The hacking mystery has been solved:
Player identifies "huge security hole" in RIFT's authentication system, Trion seals it (Massively)
|
|
|
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
The hacking mystery has been solved:
Player identifies "huge security hole" in RIFT's authentication system, Trion seals it (Massively)
Cool article. Here's hoping that's the only major problem with this game. That would be sweet.
great. now restore my character so I can play again. I haven't been able to play my main for about a week now.
oh and I want to know what he found and how he did it. I hate being so ignorant of network security. One of these days I am going to have to find out more about it.
Another article! Ex-Hacker Finds RIFT Account Flaw, Talks to ZAM
In a nutshell, Bashir (though I don't know the nitty-gritty details), this is how I understand it: once you provide good credentials at login, the game gives you a "token" to say you're an ok guy. Think browser cookies, or better yet, you visit some high security place and they give you a badge you have to wear so the security guys can see it or they'll kick you out. From there on out, each transaction with the server has to reference that token in order to "prove" you have a right to be there. What this guy found is that if you have a pre-validated token (i.e., you log in as yourself), you could then just replace the account ID (a unique number assigned by Trion to your account) in that token with that of someone else,and not have to re-validate to "become" that person. No one accessed particulars of any Trion database (as far as anyone can tell), so it's thought that the hackers were just trying random account IDs, hit or miss, until they found one that worked.
Got it. I have a bit of an understanding of tokens from a basic understanding of VPN connections so that makes sense.
BTW folks, the fact that this hole was found and fixed does NOT mean that there aren't other issues with security. It is still up to you to take normal precautions for your own security. For example NEVER use the same email address for two games. People have been selling WoW email addresses for years, if you use the same email address for Rift, you may well already be on some hackers list. Unique email address and strong passwords (also unique) go a long way to keeping you safe.
I gave in a few days ago and created an email just for rift. Still think they are making a mistake using email addy as account names.
The ZAM interview was great to read. Granted Coin-Locked now every day cause I play from home and work. But I can deal with it if it makes it more secure game overall.
