New Forum Security Blog - Cookie Derp
Greetings internet space people,
As most of you are well aware by now we had a bit of a situation with our new forum package. I want to spend some time with you going over a few things which will include the specific vulnerabilities which lead to the forums being shut down, what you should personally be concerned about, what the reality of the exploits vs. the current reported realities are and finally how to report an exploit.
I think we can all agree that the forums went live in a security state which was less than desirable. We're still probing our internal processes to determine how the breakdown occurred and how to ensure that the problem does not happen again. That will take some time and may or may not ever be made public as, strange as it may seem, internal corporate policies are not public record and shouldn't be. On behalf of CCP I'd like to extend our most sincere apologies for this and assure you that we are doing a lot of soul searching in order to ensure that a repeat does not occur. Playing loose with security-related functionality puts both CCP and you at risk and that is completely unacceptable. This episode should never have occurred and despite being rather humiliating if we're to look on the bright side it did teach us some rather poignant lessons from which we'll be drawing in the coming days and weeks.
When the forums went live the other day for the first time they were up for just over 30 hours or so before we were made aware of a player reporting vulnerability. We were able to track the user's activity, see that they were indeed taking advantage of vulnerability and shut down the forums in order to determine how the activity we were witnessing was being accomplished. A rather helpful player then sent us an actual notification with information which detailed a few available exploit conditions. We also discovered an additional one in our research. To break down what was possible during the time that the forum was up based on our investigation of what was done and analysis of a running codebase you could:
· Post as anyone.
· Read any forum anyone had access to.
· Inject HTML (NOT SCRIPT) into your signature.
· Inject HTML (and possibly script) in the post reporting feature. (Something someone without roles would not have been able to see i.e. not you unless you were exploiting)
· Edit anyone else's posts
People have reported that you were able to inject script into the signatures. While we didn't do validation to prevent the script tags from being inserted into the signature, we did encode the output so that the script was not executed on the client. Basically if you were to put (And this is REALLY simplified) I had some script here but the blog tool actually sanitized it so just pretend into your signature all that would happen is that the script, tags and all, would be rendered as text in your signature. If ANYONE has any evidence of this not being the case please shoot me an email to firstname.lastname@example.org but thus far our attempts to do so have shown that at least in that case, we were preventing what would have been a nasty vulnerability from occurring.
We do not see any evidence of anyone being able to access your personal information or credit cards, which are actually stored in a secure environment which isn't in the communication path for the forums in any way. In essence, the vulnerabilities were limited to people's ability to escalate their privileges on the forum itself and nowhere else. Even were someone able to have injected script the method by which your information would have been at risk would have been in the form of malware, session theft or keylogging of your local machine rather than some window into our secure environment. That being said, it's always a best practice to keep your computers safe from malware and your passwords changed on a regular basis and now's as good a time as any to scan that PC and change your password.
This takes me to vulnerability reporting, which has played an interesting role in this whole process. If you are aware of or discover a vulnerability in one of our systems you are encouraged to send an email to email@example.com, file a petition and/or a bug report. If you do this there are two items which are paramount to us having the information we need to respond properly.
1. You must provide us with details regarding the exploit including reproduction steps when possible.
2. You must not abuse the exploit in question once you've discovered it, whether as a "prank" or otherwise. CCP is a corporation and we must treat all exploitation of our corporate assets with extreme seriousness. What may be hilarious to you may also be a crime in whatever country you're pulling your masterful prank from.
I'm working internally to try to formalize a program to reward people who give us information which better helps us to secure our systems. In the meantime I've made it a personal habit to ensure that people who help us out are given some form of reward and that happened at least twice in this particular occurrence. Just to make sure we're clear here's an example of bad behavior and a bad/irresponsible exploit report:
Subject: YOU GUYS ARE IDIOTS LMAO
Body: Hey I just wanted to let you know how much you smell terrible and also how bad your posts are. I found a giant gaping hole in one of your systems. If you want to know how I did it you can go jump in a lake lmao!
And here is an example of a good exploit report:
Subject: Important - Vulnerability found in System X
Body: Hey guy I just wanted to let you know I've found an exploit in your posting. No matter what you post it comes out as garbage. Here's how I did it:
1. Make a post
2. Submit the post
3. Hang your head in shame as everyone laughs at you
In the "Bad" exploit report the user goes on to abuse the system until we have to shut him out. In the "good" exploit report the user merely tests his exploit then never touches it again. We recognize that we're blessed with a rather intelligent user community who can also be rather mischievous. We really don't want to have to action against accounts of people who feel they're pulling off the sweetest prank ever. In the course of an investigation however, the logs don't signal intent and that's what we have to go by so PLEASE observe the above standards and don't put your account at risk.
This is already really long and there will be a lot of follow up to this blog. For now I'm going to close it out and continue the investigation. I may do another blog in a day or so detailing the technical specifics of the exploits or following up with where we are but for now I felt it was important to get this information out to the community as there is a great deal of misinformation flowing around and basically, you deserve to know. I'll keep an eye on the thread as I can and respond to any questions, comments or concerns that you have. Thanks a bunch for your time and patience.