Hacking and account hijacking have been severe issues for RIFT ever since launch, even though Trion Worlds anticipated the onslaught from the beginning. Yesterday we saw Trion implement the so-called Coin Lock patch to prevent hackers from selling other players' items in-game, which some see as a novel (partial) solution to the problem.
However, this may not be enough to stop the truly malicious invaders from getting into RIFT accounts. One player, identified as "ManWitDaPlan" on the forums, claims to have circumvented the account login completely, leaving a "huge security hole" for hackers to exploit:
"I have verified the authentication system can be bypassed by successfully logging into another account without needing its credentials. Worse, all it took was about thirty seconds of time once I got all of the details locked down. I did trigger Coin Lock, but I was fully able to access that handy delete-character button, so this exploit is a griefer's dream. I will not post details on how to do this (so don't ask), but I'm positive that I can reproduce this at will and likely on any account on the system."
Later in the thread, a Trion representative added: "We have some things in the works right now and have been passing on your feedback, concerns, and thoughts throughout the day (no matter how radical or unlikely). Sharing sensitive information about our actions (no matter how broad) naturally also informs those carrying out these attacks. This puts us in a tight spot with how much information we can provide, and the questions we can answer."
And it looks as though the problem may be fixed, as ManWitDaPlan posted late last night: "Got word back from Steve Chamberlin, the development lead for Rift. This hole is sealed."
Reader Comments (42)
Posted: Mar 19th 2011 1:10PM xyna031 said
*Tinfoil hat on*
ITS BLIZZARD! They are hiring hackers! ROFL
Jk
Posted: Mar 19th 2011 1:17PM Mamemimomu said
The best part is now the people who were unfortunate enough to get their accounts compromised have a nice long 5+ day wait to play those characters again.
But the fact that it was an issue with Trion's system and not on user end for many of them is a relief, especially with the rabid fanboyism running rampant during that time.
Posted: Mar 19th 2011 9:44PM Icemasta said
@Mamemimomu
Well, technically nobody has proof or evidence that these people were hacked due to this exploit. Yes, an exploit existed. Did the exploit appear with the patch that changed the login system to have the new security system in place? Was it there since shipping?
Also, if you read carefully, the guy wasn't able to circumvent the new security system fully, only able to delete a character, and does not mention unlocking Auction house/trade functions.
So yeah, don't be so quick on using this as a scapegoat, the average user is dumb and if you give them a reason to lower their guards, things will escalate.
Posted: Mar 19th 2011 1:38PM MMOaddict said
Ooh, here come the posts that blame Trion for criminal actions from PEOPLE who have nothing to do with Trion. I really wish that if people point fingers that they point the right way.
On that note, I'm loving Rift and hackers galore means it's a good game. Good enough to draw the criminal element. You don't see people hacking accounts for Alganon. ROFL.
Posted: Mar 19th 2011 6:54PM (Unverified) said
@MMOaddict - the thing is, every time someone gets their account jacked, the universal response is "LOL IDIOT learn how to secure your system" or "LOL bet you gave your password to a powerlevelling company" or some such blaming of the victim. And fair enough - usually it IS the victim's fault. But this time, it wasn't. It was a screw-up on the part of the developer, shipping a game with a gaping security flaw. That's why fingers are being pointed at Trion.
Posted: Mar 19th 2011 1:51PM ManaByte said
Apparently Trion is giving the guy a lifetime sub!
Posted: Mar 19th 2011 1:54PM Mamemimomu said
@ManaByte
*Hoping to see an npc in game named manwitdaplan, he could be bros with faceless man.
Posted: Mar 19th 2011 1:54PM Khalus said
I still want Trion to make and sell Authenticators. IMHO they truly are the best means to secure one's account. I've got authenticators for WoW, FFXI and FFXIV, the only 3 that have them and not once have my accounts been hacked with them active!
Actually, I'll admit, I did get hacked once in WoW...it was this past Nov/Dec '10 when I returned to WoW in preparation for Cataclysm, a brand new account, bought all of WoW during the $10 sale Blizzard had and my games arrived before the authenticator. So I started playing, and had accumulated a whole 20g in a few days, then my account was hacked and that 20g disappeared. I got the authenticator the next day, added it and it never happened again.
Posted: Mar 19th 2011 2:19PM Seldra said
@Khalus I think ALL major release MMOs coming this year or the next should have Authenticators available at release. GW2, SWToR, and Tera, else stuff like this will occur within a month of their release.
Times have changed and the days of simple security questions are grossly out of date.
Posted: Mar 19th 2011 2:27PM Tanek said
@Khalus
I think the authenticators are great and that Trion could do worse than to use them, but...
If all of your other accounts have been hacked and your brand new WoW account was hacked within *days*, you may want to start looking at other common factors. Just in case.
Posted: Mar 19th 2011 2:29PM Apakal said
@Seldra
Yes! There's absolutely no excuse for not providing authenticator services at launch. It's already existing technology that's proven to be incredibly successful. It can't be that hard to implement. You can even give them away with pre-orders of Limited Editions. Do you know how many more Limited Editions you would sell? I never buy LE's because I'm not a collector, but if they included an authenticator I wouldn't think twice about it.
Posted: Mar 19th 2011 3:01PM Khalus said
@Tanek
Nah, I'm pretty well secured on my end, as I'd never been hacked before, but I bought Authenticators just cause, for that added security. This generation of MMO gaming, it seems hackers are so prevalent and persistent that every little bit helps ever more.
~~~~~~~~~~~
Hartsman needs to wake up though, and make authenticators cause there is just no excuse not to, well he said and I quote, "We're not going to go with a separate hardware authenticator, because these days, pretty much everybody has the ability to receive a text message or use an app. So we're going to go out with that, because it's a lot cheaper for everyone involved, and people are more likely to use it if they can download it (as opposed to something they have to order and ship and wait for)."
~~~~~~~~~~~
He is dead wrong, not everyone has a cell phone, and there are quite a few gamers that would rather have an actual authenticator than some app that can also most likely be hacked.
I'll give Trion props for trying something different, but this coin-locking is quite stupid since it still allows one's account to be hacked, and then places annoyances on the player to have to take the time to unlock their account which could take a few min or days. An authenticator doesn't cost much to make and it's proven that most gamers spend a great deal more on virtual items from cash shops...
Posted: Mar 19th 2011 3:04PM Seldra said
@Apakal
I wholeheartedly agree, another point I'd like to make is to put pressure on game new media, especially Massively to ask the tough questions and not softball the developers. Ask questions that normally wouldn't be asked, security and peace of mind tools for players, what they intend to do. These are questions that need to be asked, not the usual obvious stuff that's already been repeated a hundred times over.