go back to 1.0.


Exactly. 1.0 was terrible in part because everything was handled server-side.

You have to allow the client to handle some things or the lag becomes unbearable due either to network latency or the processing demands on the server.

The issue seems to be that SE isn't doing enough to validate the information coming from the client.

The fact that you can use the same session id from multiple IP addresses speaks to that. That should not be allowed.
#21 Oct 07 2013 at 3:15 PM Rating: Decent
Ken Burton's Reject
*****
12,834 posts
Pickins wrote:
Exactly. 1.0 was terrible in part because everything was handled server-side.

You have to allow the client to handle some things or the lag becomes unbearable due either to network latency or the processing demands on the server.

The issue seems to be that SE isn't doing enough to validate the information coming from the client.

The fact that you can use the same session id from multiple IP addresses speaks to that. That should not be allowed.


I hate the idea of server-side, but realistically, they have shown that they just have no idea what they are doing when it comes to proper validations. They finally did something in FFXI to deal with client-side pos-hacks to some small degree, but they still work. FFXIV appears to be rife for hacking. I don't want it either, but if they aren't going seal the holes... maybe server-side is how it needs to be...
____________________________
Twitter: http://www.twitter.com/pawkeshup
YouTube: http://www.youtube.com/pawkeshup
Twitch: http://www.twitch.tv/pawkeshup
Blog: http://pawkeshup.blogspot.com
Olorinus the Ludicrous wrote:
The idea of old school is way more interesting than the reality
#22 Oct 07 2013 at 3:17 PM Rating: Good
I think this wasn't an issue with FFXI because they did not use HTML based updates in PlayOnline. Once the authentication logged into POL, the one time password was useless - there was no browser session.

XIV borrows the web browser code from Internet Explorer, essentially. So whatever team put the HTML code in the web browser dropped the ball.

I wonder if clearing your IE cache affects those sessions, then?
#23 Oct 07 2013 at 5:37 PM Rating: Excellent
***
1,606 posts
OnyxFFXI wrote:
http://www.reddit.com/r/ffxiv/comments/1nx8u9/in_regards_to_the_authenticators_are_useless/

Now doesn't that carry just as much weight as the post that started all this in the first place?
#24 Oct 07 2013 at 6:48 PM Rating: Excellent
OnyxFFXI wrote:
Vorkosigan wrote:
So, when's the next interview with Yoshi-P? Hopefully, it'll be with somebody who has the cojones to ask him these questions.


I'm certain Yoshi-P will chime in and explain how wrong this guys post is, without giving too many details on their server security of course. But really, why is everyone so quick to go "yea how stupid of you SE" when they have no idea what a session ID is.


So you're ok with IDs seemingly never expiring? There are tests performed by folks in the comments with IDs that have so far not expired at all. I agree this isn't a huge issue at the moment since the sheer number of combinations makes it secure (for now), but that is hardly a good reason to leave them open.
#25 Oct 07 2013 at 11:48 PM Rating: Decent
More troubling news concerning SE's massive ineptitude in customer service. They should outsource this entire division of their business, their current team is abysmal. It's a shame too because the game is amazing, sadly these silly issues will cause everyone to lose out and the game may never be able to reach its full potential.
#26 Oct 07 2013 at 11:59 PM Rating: Good
***
1,948 posts
KojiroSoma wrote:
Well, it's good to get this out here some more since people continue to white-knight this over and over, but i thought this was pretty much public knowledge by now.

Accounts have been hacked before, regardless of tokens. Just because you have a generated code doesnt mean you should be reckless with your account info. A while back there was one particular virus that hijacked your login on XI (i think it was) the moment you logged in with it, crashed your client and send the data (and the code) to a third party who could then login with it.

Back on XI, there were only two reasons to get a token. Those reasons were more Inventory space from the mogsack reward, and being allowed an infinite amount of character recoveries opposed to just one. "Added Security" really wasnt one of those reasons.

Firefox/No-script/Blockaid and not clicking on links in your email that tell you to "LOGIN NAOW OR WEZ BAN U !1" and you're pretty much safe.

*edit* Grammer didnt make sense there at the end.

Edited, Oct 7th 2013 7:59pm by KojiroSoma


To be honest, even business banking security token has been hacked. So now the bank gives me physical device to go along with the physical token where you need the device plugged in to your PC to log into the account AND THEN enter the one time password from the token. Which probably will be hacked in the near future as well.
« Previous 1 2
Reply To Thread

Colors Smileys Quote OriginalQuote Checked Help

 

Recent Visitors: 287 All times are in CST
Anonymous Guests (287)