Exploit : CHANGE YOUR PASSWORD! - OFFICIAL NEWS - Ryzom Community Forum


#1 Multilingual 


Hello,

We just discovered that a Ryzom player exploited a flaw in our system, and was able to access our internal Support tools. He was recently able to cheat, removing all items from apartments and mektoubs on two of a player’s characters.

We were able to uncover him using our control system, and all his accounts are banned for life from Ryzom.

 

How did he do it?

The player was contributing to improving the game, and, for that, had an account with GM (Game Master) privileges on our “Yubo” test server. Some months ago, following a short technical incident, which was corrected some hours later, the “Yubo” accounts had access to Atys. This player took advantage of this incident to create a character on his “GM account”, on Atys. He used this character to access special WebIG technical support tools, although he was not able to connect to the Atys server. He was still able to read tickets, internal technical support notes, the inventories of many characters and guild halls, item statistics, and so on. (He was unable to access players’ personal information, whose access is restricted to SGMs.) After looking at the information on boosted items that a player (Caellan / Diwlawen) was about to “sell” during an event, he connected to Caellan and Diwlawen, bought their apartments and freed those mektoubs containing the best quality items, pretending that this disappearance was a bug. We have at the moment no proof to confirm or deny any possible theft of the items, but we continue the inquiry.

 

What measures were taken?

For the player who cheated:

This is a double infraction: exploitation, over a long time, of a flaw which gave him access to an internal tool + theft of two accounts in order to take away some items of equipment from their owner. Each of these two infractions carries the penalty of a life ban from Ryzom servers.

In consequence, all the accounts of this player are banned for life.

For the player who was victim of the cheat:

The apartments and mektoubs of Caellan and Diwlawen have been restored, and the player got back all his items. A “yubo cuddle toy” will be offered to him in compensation.

For the security:

Ulukyn (Dev) has recoded the access system to Atys and WebIG, to replace it with a simpler but more secure system. So, even if a “Yubo” account is able to use a flaw to connect to Atys or WebIG, it will not be able to access any “power” or critical applications.

The security system has just been reinforced and, AS AN EXTRA PRECAUTION, EACH PLAYER WILL BE FORCED TO CHANGE HIS/HER “RYZOM” PASSWORD BEFORE BEING ABLE TO CONNECT AGAIN.

In addition, the inquiry continues to discover if there was any theft of items before the destruction of the apartments and mektoubs and, if so, whether or not there were any accomplices.

 

What is the identity of the banned player?

It is Glorf/Lopyrech. Given that Lopyrech is a guild leader, the leadership of this guild was just left to one of his Higher Officers.

We remain at your service to answer your potential questions.

Best regards,

The Ryzom Team

 

Last edited by Tamarea (9 months ago)

---

Tamarea
Ryzom Teams and Communications Manager - (FR / EN / ES)

tamarea@ryzom.com

Ryzom Forge Wiki

#2 Multilingual 

Thanks, Ryzom Team.

---

From past we learn,present we live and future we make:))

#3 [en] 

Thanks for the detective work done and the end result.

#4 [fr] 

Waaa... In any case, a big thank you for everything, and for having worked on it flat out. A top-notch team :D

Merci / Thanks / Gracias / Shoukran ;p

#5 [en] 

Educational videos on passwords, cracking and security in general for those who are interested. Made by the University of Nottingham.

Password cracking aka why you should care about your passwords: https://www.youtube.com/watch?v=7U-RbOKanYs

How to choose a good password: https://www.youtube.com/watch?v=3NjQ9b3pgIg

arc

---

#6 [fr] 

A short chat I had with lopyrèch, just to get his side of the story.




---

fyros pure sève
akash i orak, talen i rechten!

#7 [fr] 

---

fyros pure sève
akash i orak, talen i rechten!

#8 [fr] 

For clarification, the account lopyrèch had given me access to, by passing me his login details, was his Yubo account. I wanted to walk on the canopy, so he told me he had access to Yubo (granted by the admins, as stated in the first post) and that he could give me his login and password. I said deal.

---

fyros pure sève
akash i orak, talen i rechten!

#9 [fr] 

It's stupid; someone who knows Ryzom so well. It's very good that everything is going to be restored...... so it was pointless, and I can't see why anyone would do that...

Last edited by Deed (9 months ago)

#10 [fr] 

Azazor wrote:
For clarification, the account lopyrèch had given me access to, by passing me his login details, was his Yubo account. I wanted to walk on the canopy, so he told me he had access to Yubo (granted by the admins, as stated in the first post) and that he could give me his login and password. I said deal.

Hello,

I would like to point out that this sharing was strictly forbidden, like any sharing of a "privileged" account assigned to a volunteer or to a member of Ryzom Core or Ryzom Forge on Yubo.

Edited 2 times | Last edited by Tamarea (9 months ago)

---

Tamarea
Ryzom Teams and Communications Manager - (FR / EN / ES)

tamarea@ryzom.com

Ryzom Forge Wiki

#11 [fr] 

Deleted by Tamarea (9 months ago) | Reason: Such a comment has no place here.

#12 [en] 

Although it is always good to harden systems, this does not appear to have anything to do with passwords or the implementation of them, as most breaches (>96%) are not password attacks. :/

#13 [fr] 

Bravo for the textbook lynching. As far as I remember, this is the first time a player's name has been exposed like this. And it is odd to see some people rejoicing over it.

#14 [en] 

So very pleased with the whole system that makes up this world so many of us practically live in! Impressive that it seems this was caught fairly fast, and action taken immediately.

Aenigma/LadyKiri

#15 [fr] 

This was reported to me yesterday by another player who was also missing items from their GH.

---
