Message-ID: <20060605162641.GA59029@mail.der-keiler.de>
Date: Mon Jun  5 17:27:03 2006
From: full-disclosure at der-keiler.de (Ulrich Keil)
Subject: Personal Information Disclosure/Account Hijacking
	Vulnerability in mafia online games

The mafia online games www.mafia1930.de, www.mafia1930.com and
www.the-mafia.de operated by e-sport GmbH are popular online
applications with over 400.000 accounts.
Although the basic game is free, many people upgrade to premium
accounts and invest real money to get special features.

An attacker is able to ruin accounts and gain personal information by
analyzing webserver logs.


Details:
The game is designed not to use cookies to track user sessions.
Instead a session id is appended to every URL within the game as a
parameter.

Every clan (user) can set up an informational "about-page", which can
contain a link to the clan website.
Due to the nature of the game most players try to gather information
about other clans and visit their websites regularly.

When clicking on such a link, the current session id of a user is sent
to the server as the HTTP Referer. An attacker can hijack accounts just by
searching for session ids in the webserver logs.


Impact:
An attacker can hijack user sessions and ruin accounts. Furthermore an
attacker has access to all private user data, including name, address,
phone-number and email-address.


Workaround:
-Users of the game should avoid clicking on these links from within
the game. 
-Another option is to disable the sending of the Referer in the
browser.
-Within the game-settings is an undocumented option "IP-blocking",
which might also help.


Thanks:
Mike Andrews gave a talk about security vulnerabilities in web
software (http://video.google.com/videoplay?docid=5159636580663884360). 
Thanks to him for this great presentation and to Google for making it 
freely available.

Ulrich Keil
-- 
http://www.derkeiler.com
PGP Fingerprint: 5FA4 4C01 8D92 A906 E831  CAF1 3F51 8F47 1233 9AAD
Public key available at http://www.derkeiler.com/uk/pgp-key.asc
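
An operator-side mitigation for the Referer leak described above, as an added example that is not part of the original advisory or the game's code: it rewrites a user-supplied about-page so off-site links carry rel="noreferrer" and reports which links would otherwise receive the session id. The parameter name `sid` and all hostnames are assumptions; HTML comments in the input are dropped.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

SESSION_PARAM = "sid"  # assumed name; the advisory does not name the parameter


class LinkHardener(HTMLParser):
    """Re-emit HTML, adding rel="noreferrer" to anchors that leave the site."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.own_host = page_url, urlsplit(page_url).hostname
        self.out, self.external = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            target = urljoin(self.page_url, dict(attrs).get("href") or "")
            host = urlsplit(target).hostname
            if host and host != self.own_host:  # link leaves our origin
                self.external.append(target)
                attrs = [(k, v) for k, v in attrs if k != "rel"]
                attrs.append(("rel", "noreferrer"))
        rendered = "".join(f" {k}" if v is None else f' {k}="{escape(v, quote=True)}"'
                           for k, v in attrs)
        self.out.append(f"<{tag}{rendered}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # void tags: no closing tag emitted

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # parser unescaped it; re-escape


def harden_about_page(page_url, html):
    """Return (hardened_html, links_that_would_receive_the_session_id)."""
    parser = LinkHardener(page_url)
    parser.feed(html)
    parser.close()
    leaks = SESSION_PARAM in parse_qs(urlsplit(page_url).query)
    return "".join(parser.out), (parser.external if leaks else [])


if __name__ == "__main__":
    # Constructed sample: page URL carrying a session id, user-supplied HTML.
    print(harden_about_page("http://game.example/clan.php?id=7&sid=CONSTRUCTED",
                            '<a href="http://clan-site.example/">our site</a>'))
```

rel="noreferrer" depends on browser support; keeping the session id out of the URL (for example in a cookie) removes it from the Referer entirely.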
