As part of EVE Online's Incursion expansion, players were due to get a new set of forums with a powerful new search feature and other handy tools. A beta version of the forum was released for testing by players at the end of February to help CCP collect feedback on its design. On Thursday, April 7th, the new forum was officially launched and the old forum was set to a read-only archive. It wasn't long, however, before problems began to crop up with the new forum. With so many people now using the new forum, it was only a matter of time before someone found a security hole in it.
Players discovered a cookie-based exploit that allowed them to authenticate as any EVE player without knowing the user's password, including forum moderators and CCP developers. Although user login data wasn't revealed, players abusing the exploit were able to edit other users' posts, access moderator tools and post as developers. A similar exploit was found that allowed players to post arbitrary JavaScript into their forum signatures, which could have led to serious security compromises.
Web developers at CCP disabled the forum for several hours to develop and deploy a fix, but were ultimately unable to resolve the problem. For now, the new forum has been disabled and the old one has been reactivated in its stead. A devblog on the issue is due to be posted tomorrow.
Reader Comments (13)
Posted: Apr 10th 2011 10:37PM (Unverified) said
The very first rule of using cookies is that you never store anything other than a simple salted hash key. Everything else has to remain server-side.
That amateur oversight is bad enough, but the worse offense is that during the forum beta testing, CCP were alerted to these exact exploits by players. They ignored these warnings and released it, anyway.
Posted: Apr 10th 2011 10:51PM SgtBaker1234556 said
With their push to excellence, I must say this surprised me a lot.
CCP has been working on these new forums for a year now.
Instead of the promised inhouse-coded forum, they took and reskinned an open source package and in the process they replaced the authentication system with their own - that was based entirely on *one cleartext character-ID string in a cookie*. Change the ID and boom, you're posting as CCP-dev (with access to the forum admin panel).
I'm sorry to say this, but their web team/QA has no idea what they're doing. This is so elementary, it's embarrassing.
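Added example, not part of the article or of any reader comment and not CCP's code: the cookie pattern the comments above describe (identity read straight from a client-editable cookie) next to a server-side session in which the cookie holds only a random token. The cookie names `character_id` and `session`, the `SessionStore` class and the sample IDs are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed sample data: these character IDs and roles are made up.
ROLES = {"1001": "player", "9001": "developer"}


def identify_vulnerable(cookies):
    """Flawed pattern: the cookie value itself is taken as the identity."""
    return cookies.get("character_id")  # client-controlled, never verified


class SessionStore:
    """Server-side sessions: the cookie carries only an opaque random token."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> character_id, kept on the server

    @staticmethod
    def _digest(token):
        # Only a hash of the token is stored, so a leaked table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, character_id):
        # To be called only after the password check has succeeded.
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._digest(token)] = character_id
        return {"session": token}  # the only value sent to the browser

    def identify(self, cookies):
        token = cookies.get("session")
        if not isinstance(token, str):
            return None
        # Identity comes from the server's table; other cookies are ignored.
        return self._sessions.get(self._digest(token))

    def logout(self, cookies):
        token = cookies.get("session")
        if isinstance(token, str):
            self._sessions.pop(self._digest(token), None)


def role_of(character_id):
    """Map an identified character to a role; unknown or None is anonymous."""
    return ROLES.get(character_id, "anonymous")
```

In a real deployment the session cookie would also be sent with the `Secure` and `HttpOnly` attributes and given a server-side expiry.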
Posted: Apr 11th 2011 2:50PM (Unverified) said
@SgtBaker1234556
It completely baffles me, also. I am a major open-source proponent, but sometimes you just need something very specific to address custom environments. That's often the case when you already have a special set of data, a special security need or authentication need, or you need certain hooks that simply don't already exist in an available solution.
However, writing a piece of forum software is simply not that complex. They may have had a year to do it, but it should only take a month to fully write, test, and implement a fairly simple forum with authentication. Everything their new forums did could have been quickly put together.
The last time I needed forum software, I didn't like how everyone just used pre-existing solutions on their sites so that users had to create a whole second account just for the forums and login separately. You see this almost everywhere and it's frustrating. So, I just wrote my own, so I could control authentication and session handling, entirely. I also didn't like that the most popular forum software NEVER has threaded discussions. That is so damn annoying. So, I wrote my own. The threaded portion was actually probably the most difficult to do correctly (recursion and pagination and all).
Anyway, I had it written and tested and ready for deployment in three weeks with no additional help. And after it was deployed, it served my 100,000+ members for over a full decade excellently.
So, when I see major mistakes like this . . . it really frustrates me. If a guy (kid, at the time, really) could put something together that is fully featured and secure from scratch in three weeks, why can't a group of professional developers at a several hundred person company do it? Especially since there are usually already existing tools to handle the security portions? (It's not like they'd have to write cookie handling or session handling and authentication entirely from scratch).
Posted: Apr 10th 2011 11:05PM Icemasta said
You're forgetting a couple of points.
1) During beta, the limited amount of players actually discovered the cookie bug (not the javascript exploit one as far as I know) to CCP.
2) Upon new forum release and the start of rampant exploits, several threads were opened in the new Suggestions forum to shut down the new forums and go back to the old one as a measure to cut short the exploits. Players either came with an (apparent) professional background, fear of having their account compromised or just because they didn't understand wtf was going on and didn't like it. Those threads were locked and at least 3 players were Locked/Banned from both the forums and the game. This is only from the suggestion forums and nothing about people who posted HOW to do the exploit all over the general pages using CCP Dev accounts and stickying everything.
There's a pretty good chance that we'll see a full dump of forum profiles that someone might have collected under CCP DEV Accounts (Assuming there is a dev forum).
Posted: Apr 11th 2011 2:42AM Suplyndmnd said
Wow, what a rookie ass mistake that is. How does someone let this happen and people told them in beta that it could be done and they STILL went through with it? What kind of fucktards does CCP have working there? First off to be so god awful stupid to make such a rookie mistake but secondly to ignore the feedback. This is done so often by companies that when in beta tests now, I almost never give feedback thinking what's the point. Most just ignore it and do their own thing regardless.
Posted: Apr 11th 2011 3:21AM pcgneurotic said
Well, at least they gave us something to be angry and indignant about for today.
Posted: Apr 11th 2011 3:25AM Mode7James said
I was a little disappointed in the forums myself. What's up with the huge quotes?? Perhaps they're up there in Iceland too long, and need to take a trip here to the US where we invented the World Wide Interwebs. Hire a company here in LA and they'd have a better, more secure forums experience in less than 6 months.
I root for CCP, I really do.
Posted: Apr 11th 2011 3:51AM (Unverified) said
ROFL... CCP you always know how to put a smile on my face. Thanks for wasting my sub money on paying your forum monkeys. BTW the new forums sucked, still suck and will continue to suck. Just like Eve Gate. You're not a social gaming company, you're a PC game studio who is trying to be a console developer.
Free advice--> Focus on that, it will take all you have, and then some. Get Unreal3 to run at 60 on the PS3, spend your money on those programmers, not forums. Douche Bags...
Posted: Apr 11th 2011 5:10AM GaaaaaH said
The web design team that did this also were the geniuses that thought that a character-focused facebook would be a good idea. Rumours are that this same team gets a large share of development focus for the next few cycles.
Posted: Apr 11th 2011 6:49AM axler said
Sad thing is the dude that found the bug and notified CCP to get the forums down as soon as possible before someone gets hurt got banned.
and then he did this
http://i51.tinypic.com/w1qsex.png
Posted: Apr 11th 2011 7:24AM DLemke said
As usual, I just roll my eyes at the deception and wishful thinking involved in the use of ‘expansion’ when referring to CCP’s changes.
These tiny little patches do not represent an ‘expansion’, no matter how many times you call them part of an ‘expansion’.
Posted: Apr 11th 2011 3:54PM dudes said
lol









