Like people said, you should have just sent a report in. If anything, leave out HOW you found this out, etc., because now I could do it without issue if I chose to.
Good find though, because this and the teleport hack are like "omfg really?" issues lol....
Is this for real? If so, it needs to be fixed ASAP!
Using the Security token / Software token is still better protection than having none.
Some ppl seem to forget the main purpose many ppl use the token setup is so they can avoid the IP lock, so if you get the session ID of someone who used a token, it no longer checks the IP. This is almost reversed logic; I would rather have my account lock when it logs in from a diff IP than the alternative.
You could almost argue the token makes your security worse if you have viruses...
People who say things like "just don't get hacked or it's your own fault" are missing the point here. The security token is supposed to be an extra layer of security that the user can set up to prevent outside sources from accessing your account. So that even if someone were to obtain your user name and password, they would not be able to easily access your account. If a hacker can easily grab an unencrypted session ID that never expires and use that and only that to access your account indefinitely, it bypasses the token and makes it essentially worthless. Yes, users should take precautions not to get hacked, but SE should also take the necessary steps in ensuring that the security options they're giving to the users are working properly.
Interesting. I agree having a token is still good enough, but yeah, this must be addressed ASAP.
Physical tokens are not bulletproof: RSA, which served many Fortune 500 companies, had their tokens hacked. Millions were affected: DoD contractors, banks, businesses, etc. http://www.secureworks.com/cyber-thr...rsacompromise/ More here also: http://www.securenvoy.com/blog/2012/...logy-turnpike/ Tokens can be an extra layer of protection, but that is all they are, an extra layer. You still need to take precautions, and SE still needs to patch up holes on their end. It is a two-way street.
Well. Ppl need to stop going to porn sites. That'll save you from 90% of the viruses on the internet.
Wow.... man, just wow... Thank you so much for bringing this up. I just, just simply can't wrap my mind around the fact that SE let this slip through their fingers. This is like the most basic rule of security... you just can't have a session ID not expiring like that... granted, for easy use some websites allow you to keep your old session ID, but these are exceptions.
And I really hope SE gets into fixing this ASAP, I personally don't like the launcher but it works, anyway....
BTW! For anyone who reads this, just know this is NOT an issue with the tokens, but it's rooted deeper into the game system, it renders tokens useless as you can easily bypass them.
Also, just saying, like the guy with the very long post said, more than likely any form of malware infection targeted at SE/FFXIV will come from environments around SE/FFXIV, so yeah.. HamHam, we can't ban the internet's very own reason to be (aside from the CIA spying on us all @.@ lol jkjk for those paranoids out there)
Also, I had to cut off half my post... why the hell do we have a 1000 limit? When does it get raised? If anyone knows...
Either way don't be scared, try to keep your PC clean of viruses, maybe you can scan it once a week, and just be more wary of the sites you visit. Just be cautious.
Read this post if you're more interested, since it'll get passed over by people who don't check all pages.
Just skip the more technical aspects if you don't understand them.
Sorry, but you gotta love the ignorance. Porn sites are not the only source of malicious software, nor phishing, nor whatever the hell you wanna blame it for. I mean, just, gah. Lol.. I know I'm not providing any feasible evidence, but come on, man. Just funny :)
Cute lil Falafells :D
While I agree an encrypted session ID is a much more formidable way of securing pivotal information, the simple fact(s) still remain in that people just need to be smart. Things like making long, difficult passwords (NOT TIED TO ANYTHING such as e-mail), and changing it every 30 days or so goes a long way. Also, using AV software and updating virus defs goes a long way. Do not visit shady websites, and do not loan your account info to anyone, even a friend. If they use your account info on THEIR PC and their pc is infected, kiss your account good bye. Don't download shady things either. I have followed these rules for the past 15 years of playing MMO's and never been hacked. Bottom line, don't be dumb.
Encrypt yes, IP lock is also a decent idea, but IPs are easily spoofed and if they have a virus to capture the SID, then they can also capture the IP and spoof it. Encryption would be the better option, or move the login to the game client itself (best option).
RIFT ran into this when they released. Their login is on a web browser setup as well, and you could get the SID of the login, bypassing passwords and such. Matter of fact, the RIFT issues didn't even involve a virus. Hackers would just run a script that would start counting at 00000 (example only) and add one, trying each one until it successfully logged in.
It does work. Had to do this to bypass the launcher on Linux a while back, before I could get Wine to open the actual launcher. Opened up the game on Windows and got the SID. Then passed it to the Linux machine and logged in just fine.
Sorry but clearly you haven't verified your facts before posting them. This does not work. I've tried to launch the game this way twice (once before and once after getting the authenticator app) and both times it does not get anywhere.
Why do you expect SE to fix something that would be purely your fault? (i.e. if you have a virus on your system)
The authenticator prevents hacking that isn't your fault (hackers getting your passwords from website databases for instance).
The point that he is trying to get across is that the Session IDs don't expire, and can be reused indefinitely. A simple "fix" would be to expire the Session IDs upon logout/dc.
To improve the quality of service and security of their systems? Gee Idk... Why would we ever want to move forward and become better? OH MY!
Because it's ridiculous that old sessions don't expire, not in any decent amount of time (and it should be upon disconnection).
I wanted to call BS on this, but it seems relaunching immediately lets this work. So to extend this theory, I launched it with a new session ID from the launcher and then launched the old session ID at the same time... Error 3102 if I try to select the character that is logged in. However, it lets me log in to any other character.
Welp, guess we just figured out how the spammers are able to assault the servers so quickly. Maybe SE can leverage that fact and add "expire all sessions on logout"
Hey OP, guess what.... tried to duplicate your test, it doesn't work. The session ID expires as soon as I log out. Neither I nor a friend of mine who is an IT/programmer was able to reuse it, as the message was given that that session ID is no longer active. He also tried it while I was logged in to test your second claim. Again the message was given that the ID is currently in use and that he DOES NOT have the rights to use it, let alone log in while I play. The only thing you prove in your OP is that you happily give out your account info despite it being a bad idea. If you have taken the time to set up your PC security and SE account security, if anyone who is not on your PC tries to log in... your account should get locked until you unlock it.
If the authenticator was a strong measure of security, it would aid in preventing both. People would expect SE to fix this issue because they expect their security measures to be kept up to par. If you can fault the user for accidentally getting a virus, then you can certainly fault SE for providing sloppy security options, considering they should have people who are hired to know what they are doing.
Doesn't matter, because you're not going to be compromised unless you were already compromised.
Quote: The point that he is trying to get across is that the Session IDs don't expire, and can be reused indefinitely. A simple "fix" would be to expire the Session IDs upon logout/dc.
And my point is that it doesn't matter.
Quote: If the authenticator was a strong measure of security, it would aid in preventing both. People would expect SE to fix this issue because they expect their security measures to be kept up to par. If you can fault the user for accidentally getting a virus, then you can certainly fault SE for providing sloppy security options, considering they should have people who are hired to know what they are doing.
Is this some kind of joke?
Ok, I want to make a pause here. We are all speculating, since we can't really prove what is happening; some say it is possible to re-use it, others say it's not. Other people are bringing to light the issue of logging in multiple times on the same account, which is another matter of great importance.
And for those who say, if you got infected it's your fault: please, if you're not going to add anything productive, just stand back and keep it to yourself. A lot of people don't know how to protect themselves or what preventive security measures to adopt, and on top of that, you are always vulnerable; it's just that by keeping some basic measures you can reduce the risk a lot. Anyway, please, if you do know so much, enlighten the others with your knowledge.
And again, it doesn't matter if the user got infected by their own doing; it still doesn't justify SE not doing what they can to prevent and help in all these situations. After all, it's their service and their business; if they don't help take care of their customers, there wouldn't be much of a service anymore. SE should implement every reasonable security measure they can in order to make this a more secure environment.
I'd rather see them invalidate the Session ID after a successful logout. They would burn through more sessions but since IPs can be spoofed and the hack would be originating from the machine where the virus is, thus the IP can be logged, it would be a more secure option.
Being a moderate in all things (and therefore a very boring person), I think people are taking things a little too far here. This is a problem that does need to be fixed, but only because all security vulnerabilities should be patched as soon as possible. As far as vulnerabilities go, though, this one is not as bad as it first seems. It's been mentioned already several times by people more well informed on the subject than me, but Man in the Middle attacks will still be a threat even if SIDs expired and were 100% secure. This vulnerability is predicated on the client machine being infected by malware, something that is always a danger.
On that topic, if you'll excuse the hyperbolic comparison, internet security is like going to a war torn region of the world. Is it your fault that someone shot you? No, it's their fault. But is it your fault that you got hurt because you weren't wearing a bullet proof vest? Well, yeah, sort of. Everyone needs to take some responsibility for their own safety when using the internet. SE need to take responsibility for making the environment as safe as possible, but that does not exonerate you from your individual responsibility to preserve your own safety.
The only thing that needs to be encrypted is the handshake and credential exchange; which, according to this, is. After that, it's all just icing on the cake. There's not much a potential exploiter or account thief could learn from the normal game traffic, even unencrypted. Hmmm, I take that back, they could learn if you were an acceptable mark based on your gil and transaction history. But it's not going to get them any closer to stealing your account. The session ID is only exposed during the original exchange done by the launcher, which is encrypted. The risk is of a program on the client machine stealing the session ID, which makes encryption worthless (local encryption does nothing, as it is akin to placing the key on top of the safe).
Works this way for GM convenience (piggybacking); a GM could in theory just generate a session and log into it. That said...
Why even go through the bother? All they have to do is MITM when ffxiv.exe is launched by grabbing the string from the launcher the same way any other tool can see it. There is a logical fix to this:
a) don't use a launcher or
b) write the session to a memory file, have the client read this file.
Anyhow the weakness in this is the client which you can't trust anyway.
Well, I excluded MitM attacks because I was responding to the comment about encryption. If you can MitM the launcher, all of your information is at risk, not just the session ID. It's not my area of expertise, so I wouldn't say it's completely unavoidable, but as far as I know, MitM attacks aren't something SE can easily prevent beyond the measures they are already taking. That's why I said the only real risk associated with this vulnerability is from client machine infection.
Basically, security-wise, it's not possible for SE to secure the client machine (or PS3.) If someone already has a rootkit on that system, absolutely nothing is going to stop the account from being stolen if that's specifically what they're looking for. The Authenticator is only "worthless" in this sense because the machine itself is worthless.
Yes, but if the Session ID was invalidated on logout, the Authenticator wouldn't be useless, as the stolen Session ID would no longer work and a new Session ID would need to be generated with the Authenticator to log back on.
The system's not impervious to advanced attacks, but a virus that invisibly sits in the background and only sends the 32-digit string it's read off the process tree is very easy to write and will be a lot easier to get onto people's systems as more and more plug-ins and tools are downloaded *especially* if just one of those is kept on an unsecure server where someone could upload a subtly modified copy of the software.
Pretty sure invalidation of the Session ID on logout is the easiest and most sensible way to prevent this system being taken advantage of.
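To make the two server-side fixes proposed in this thread concrete (expire the session on logout/disconnect, and stop relying on an ID that stays valid forever), and to show why the counter-style IDs in the RIFT story above are guessable, here is an added Python example. It is constructed for this discussion and is not Square Enix's, RIFT's or any launcher's code; the 30-minute idle timeout, the account names and the sequential issuer's starting value are assumptions, and the brute-force loop simply walks counter values the way that anecdote describes.

```python
"""Session handling the way this thread argues it should work.

Constructed example, not FFXIV or RIFT code. Shows: random 128-bit IDs,
idle expiry, invalidation on logout, a kill-all-sessions switch, and a
brute-force loop that finds sequential IDs but not random ones.
"""
import secrets
import time

IDLE_TIMEOUT = 30 * 60  # seconds; an assumed policy value, not FFXIV's


def random_sid():
    """32 hex characters backed by 128 bits of CSPRNG output."""
    return secrets.token_hex(16)


class SequentialSidIssuer:
    """Counter-based IDs, modelled on the RIFT anecdote. Deliberately weak."""

    def __init__(self, start=1000):  # start value is an assumption
        self._next = start

    def __call__(self):
        sid = format(self._next, "032x")  # same 32-char shape, tiny keyspace
        self._next += 1
        return sid


class SessionStore:
    def __init__(self, issuer=random_sid, idle_timeout=IDLE_TIMEOUT,
                 clock=time.time):
        self._issuer = issuer
        self._idle = idle_timeout
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._sessions = {}  # sid -> {"account": str, "last_seen": float}

    def login(self, account):
        """Issue a fresh ID; in the real flow this happens after password+token."""
        sid = self._issuer()
        self._sessions[sid] = {"account": account, "last_seen": self._clock()}
        return sid

    def resolve(self, sid):
        """Return the account for a live session, or None.

        Idle sessions are dropped here, so a stolen ID that is not replayed
        within the window dies even if the victim never logged out.
        """
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > self._idle:
            del self._sessions[sid]
            return None
        rec["last_seen"] = now
        return rec["account"]

    def logout(self, sid):
        """Invalidate this session; any copied ID stops working with it."""
        return self._sessions.pop(sid, None) is not None

    def logout_everywhere(self, account):
        """Kill every session for the account (password change, suspected theft)."""
        doomed = [s for s, r in self._sessions.items() if r["account"] == account]
        for s in doomed:
            del self._sessions[s]
        return len(doomed)


def brute_force(store, max_tries):
    """Try counter values 0..max_tries-1 as IDs; return the first live one or None."""
    for i in range(max_tries):
        candidate = format(i, "032x")
        if store.resolve(candidate) is not None:
            return candidate
    return None


class FakeClock:
    """Manually advanced clock for demonstrating idle expiry."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    clock = FakeClock()
    store = SessionStore(clock=clock)

    sid = store.login("alice")                  # constructed account name
    assert store.resolve(sid) == "alice"
    assert store.logout(sid)
    assert store.resolve(sid) is None           # replay after logout fails

    sid2 = store.login("alice")
    clock.now += IDLE_TIMEOUT + 1
    assert store.resolve(sid2) is None          # idle session expired

    weak = SessionStore(issuer=SequentialSidIssuer(start=1000), clock=clock)
    weak.login("bob")
    assert brute_force(weak, 2000) is not None  # counter IDs fall in ~1000 tries

    strong = SessionStore(clock=clock)
    strong.login("bob")
    assert brute_force(strong, 2000) is None    # 2^128 space; no hit
    return True


if __name__ == "__main__":
    demo()
    print("all session checks passed")
```

The point of the injectable clock is that expiry is a server-side decision: whether the ID leaks via a process listing, a launcher argument or a keylogger, the server decides how long the copy stays useful, and on logout it should decide "not at all".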
No, according to another topic, there is a way to inject D/B queries to modify your character because the communication between the game client and servers - including character D/B updates are not protected and can be easily manipulated by an unscrupulous player to gain levels, items and gil. In other words cheat. So yes, I'd like to see some level of encryption between client and server, as well as stronger session key security.