Excellent info. I will begin work on a new application with this information you provided.
That's just because the devs speak Japanese, so it's much easier for them to communicate. That does NOT however mean that stuff doesn't get read on the NA forums, nor does it mean that our excellent community reps don't communicate any of our concerns to them.
Ask Reinhart just how much more gets posted in the JP threads from the devs than the English ones, looking over everything he's translated we get about 1 post for every 3 they get even though we have the exact same topics over here(some of which are just as high profile to all countries and not just Japan).
Why hack anyone? Just look at your session ID and then, using some common sense, write an application that generates random session IDs and tests them against the server for validity, reporting back which ones are good.
Seems Apple got into trouble with this a while back, and whoever discovered it got in a load of trouble if I recall.
SE Fix this please.
my point is it's not impossible.
How long does it take 20 people, 50 people, 100 people trying this method from as many computers before hitting on 1 valid ID that doesn't belong to them. Are you suggesting that since it took so long to get one ID that it's ok? Is it fair to the person whose account they stole?
It shouldn't be possible at all.
How long? Uh, many, many years. I don't think you realize the magnitude of the probability we are talking about here. Do you realize how many of the 2^128 GUIDs are actually active at the moment? What a million at the very very most? That's a .000000000000001% chance you are going to hit an active GUID.
Social engineering people into giving you their credentials is going to be far more successful than trying to brute force a 32 digit HEX GUID.
wow....... yeah this is bad... very bad... This needs to be sorted out asap, like right now! *bump*
Glad someone posted about this. I hope SE fixes this ASAP.
This really should be a high priority I hope we get a response soon.
It's highly likely it only uses a subset of all possible combinations; it may be a hash function instead of a truly random number.
In which case, by looking at valid session IDs and trying around those numbers it makes it much more likely to find a "hit".
Also consider that there may be no maximum attempts like a password system, allowing a hacker to try hundreds of possible session IDs a second.
This is much like finding a wireless encryption key.
Why did they remove the IP lock used in version 1.0? Any time your ip changed you had to change your password to unlock your account.
I was able to find this in literally five clicks. Two to start the software, one to select FFXIV, one to open the context menu and one to hit 'properties'. Furthermore, I was able to close the game, copypasta the command line into a console, and it worked.
Also, to all those freaking out over being able to hack SIDs, it's far more likely that someone will try to just use one you've already been using. Someone could just grab the one I found below and use it after I log out; the issue is not the ability to brute-force or guess, it's that the SIDs don't expire upon logout.
http://i.imgur.com/a0wSIm2.png
Session IDs should ALWAYS become invalid at the end of a session. Yikes!
Bumping for the night/evening crew. This needs to be fixed please.
I'd like to hear some proper comments on this. How secure are actual logins if this all is true? Is there any point in having a security token at all until then? How afraid do I have to be on every login before this gets fixed (if it is an issue that needs fixing in the first place)?
This is very scary. Seems like a slip up on SE's part. I'm glad people are bringing this up so they can fix it.
For everyone else, be careful when you log into or go onto FFXIV related sites. Make sure they're trustworthy. Like the OP said, sounds like they don't even have to phish or keylog it. Just a virus from a browser vulnerability might be enough to get around your security.
Note to self: Nuke Token from ffxiv.exe parameters after launching the game....
They should have at least encrypted the session key with some random salt....
E.g. They should take your machine key, some random bytes of salt, and encrypt that session id before they pass it to ffxiv.exe. Then at least hackers would need to look at the x86 of the game to see how it desalts/decrypts it.
Even then, this is a really bad design. They should use a named pipe or tcp/ip to send the session from the launcher to the game, not a command line parameter.
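The post above argues that the launcher should hand the session ID to the game over a pipe rather than on the command line. The following is an added example (not code from the original thread, and not SE's launcher or ffxiv.exe, whose real interface is not known here): a stand-in "game client" child process reports what it can see, once when the token is passed in argv and once when it is passed over an inherited pipe (the child's stdin). Anyone on the same host can read a process's argv via `ps`, `/proc/<pid>/cmdline` or Task Manager's "Command line" column, which is what the screenshot in the thread shows; a pipe is visible only to the two processes sharing it.

```python
"""Hand a session token to a child process without putting it on the
command line.  Added example: the launcher and game client are stand-ins
written in Python; nothing here reproduces SE's actual launcher."""
import json
import secrets
import subprocess
import sys

# Stand-in game client: report its argv and whatever arrived on stdin.
CHILD_SCRIPT = r"""
import json, sys
token_from_pipe = sys.stdin.read().strip()
print(json.dumps({"argv": sys.argv[1:], "token_from_pipe": token_from_pipe}))
"""


def _run_child(args, stdin_bytes):
    """Spawn the stand-in client with the given argv and stdin contents."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_SCRIPT, *args],
        input=stdin_bytes,
        capture_output=True,
        check=True,
        timeout=30,
    )
    return json.loads(proc.stdout)


def launch_with_argv(token):
    """The pattern the thread describes: the token travels in argv, where
    every other process on the machine can read it for as long as the
    client runs."""
    return _run_child([f"sid={token}"], b"")


def launch_with_pipe(token):
    """Fixed pattern: the token travels over a pipe the child inherits (its
    stdin here).  The launcher writes the token and closes its end, so the
    client reads to EOF.  A named pipe would work the same way and would
    also let the client be started independently of the launcher."""
    return _run_child(["--sid-on-stdin"], (token + "\n").encode())


def token_leaks_via_argv(report, token):
    """True if the token (or any string containing it) appears in argv."""
    return any(token in arg for arg in report["argv"])


def demo():
    """Run both hand-offs with a fresh 32-hex-digit token and compare."""
    token = secrets.token_hex(16)  # 128 bits, like the SIDs in the thread
    leaky = launch_with_argv(token)
    safe = launch_with_pipe(token)
    return {
        "argv_leaks": token_leaks_via_argv(leaky, token),
        "pipe_leaks": token_leaks_via_argv(safe, token),
        "pipe_delivered": safe["token_from_pipe"] == token,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the pipe fixes only the process-table exposure. The token still lives in the client's memory afterwards, and it is still valid for as long as the server honours it, so this is a complement to server-side expiry, not a substitute for it.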
You know, technically, you broke the rules...
Can't have more than one person share an account :rofl:
Great, no need to go through those bothersome login screens any more. It's fine to keep this in a shortcut on my desktop, right..? (j/k!)
At least it explains how hackers have been managing to gain control of people's accounts, even though they have security tokens on. I wonder which website it is that's been compromised?
Man in the middle attacks are not something that viruses accomplish, you're talking about a piece of malware specifically designed to harvest session IDs for the purpose of spoofing or hijacking an account. These pieces of software use some of the same techniques that viruses use to infect targets and hide themselves, but they are not viruses.
There is an easy fix to this, especially now that we have an auto-logout feature: invalidate all session keys associated with an account as soon as a logout or disconnect event is detected.

What bothers me about this issue is that this is something that any good internet forum admin realizes about spammers: they log in to your forum and establish a session, then, even if you ban their account, they can continue to access the forum as long as they never log out, for as long as your session ID is valid. Therefore you implement something to purge session IDs when you ban an account, and you put a limited life on session IDs to reduce the vulnerability.

This is not difficult; it's a server side fix. Whenever they ban an account, they should be invalidating the session IDs on the login/lobby/instance/game servers so that even if the RMT or bot is logged in when the ban is executed, their connection will be dropped as soon as the session ID is invalidated.
Oh, BTW, this type of attack on accounts is only really valid on PCs. PS3 users are not vulnerable to this since their system is not infested with malware. To perform a man in the middle attack stealing a session ID from a PS3 gamer, you'd have to have access to their firewall so you could trap the session ID and spoof their session while they were active, which is much, much harder, and not entirely worthwhile to do since it exposes the attacker far more than an anonymous piece of malware capturing session IDs on a PC does.
Seems complete amateurs made the net/server code of this game. I mean, this and those excessive teleport hacks shouldn't be possible at all.
I don't think posting the thread was the right thing to do OP. There are channels you should have used to report it directly to SE (and by that I don't mean the bug report forums but the ingame "contact us" -> "report a bug" form in the game helpdesk.)
He already did that - he's in my FC
Bumperella!
Long post incoming. I work with people who have done network security professionally in the past, and I got some of their opinions. SE's use of SIDs is basically as prescribed by the OAuth standard, which is secure against most forms of attack. The system itself is not unsound, but some of the parameters SE has chosen are unsuitable for a service like FFXIV. I'd like to talk about what attack vectors this opens up and, more importantly, what we can do to protect ourselves from them.
Likely Attack Vectors:
Embedding Viruses in Hacks/Bots - Easy (but costly). Projected Captures: Hundreds
Yeah, this probably happens. Don't download bots, don't buy gil, don't give your password to gilsellers for powerlevelling. Duh. However, this is probably not how most people get hacked. There's plenty of good reasons not to buy gil - not least of which is that you're paying people to hack other people's accounts - but personal safety isn't one of them. Gilsellers value customers a lot more than they value gil, and people who buy gil once tend to be the kind of people who buy gil twice. It's unlikely that they'd steal a customer's account, because that means they lose a customer in exchange for gil. (Botting programs probably do come with viruses, since people who download bots are not repeat customers.)
Social Engineering - Very Easy. Projected Captures: Depends
Social engineering is the practice of tricking users into giving their password voluntarily. This can take many forms, but there's enough information out there already about password security, so I won't get into that. Quick summary: Don't enter your password into sites that you're not sure are legitimate, don't re-use the same password for anything, don't click links in e-mails and then enter your password into them.
Browser Based Exploits - Moderately Difficult. Projected Captures: Tens of thousands. <--Most Likely Attack!
Depending on your browser, flash player version, java version, security settings, Windows version, etc. there are vulnerabilities that can be exploited from a browser to harvest data. This is the most likely attack vector, and I'll get into more about how to defend yourself from it later.
Things not to worry about:
Guessing SIDs - Effortless. Projected Captures: Nobody ever
I wouldn't worry about this one. In theory, anyone could just start entering random SIDs and hope they get one, however, the odds of actually getting a match are so close to zero that even with a giant multi-thousand computer array guessing until the heat death of the universe, it's unlikely to capture anyone.
Coffee-Shop Attack - Effortless. Projected Captures: Almost nobody ever
The easiest "man in the middle" attack: The hacker finds an unencrypted wireless network (such as at Starbucks) and sits there with a program that listens to all traffic (even the traffic not meant for him) until someone logs in to XIV. He harvests their SID for later use. The problem is that your average Starbucks probably gets an average of 0 people logging into it per day. This sort of attack just isn't worth any commercial hacker's time. If someone's stealing accounts by this method, they probably aren't doing it for money (though they might still steal all your gil for themselves). The odds of you personally running into anyone snooping for XIV SIDs is almost nil, but you still might not want to log in at coffee shops, just to be safe.
MitM - Compromised Local Router - Moderately Difficult. Projected Captures: Not enough to be worth it.
The classic "Man in the Middle" attack. The hacker starts randomly dialing IP addresses until they find your (or anyone's) router. Query that router's firmware, google to find known attacks for that version of that router (assuming it isn't up to date), compromise the router, and have it split connections to SE's server to go to them as well. Then, sit and listen and harvest SIDs. I wouldn't worry about this one either, because it basically requires a moderately competent hacker to personally spend time hacking your particular home router. Unless you're a crafting baron with hundreds of millions of gil and your IP address is public knowledge, you're probably safe from this one. If you are in that category, you might want to update the firmware on your router.
MitM - Compromised Backbone Router - Almost Impossible. Projected Captures: All of them
"Man in the Middle" attack, extreme version. Like the above, but the hacker compromises a backbone router, like, say, one that routes international traffic between America and Japan, and harvests all SIDs of all American players. The problem with this one is that backbone routers tend to be up-to-date on their security, and there aren't any known exploits for them. I wouldn't worry about it, because anyone who has the ability to compromise backbone routers probably is after much more valuable things than your FFXIV account. ;)
Compromised Client Machine - Difficult. Projected Captures: Very few
This is the attack form that beat WoW's authenticators a couple years ago, so it's not impossible. The hacker modifies your launcher to connect to his machine instead of to SE. He then forwards information back and forth until you attempt to log-in, at which point he throws you an error, while usurping your login information for his own login session. I don't consider this one a "man in the middle" attack since the attack occurs on the client machine, which is an endpoint and not the middle, even if it does involve placing his machine in "the middle." I wouldn't worry about this one because all of the same defenses apply to this as apply to browser based exploits, and it's much harder for a hacker to install software on your machine via Flash or Java than it is for them to harvest data from your machine using Flash or Java. Also, this has nothing to do with SIDs; if someone is capable of doing this to you, it doesn't matter what Square-Enix does; with this method, the hacker could steal your account, password, and one-time key just as easily (as they did with World of Warcraft).
How to protect yourself from browser-based exploits
The guiding mantra here is "assume that nothing about your browser is secure." Any website that runs any kind of script content could potentially be harvesting data from your system. Java and Flash are generally pretty good, but occasionally exploits do get discovered, and it can take a day or two for a patch to get pushed out (and even longer for all users to install that patch). On any given day, you can't count on even staples like Flash, Java, or HTML5 to be secure. This doesn't mean hijacks are easy, but reading shared data on your system is very possible.
There are three important things to consider before visiting any website:
1. Who is capable of posting scripts to this website? Usually, this will only be the website operator; however, some fan forums and guild hosting sites allow users to embed flash scripts into their posts. Many, many websites allow flash-based banner ads, and not every flash banner ad service actually checks them for vulnerabilities.
2. Do I trust all those people, both not to steal my data, and to keep their own access safe? Most website operators are not malicious. However, many website operators use outdated versions of server software, with known vulnerabilities. I can't tell you what websites are safe and what websites aren't, but even the Curse network has been hacked a couple times, and they have a security team. I would be very wary of low-budget fansites and guild forum hosting sites.
3. What demographics does this site target? A site that targets FFXIV players is much more likely to be an FFXIV account harvesting site (or be a target for FFXIV account harvesting hackers) than a site that sells clothing.
You can make yourself safer by installing things like FlashBlock or NoScript, but remember the mantra: Assume nothing about your browser is secure. Recognize that you are potentially giving someone access to your system every time you visit a new site. If a banner ad seems more interested in getting you to click it than it does in selling a product - remember those nearly-pornographic Evony Online ads? Or, more recently, Wartune? - the website operator might have an ulterior motive besides pushing the product they claim to be selling. Be very wary of any advert on an FFXIV-related site.
Should we be mad at Square-Enix?
If you bought a security token, changed your password ever, or took any other measure to keep your account safe, you have a right to be (especially if you still got hacked). The way in which they use SIDs makes you vulnerable to all of the same attacks (besides some forms of social engineering) as you would be if you had no security token, as well as a few more.
What could (should) Square-Enix be doing to protect us?
In order of importance
1. The biggest thing is, as many people have pointed out, invalidating the SIDs after a logout/disconnect. If a flash program harvests your SID, that should not give them indefinite access to your account, in spite of a password change and authenticator.
2. The other important thing would be to scrub the SID from shared memory after the launcher passes it to the game. I understand why they have a launcher, and I understand why login isn't done within the game (the reasons are too technical even for this post). The SID will have to be passed from the launcher to the game, so it has to live in some public space at some point, but once the game has it, there is no reason why that SID should persist in a space where it can be harvested by any rogue flash script. The game client should scrub it after copying it to non-shared memory.
3. Tying SIDs to IP addresses seems feasible to me, but I didn't get that idea checked by my colleagues and it's not prescribed by the OAuth standard, so there's probably some difficulty there that's not obvious to me. If it can be done, there's no good reason not to do it.
4. Encrypting the channel would protect against the Coffee-Shop attack and other Man in the Middle attacks (though not compromised client). If the other things are done (even just 1 and 2), we'll be safe from any commercial-scale attack, but some people might want to log in from a coffee shop without worrying about someone stealing their account. An extra layer of security never hurts. However, if this is done and 1 and 2 are not done, it will provide no protection at all except against MitM.
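Two posts in this thread converge on the same server-side fix: the earlier one that compares the problem to forum spammers who stay logged in after a ban, and points 1 and 3 of the list just above (invalidate SIDs on logout/disconnect, consider tying them to an IP). The following is an added example, not SE's code and not something the thread's authors wrote, of a session store that implements those properties. Everything in it (the class and method names, the lifetimes, the account names) is an assumption made for illustration; it is a generic pattern, not a description of how SE's lobby servers work.

```python
"""Server-side session store covering the gaps raised in the thread:
unpredictable IDs, expiry on logout or disconnect, revocation of every
session on ban/password change, a hard lifetime, and optional IP binding.
Added example with assumed names and lifetimes; not SE's implementation."""
import hashlib
import secrets
import time
from dataclasses import dataclass

SESSION_ID_BYTES = 16       # 128 bits -> 32 hex characters, as in the thread
MAX_LIFETIME_S = 8 * 3600   # absolute cap, even for an active session
IDLE_TIMEOUT_S = 30 * 60    # a disconnect without a logout still expires


@dataclass
class Session:
    account: str
    client_ip: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, bind_ip=True, clock=time.time):
        self._by_key = {}        # sha256(sid) -> Session
        self._bind_ip = bind_ip
        self._clock = clock      # injectable so expiry can be tested

    @staticmethod
    def _key(sid):
        # Store only a hash of the SID so a leaked table does not hand an
        # attacker a list of live sessions.
        return hashlib.sha256(sid.encode()).hexdigest()

    def create(self, account, client_ip):
        # A CSPRNG token, not a hash of account/time: a derived ID is what
        # would let an attacker search "around" a known valid value.
        sid = secrets.token_hex(SESSION_ID_BYTES)
        now = self._clock()
        self._by_key[self._key(sid)] = Session(account, client_ip, now, now)
        return sid

    def validate(self, sid, client_ip):
        """Return the account for a live session, or None.  Any failed
        check revokes the session so the legitimate user must re-login."""
        key = self._key(sid)
        sess = self._by_key.get(key)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.created > MAX_LIFETIME_S or now - sess.last_seen > IDLE_TIMEOUT_S:
            self._by_key.pop(key, None)
            return None
        if self._bind_ip and sess.client_ip != client_ip:
            # Caveat: mobile and carrier-NAT users change IPs mid-session,
            # so a real deployment might re-authenticate instead of failing.
            self._by_key.pop(key, None)
            return None
        sess.last_seen = now
        return sess.account

    def revoke(self, sid):
        """Logout or detected disconnect: the SID is dead immediately."""
        self._by_key.pop(self._key(sid), None)

    def revoke_account(self, account):
        """Ban, password change or token reset: kill every session for the
        account, including ones currently connected.  Returns the count."""
        dead = [k for k, s in self._by_key.items() if s.account == account]
        for k in dead:
            del self._by_key[k]
        return len(dead)


def demo():
    """Walk through the scenarios described in the thread."""
    now = [1_000_000.0]
    store = SessionStore(bind_ip=True, clock=lambda: now[0])

    # Replaying a copied SID after the owner logs out.
    sid = store.create("player_a", "203.0.113.10")
    before_logout = store.validate(sid, "203.0.113.10")
    store.revoke(sid)
    replay_after_logout = store.validate(sid, "203.0.113.10")

    # Banning an account that has two clients logged in.
    store.create("rmt_bot", "198.51.100.7")
    store.create("rmt_bot", "198.51.100.8")
    killed = store.revoke_account("rmt_bot")

    # A SID lifted from one machine and used from another network.
    sid = store.create("player_b", "192.0.2.1")
    from_other_ip = store.validate(sid, "192.0.2.200")

    # A client that drops without ever sending a logout.
    sid = store.create("player_c", "192.0.2.5")
    now[0] += IDLE_TIMEOUT_S + 1
    after_idle = store.validate(sid, "192.0.2.5")

    return {
        "before_logout": before_logout,
        "replay_after_logout": replay_after_logout,
        "sessions_killed_on_ban": killed,
        "from_other_ip": from_other_ip,
        "after_idle_disconnect": after_idle,
        "sid_hex_len": len(sid),
    }


if __name__ == "__main__":
    print(demo())
```

The ordering matters the way the post above says it does: the lifetime and logout checks are what stop a harvested SID from being useful indefinitely, and IP binding is an extra layer with a usability cost rather than the primary control.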
Did anyone post this in the bug report section? My search didn't turn up anything.
Just to add that, I am able to verify Livilda's screenshot as well.
Sounds like someone needs to invest in some security software. If you're new to computers, or don't have a clue what you're doing, I'm sure someone at some point has told you to invest in an anti-virus. Most ISPs nowadays provide them for free.
If your computer is riddled that badly with viruses, you need to not be playing video games and get your machine fixed. If you don't run an anti-virus then it's nobody's fault but your own when you lose your bank account / gaming accounts.
It is ALL over the internet. Ignorance is NOT an excuse.
Tested this with a 10 minute old key and it worked. On the bright side, we can bypass the launcher and login. ;) I'm kidding, though... SE may already be tracking SIDs for compromised accounts, so logging in with the same key multiple times (especially from different locations) may be a good way to get your account locked for investigation.
This doesn't look like a problem born of negligence, but SE's way of cutting costs on their authentication servers. I know the curiosity can drive some people crazy, but please don't ever visit any of the sites the RMT spammers advertise, even if you don't intend to buy. Browsers are constantly being patched for security holes, and scanning active processes is one of the milder things cutting edge malicious code can do.
Just asking would Ccleaner help to remove session ID from your browser or similar such programs?
Sessions are not IP locked. I'm able to use my friend's account from Texas, and he lives in Japan.
If I tried that in WoW, it would auto lock the account.