Results 61 to 70 of 132
  1. #61
    Player
    Nanga's Avatar
    Join Date
    Aug 2013
    Posts
    214
    Character
    Rite Neow
    World
    Adamantoise
    Main Class
    Leatherworker Lv 60
    Quote: Originally posted by TaalAzura
    I can tell you didn't even read the post.
    I know, right? Some people just make it way too easy and obvious.
    (2)

  2. #62
    Player
    Nanga's Avatar
    Join Date
    Aug 2013
    Posts
    214
    Character
    Rite Neow
    World
    Adamantoise
    Main Class
    Leatherworker Lv 60
    Quote: Originally posted by Amyas
    So... all you have to do is get a (very specific) virus?

    Unless SE's official sites get infected, I'm not seeing the issue here.
    Uhm, no. Just accept the fact that you don't really understand how viruses, trojans, etc work (incidentally, it's not actually called a "virus" in this case, either), and understand that anyone can be vulnerable and not realize it.
    (1)

  3. #63
    Player
    Ryios's Avatar
    Join Date
    Aug 2013
    Location
    VA
    Posts
    1,055
    Character
    Ryios Locke
    World
    Coeurl
    Main Class
    Gladiator Lv 68
    Note to self: Nuke Token from ffxiv.exe parameters after launching the game....
    (0)

  4. #64
    Player
    Ryios's Avatar
    Join Date
    Aug 2013
    Location
    VA
    Posts
    1,055
    Character
    Ryios Locke
    World
    Coeurl
    Main Class
    Gladiator Lv 68
    They should at least have encrypted the session key with some random salt....

    E.g. They should take your machine key, some random bytes of salt, and encrypt that session id before they pass it to ffxiv.exe. Then at least hackers would need to look at the x86 of the game to see how it desalts/decrypts it.

    Even then, this is a really bad design. They should use a named pipe or tcp/ip to send the session from the launcher to the game, not a command line parameter.
    (4)
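
    The launcher-to-game handoff discussed in post #64, as an added example that is not part of any post and not the game's actual code: it passes the same token once on the command line and once over an anonymous pipe (the child's stdin), and reports what each channel leaves in the child's argument list. The `--session=` parameter name and the stand-in child process are assumptions made for illustration.

```python
import json
import secrets
import subprocess
import sys

# Constructed stand-in for the game client: it reports its own argument list
# and whatever it read from stdin, so the caller can compare both channels.
CHILD = (
    "import sys, json; "
    "print(json.dumps({'argv': sys.argv[1:], "
    "'stdin': sys.stdin.readline().strip()}))"
)


def launch_with_argv(token):
    """Pattern criticized in the thread: the token is part of the command line.

    '--session=' is a hypothetical parameter name, not the real client's.
    """
    out = subprocess.run(
        [sys.executable, "-c", CHILD, f"--session={token}"],
        input="", capture_output=True, text=True, check=True,
    )
    return json.loads(out.stdout)


def launch_with_pipe(token):
    """Alternative suggested in the thread: hand the token over a pipe.

    The token travels on the child's stdin, so it never appears in the
    process arguments that other local processes can list.
    """
    out = subprocess.run(
        [sys.executable, "-c", CHILD],
        input=token + "\n", capture_output=True, text=True, check=True,
    )
    return json.loads(out.stdout)


if __name__ == "__main__":
    tok = secrets.token_urlsafe(16)  # constructed sample token
    print("argv channel:", launch_with_argv(tok))
    print("pipe channel:", launch_with_pipe(tok))
```

    A pipe only keeps the token out of the process's argument list; code already running as the same user can still read it from memory, so server-side expiry and revocation are still needed.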

  5. #65
    Player
    Trasias's Avatar
    Join Date
    Aug 2013
    Location
    Limsa
    Posts
    89
    Character
    Trasias Amad'arlyn
    World
    Malboro
    Main Class
    Conjurer Lv 50
    You know, technically, you broke the rules...


    Can't have more than one person share an account :rofl:
    (0)

  6. #66
    Player Reiterpallasch's Avatar
    Join Date
    Aug 2012
    Posts
    783
    Character
    Arya Stark
    World
    Leviathan
    Main Class
    Leatherworker Lv 50
    Quote: Originally posted by Trasias
    You know, technically, you broke the rules...


    Can't have more than one person share an account :rofl:
    That's nice. Who cares, exactly?
    (0)

  7. #67
    Player
    Mjollnir's Avatar
    Join Date
    Mar 2011
    Location
    Limsa Lominsa
    Posts
    1,581
    Character
    Fiery Mojo
    World
    Gilgamesh
    Main Class
    Marauder Lv 100
    Great, no need to go through those bothersome login screens any more. It's fine to keep this in a shortcut on my desktop, right..? (j/k!)

    At least it explains how hackers have been managing to gain control of people's accounts, even though they have security tokens on. I wonder which website it is that's been compromised?
    (0)

  8. #68
    Player
    Remilia_Nightfall's Avatar
    Join Date
    Aug 2013
    Posts
    830
    Character
    Reimu Hakurei
    World
    Phoenix
    Main Class
    Red Mage Lv 90
    Quote: Originally posted by Mjollnir
    Great, no need to go through those bothersome login screens any more. It's fine to keep this in a shortcut on my desktop, right..? (j/k!)

    At least it explains how hackers have been managing to gain control of people's accounts, even though they have security tokens on. I wonder which website it is that's been compromised?
    The official forums.

    DU DU DUUNNN
    (2)

  9. #69
    Player
    Trasias's Avatar
    Join Date
    Aug 2013
    Location
    Limsa
    Posts
    89
    Character
    Trasias Amad'arlyn
    World
    Malboro
    Main Class
    Conjurer Lv 50
    Quote: Originally posted by Reiterpallasch
    That's nice. Who cares, exactly?
    Probably SE, random.
    (0)

  10. #70
    Player Kosmos992k's Avatar
    Join Date
    Aug 2013
    Location
    Ul'Dah
    Posts
    4,349
    Character
    Kosmos Meishou
    World
    Behemoth
    Main Class
    Paladin Lv 90
    Quote: Originally posted by TaalAzura
    I was able to give only an old, supposed to be expired, session ID to a friend and they were able to log into my account and characters from an entirely different location in the world. I did not provide an account name, password, or one time password. I was also able to log into my account while my friend was logged into it at the same time with a different session ID.
    Man in the middle attacks are not something that viruses accomplish, you're talking about a piece of malware specifically designed to harvest session IDs for the purpose of spoofing or hijacking an account. These pieces of software use some of the same techniques that viruses use to infect targets and hide themselves, but they are not viruses.

    There is an easy fix to this - especially now that we have an auto-logout feature. Invalidate all session keys associated with an account as soon as a logout or disconnect event is detected. What bothers me about this issue is that this is something that any good internet forum admin realizes about spammers: they log in to your forum and establish a session, then, even if you ban their account, they can continue to access the forum as long as they never log out - for as long as your session ID is valid. Therefore you implement something to purge session IDs when you ban an account, and you put a limited life on session IDs to reduce the vulnerability. This is not difficult, it's a server-side fix. Whenever they ban an account, they should be invalidating the session IDs on the login/lobby/instance/game servers so that even if the RMT or bot is logged in when the ban is executed, their connection will be dropped as soon as the session ID is invalidated.

    Oh, BTW, this type of attack on accounts is only really valid on PCs, PS3 users are not vulnerable to this since their system is not infested with malware. To perform a man in the middle attack stealing a session ID from a PS3 gamer, you'd have to have access to their firewall so you could trap the session ID and spoof their session while they were active, which is much, much harder - and not entirely worthwhile to do since it exposes the attacker far more than an anonymous piece of malware capturing session IDs on a PC does.
    (1)
    Last edited by Kosmos992k; 10-09-2013 at 01:25 AM.
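
    The server-side fix described in post #70 (limited session lifetime, plus purging every session of an account on logout, disconnect or ban), as an added sketch that is not part of any post and not the game's actual server code. The `SessionStore` class, its method names and the 15-minute default lifetime are assumptions made for illustration.

```python
import secrets
import time


class SessionStore:
    """In-memory session table with a TTL and per-account revocation."""

    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self._by_id = {}            # session id -> (account, expires_at)
        self._by_account = {}       # account -> set of live session ids

    def issue(self, account):
        """Create a fresh, unguessable session id for an account."""
        sid = secrets.token_urlsafe(32)
        self._by_id[sid] = (account, self.clock() + self.ttl)
        self._by_account.setdefault(account, set()).add(sid)
        return sid

    def validate(self, sid):
        """Return the owning account, or None if unknown, revoked or expired."""
        entry = self._by_id.get(sid)
        if entry is None:
            return None
        account, expires_at = entry
        if self.clock() >= expires_at:
            self._drop(sid)         # expired ids are purged on first use
            return None
        return account

    def revoke_account(self, account):
        """Call on logout, disconnect or ban: kills every session of the account."""
        sids = list(self._by_account.get(account, ()))
        for sid in sids:
            self._drop(sid)
        return len(sids)

    def _drop(self, sid):
        account, _ = self._by_id.pop(sid)
        ids = self._by_account.get(account)
        if ids is not None:
            ids.discard(sid)
            if not ids:
                del self._by_account[account]
```

    Every server that accepts the session id (login, lobby, instance, game) would call `validate` on each request and drop the connection when it returns `None`.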
