
Major RIFT Security Hole Plugged with help from Player


Any MMO launch is daunting for an MMO developer, and since RIFT launched, TRION has been battling issues with players having their accounts hacked and compromised.

This weekend things took a positive turn after a member of the RIFT community identified a security hole in RIFT's authentication system which allowed a hacker access to a player’s character login without the need for any credentials. This could have been one of the causes of the massive amount of hacking reports.

A player going by the name of ManWitDaPlan got in touch with TRION once he had verified the process worked and informed them of the hole. TRION hopped on the case last night and released a new hotfix patch to resolve the issue.

At the same time as plugging the hole, TRION implemented the new Coin Lock system, which prevents hackers from accessing an account from an unknown IP and then selling on the account owner's items or deleting a character.

When the patch rolled out, every account was set to Coin Lock and players had to request an unlock code via email. When the system launched there was an initial problem with emails arriving without the code inside. TRION had also forgotten to disable the delete character option, so players whose accounts had been compromised were finding their characters missing when they eventually logged back in.

The Coin Lock issues have now all been resolved and the major security bug squashed thanks to the help of a community member.
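
The Coin Lock behaviour described above, sketched as an added example (not TRION's code): a login from an unknown IP triggers an emailed unlock code, and until it is entered only an explicit allow-list of actions works, so an action nobody remembered to disable, such as character deletion, is refused by default. The class name, action names and IP addresses are assumptions made for illustration.

```python
import hmac
import secrets

# Hypothetical action names. Only these are permitted from an unapproved IP;
# anything not listed (sell_item, delete_character, or an action added in a
# later patch) is refused by default, so nothing has to be remembered.
ALLOWED_WHILE_LOCKED = frozenset({"move", "chat", "loot"})


class CoinLockGate:
    def __init__(self):
        self.known_ips = {}  # account -> IPs that have completed an unlock
        self.pending = {}    # (account, ip) -> unlock code awaiting entry
        self.outbox = []     # stand-in for the mail system: (account, body)

    def login(self, account, ip):
        """Return 'unlocked' for a known IP, otherwise lock and mail a code."""
        if ip in self.known_ips.get(account, set()):
            return "unlocked"
        code = secrets.token_hex(4)
        self.pending[(account, ip)] = code
        self.outbox.append((account, f"Unlock code: {code}"))
        return "locked"

    def unlock(self, account, ip, code):
        """Approve the IP only if the submitted code matches the mailed one."""
        expected = self.pending.get((account, ip))
        if expected is None or not hmac.compare_digest(
                expected.encode(), code.encode()):
            return False
        del self.pending[(account, ip)]
        self.known_ips.setdefault(account, set()).add(ip)
        return True

    def authorize(self, account, ip, action):
        """Allow everything from an approved IP, the allow-list otherwise."""
        if ip in self.known_ips.get(account, set()):
            return True
        return action in ALLOWED_WHILE_LOCKED


def demo():
    gate = CoinLockGate()
    gate.known_ips["alice"] = {"198.51.100.7"}       # constructed sample data
    state = gate.login("alice", "203.0.113.50")      # login from a new IP
    blocked = [a for a in ("sell_item", "delete_character", "chat")
               if not gate.authorize("alice", "203.0.113.50", a)]
    return state, blocked


if __name__ == "__main__":
    print(demo())
```
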

This evening RIFT's Executive Producer Scott Hartsman also issued a statement to confirm all the actions that have been taken.

Hi, everyone — I wanted to get an update out for the weekend after the last day of excitement around here.

On last night’s fix — I’m very happy to confirm that we did fix a login vulnerability, with significant assistance from an extremely clever user.

The root cause was a very subtle bug in error checking of our login validations deep in the server code. No personal information or any such was leaked out, and no outside attacker penetrated our servers, networks, or databases.

We’d definitely like to thank Mr. ManWitDaPlan for the well-timed assist. Sir, we salute you and offer our most heartfelt thanks.

The rest of what I’d like to add isn’t to detract from the above well-deserved compliment, but it’s important to include in the comprehensive picture.

The sobering fact is that account security remains a multifaceted issue, as attacks from other sources continue.

It’s important to remember that while a hole was identified and fixed as rapidly as we possibly could, there are still hackers and botnets trying account/password combinations from compromised web sites and past MMOs.

They are doing this right now. Those attacks have been coming constantly since we launched the game. The only thing that changes are how many hundreds of computers are trying to get into your account at any given moment, where they’re coming from, and how many are succeeding.

We do block them as they are detected, but the fact that they are using distributed botnets (compromised computers from across the globe) means that this will remain something that we will continue keeping an eye on, forever.

For users getting hacked this way, Coin Lock is currently doing its job protecting people’s belongings, provided that your RIFT password and EMail password are both complex and entirely different.

Both the login fix and the Coin Lock addition have been doing their part in significantly reducing overall incidents over the last 18 hours.

Neither one is a silver bullet, but so far it is looking to be a solid one-two punch for the weekend.

Then, with two-factor authentication coming very soon, we expect security to be improved even further.

All totalled up, under 1% of accounts with characters have had characters impacted. However, 1% of a surprisingly large number is still very noticeable.

Our staff has been, and will continue to be, working around the clock to get those impacted back in shape. We’ll continue hiring on even more people to help people with issues of all kinds, as quickly as we can. (Another round of hires begin on Monday, and there will be even more to follow.)

As always, thanks very much for your time, your attention, your assistance, and your patience!

- Scott Hartsman

Exec Producer, RIFT

It is heartening to see a community member help TRION resolve the security hole instead of posting the information freely on the Internet, which could have caused major problems for TRION. The new Coin Lock feature is also an excellent idea and with any luck it will put paid to a lot of the account hack attempts and platinum selling.

The downside of the Coin Lock is the in-game chat could become gold seller spam heavy so I hope TRION's filtering and reporting system works efficiently over the coming weeks.

Rift
Game: Rift
Developer: Trion
Publisher: Trion
Released: 04 Mar 2011