It started as a surprise. Guild Wars players reported suddenly finding themselves hacked, their accounts cleaned out, no indication of what could have caused the problem. NCsoft and ArenaNet offered suggestions, security safeguards, new measures being taken, hints that the problem lay in a popular third-party website with an undisclosed name. But with the recent rash of problems that Aion players have been having regarding security, new facts have begun coming to light, and they paint a picture that isn't pretty.
Specifically, some players seem to be finding that it doesn't take any skill to wind up hacking someone's account accidentally. And all it takes is a few log-in attempts to find yourself with access to someone's account name, password, and billing information for all of a player's NCsoft games.
Aion fans first began reporting that they were finding themselves getting accidentally logged in to the master accounts of other players. It didn't take long to put two and two together -- after all, an unscrupulous player or two could easily exploit this to drain Guild Wars accounts dry without ever being detectable. Poster Erys Vasburg on the Guild Wars Guru forum wrote a lengthy post detailing many of the pieces of evidence suggesting that the source of the much-feared hacks has been just that, despite repeated statements from Support Liaison Gaile Gray to the contrary.
Community Manager Regina Buenaobra has officially posted a response that re-states the position that ArenaNet has held since the beginning: the account hacks are unrelated to the NCsoft master account and the recent events are simply a coincidence. Oddly, however, she also mentions that changes have been made directly to the NCsoft master account page and password change procedure in response to their escalation of the issue, which raises further questions about how much truth there might be to the rumor. We've e-mailed a few questions to ArenaNet in hopes of getting a more definitive response, but thus far none has been received.
Until everything is resolved, many posters are suggesting that you store any and all valuable items in a second Guild Wars account not linked to an NCsoft account. Kill Ten Rats has an excellent post consolidating a number of the threads and discussions into one place, if you're looking for a bit more info. While this is still a rumor, it's being reported from multiple sources, which makes it a bit more questionable, and we can only hope that the truth of the matter becomes evident sooner rather than later.
[Thanks to Daniel for the tip!]
Reader Comments (19)
Posted: Jan 2nd 2010 10:25AM Sephirah said
"LOGGING INTO YOUR OWN PLAYNC MASTER ACCOUNT CAN RANDOMLY LOG YOU INTO ANOTHER PLAYER'S ACCOUNT."
Account ID Hash collision?
Posted: Jan 2nd 2010 10:36AM (Unverified) said
NCSoft and second-rate? Colour me surprised. :rolleyes:
Posted: Jan 2nd 2010 10:36AM archipelagos said
That's some fairly scary stuff. Hope they get it sorted soon.
Posted: Jan 2nd 2010 10:49AM Cinnamoon said
Security has been an issue ever since NCSoft linked all of our COH, GW, etc accounts under a single old email address login that is NOT changeable and which most likely, given how old these accounts are, is not at all a secret email (as you'd presumably use for, say, Battlenet). That was years and years ago. GW hacking existed long before Aion and it's far more likely that all Aion did was create a critical mass of people capable of losing said multi-game password -- I mean come on, all it takes is one subtle keylogger on an unscrupulous fansite, or sharing your Aion creds with a "friend", and bam, all your accounts are compromised -- GW is just the easy one to target since it's free to play.
Getting people who think themselves internet savvy to believe they could succumb to such obvious tricks is harder than the hacking itself, I suspect. It's much easier to believe some hocus pocus about random logins (and if the "whistleblowers" here really believe what they are saying, they really should be ashamed of themselves for bringing the exploit into mass circulation to escalate the hack attempts. Brilliant.)
Posted: Jan 2nd 2010 10:53AM hmmdar said
Weren't there stories about people being logged into the wrong master accounts several months ago? I might be wrong, but I swear I remember reading about this a while ago, and it was supposed to be fixed.
It might have been fixed previously, and somehow reintroduced. (It happens sometimes when people are careless.)
But it does not surprise me in the least to see how NCSoft is handling the issue.
Posted: Jan 2nd 2010 11:26AM Pingles said
I have no history with them so I don't know how much of the hate is justifiable but it doesn't seem unreasonable that when they checked out their account security they found things they could improve upon.
In other words, somebody yells "OMG YOU HAVE SECURITY BREACH!" so you check out your system. No breach is found but you see where you can make improvements.
Posted: Jan 2nd 2010 12:07PM Tanek said
They did not come out and say there is no security issue. There was some initial confusion over what was being reported, but once the situation was understood, this was one of the postings from Gaile Gray:
"I do not know what to advise you. We still do not have confirmation that there is such a security issue. *holds up hand* Wait, please! I'm not in denial and I'm not taking "the party line" in blind defense of NCsoft. But until we test it, we don't have any real data about the reported exploit. (Anecdotal reports are helpful, yes, but they do not and cannot trump actual testing by an experienced crew.)
So at this point, I don't have any additional information to share, and I am sorry -- we all are sorry -- that this is the case. As I have said previously, a lot of emails are being exchanged and many team members and many teams are aware of this report. We are taking this seriously and moving forward with testing and, if necessary, resolution. -- Gaile"
Considering they put what additional security they could in right away and Gaile kept us informed the whole time, I don't think anything was being hidden in this case.
If there is a security issue, am I happy that it exists in the first place? Of course not. But things like this happen and the key is then in the response. It may be the companies where you never hear of problems that you should worry about. ;)
Posted: Jan 2nd 2010 12:13PM Tanek said
They did not come out and say there is no security issue. There was some initial confusion over what was being reported, but once the situation was understood, this was one of the postings from Gaile Gray:
"I do not know what to advise you. We still do not have confirmation that there is such a security issue. *holds up hand* Wait, please! I'm not in denial and I'm not taking "the party line" in blind defense of NCsoft. But until we test it, we don't have any real data about the reported exploit. (Anecdotal reports are helpful, yes, but they do not and cannot trump actual testing by an experienced crew.)
So at this point, I don't have any additional information to share, and I am sorry -- we all are sorry -- that this is the case. As I have said previously, a lot of emails are being exchanged and many team members and many teams are aware of this report. We are taking this seriously and moving forward with testing and, if necessary, resolution. -- Gaile"
Considering they put what additional security they could in right away and Gaile kept us informed the whole time, I don't think anything was being hidden in this case.
If there is a security issue, am I happy that it exists in the first place? Of course not. But things like this happen and the key is then in the response. It may be the companies where you never hear of problems that you should worry about. ;)
Posted: Jan 2nd 2010 11:59AM Tanek said
While it is a frightening thought that someone could log on to your master account by accident, when it comes to the "hackings" you have to keep in mind a couple of things:
1. From the research NCSoft has done, they say the majority of compromised GW accounts were not even linked to a master account.
2. The malicious parties involved in stealing accounts will always find the path of least resistance for stealing as many as they can in as short a time as they can. Given the information so far, a potential flaw in the logon for the master accounts is not one they are using to any extent.
As many people have done in the forums and on the GW wiki, I send my thanks to the technicians who worked through night and day on New Year's to help the players and do what they could to increase security on any potential avenues of access to our GW accounts.
Posted: Jan 2nd 2010 12:04PM (Unverified) said
Even though NCsoft may have its issues, it wouldn't be the sole reason why people are getting hacked. I think people are just trying to point a finger at something quickly so that they can blame someone.
People forget that you do NOT need an NCsoft account, unless you plan on making purchases from their site. I have a good friend who got hacked that never used any online forums and never made an NCsoft account. Although his password could have been stronger, anything that has been mentioned so far doesn't make sense in this case.
Account hackings have been around for a while. These situations should be evaluated on a per account basis to help find a root cause of the issue. Although this would take time, but at the same time it'll help in the long run by providing more security to different ways that accounts are being hacked right now.
I think there is more than one issue here and that people are jumping to conclusions a bit too fast. Only time will tell.
Posted: Jan 2nd 2010 12:57PM (Unverified) said
Well, that explains why my GW account got cleaned out when my EVE and WoW accounts were untouched.
Weird at the time, 'cause I'm kinda rich in EVE and stupendously wealthy in WoW, but all that got hit was my impoverished GW account.
My theory at the time was that they brute-forced my GW password. Which is a weird thing to spend one's time doing, but seemed the only explanation.
Posted: Jan 2nd 2010 2:23PM Meyithi said
Happened to me recently. I haven't logged into GW for over a year and then I received an email telling me that my GW password had been changed. My master account password was fine, which let me log onto it and then change the GW password from there. I reported it to NCSoft but no explanation was ever given.
http://www.meyithi.com/graphics/gw.jpg (proof)
Posted: Jan 2nd 2010 3:09PM MrDiamondJ said
I can tell you that Aion's website has some security bugs. Yesterday I logged into the My Aion portion of the site, and it took me to a username that was similar to mine but a different user entirely (and I have no alts, so it was definitely another user's character). I didn't do anything out of the ordinary, either...I just logged in. There was a weird delay, and then there I was, in another user's account.
Posted: Jan 2nd 2010 6:39PM (Unverified) said
Personally I advise anyone who uses a master account to immediately log in, change the password to something utterly gibberish (write that down!), enter made-up personal info and immediately cancel all games subscriptions you have with them.
In the event you do get hacked expect to spend a week replying via e-mail (only) with account support to resolve the issue. They will want the key to every game (including releases) linked to your master account and the registration code you received at the time you created the master account. They also want a bunch of personal information as well.
They are available via e-mail only M-F 12p-5p CST. It's webmail so expect to go back and forth using a very un-user-friendly form. Then all they will do is ban the account and then your master account without offering much detail as to what they did to "fix" the problem. Good luck.
Posted: Jan 3rd 2010 11:13AM TheJackman said
They can have my GW account if they wanna. Maybe they already got it, I really don't know; I did not log in for years!
Posted: Jan 4th 2010 8:36AM Metalheart said
I also managed to log in to an account which was not mine :( The person is lucky I am not from China!