- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title:    Horizons: Account Data Sniffing Vulnerability
Date:     January 25, 2006
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A flaw in the Horizons Standalone launcher allows anyone to read out the
account information of any user.

Affected
========

-------------------------------------------------------------------
                          Vulnerable         Unaffected
-------------------------------------------------------------------
HorizonsLauncher.exe      <= 0.5.1005.0      >= 1.6.1005.0
-------------------------------------------------------------------

Description
===========

The Horizons developers have confirmed a vulnerability in retrieving
account data.

Impact
======

By exploiting the flaw, a user can retrieve the account information of
other users simply by forging a custom HTTP request to the auth server.

Reproduction steps
==================

1. Install Charles (or any other proxy software with rewrite features):
   http://www.xk72.com/charles/

2. Fire up Charles and import the attached charles_rewriterule.xml at
   Tools/Rewrite... - [Import...]. The filter does:

   a. replace false with true
   b. replace false with true

      This allows a user to log in with any email address and get the
      list of characters. The password can be anything (or empty).

   c. replace -1 with ANYID

      ANYID is just a wild guess. The ID must be a valid account ID, NOT
      a biote. -1 is the value returned if no successful authentication
      took place. The overwrite now forges a full login and returns an
      XML set with all account data (email, password, userid, chars,
      biotes, publickey).

3. In Charles go to Proxy/Windows Proxy and enable it.

   a. Hit the big red button to start the proxy.
   b. Fire up HorizonsLauncher.exe, enter any valid email, log in and
      click Next until you see the list of characters.
   c. Return to Charles and check the HTTP response: it contains all
      the information in plaintext.
Solutions
=========

- Switch to HTTPS.
- Don't return the password in plaintext; store it on the hard disk if
  the user selects 'save password' in the launcher.
- Don't assume the user only logged in at the start; check
  authentication every time you return DataAccess.
- Use random field names to avoid rewrite rules.

best,
Arcat
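The following is an added illustration, not code from the advisory or from Horizons: a small Python model of the auth flow the reproduction steps describe (a login step that returns -1 on failure, a DataAccess step that trusts the client-supplied ID and hands back the password), the proxy rewrite that forges the login, and a hardened flow that applies the server-side items from the Solutions list. The field names, the account IDs, the sample accounts and the session-token scheme are all assumptions made for this example.

```python
import secrets

# Constructed sample account store for this example; the real Horizons
# backend, its field names and its ID scheme are not known from the advisory.
ACCOUNTS = {
    101: {"email": "alice@example.org", "password": "hunter2", "chars": ["Aria"]},
    102: {"email": "bob@example.org", "password": "s3cret", "chars": ["Borin"]},
}

NO_AUTH = -1  # the advisory says -1 comes back when authentication failed


# --- Model of the vulnerable flow ------------------------------------------

def auth_vulnerable(email, password):
    """Login step: the only point at which credentials are ever checked."""
    for uid, acct in ACCOUNTS.items():
        if acct["email"] == email and acct["password"] == password:
            return {"loggedin": True, "userid": uid}
    return {"loggedin": False, "userid": NO_AUTH}


def data_access_vulnerable(userid):
    """DataAccess step: trusts whatever ID the client sends and returns
    everything, password included (the flaw the advisory describes)."""
    acct = ACCOUNTS.get(userid)
    if acct is None:
        return None
    return {"userid": userid, "email": acct["email"],
            "password": acct["password"], "chars": acct["chars"]}


def proxy_rewrite(login_response, anyid):
    """What the Charles rewrite rule does on the wire: flip the flag and
    swap the -1 for a guessed account ID (ANYID in the advisory)."""
    forged = dict(login_response)
    forged["loggedin"] = True
    if forged["userid"] == NO_AUTH:
        forged["userid"] = anyid
    return forged


def attack_vulnerable(anyid):
    """Log in with any email and an empty password, let the proxy forge the
    response, then ask DataAccess for the guessed account."""
    resp = proxy_rewrite(auth_vulnerable("whoever@example.org", ""), anyid)
    return data_access_vulnerable(resp["userid"])


# --- Hardened flow (server-side items from the Solutions list) ------------

SESSIONS = {}  # session token -> authenticated account ID, server side only


def auth_hardened(email, password):
    """Issue an unguessable session token on success instead of an ID the
    client can later assert on its own."""
    for uid, acct in ACCOUNTS.items():
        if acct["email"] == email and secrets.compare_digest(acct["password"], password):
            token = secrets.token_hex(16)
            SESSIONS[token] = uid
            return {"loggedin": True, "session": token}
    return {"loggedin": False}


def data_access_hardened(token, userid):
    """Re-check authentication on every call, only return the caller's own
    account, and never put the password in the payload."""
    uid = SESSIONS.get(token)
    if uid is None or uid != userid:
        return None
    acct = ACCOUNTS[uid]
    return {"userid": uid, "email": acct["email"], "chars": acct["chars"]}


if __name__ == "__main__":
    print("vulnerable, forged ID 102:", attack_vulnerable(102))
    sess = auth_hardened("alice@example.org", "hunter2")["session"]
    print("hardened, own account:   ", data_access_hardened(sess, 101))
    print("hardened, other account: ", data_access_hardened(sess, 102))
```

Note that the rewriting proxy in the advisory sits between the launcher and the server on the attacker's own machine, so HTTPS and random field names only raise the bar for that attacker (they control the client and can trust their own proxy's certificate, and can read the field names off the wire); the fix that actually closes the hole is the server refusing DataAccess for any account the current session did not authenticate, as `data_access_hardened` does.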