I’ve been sitting on this article for a while now, and it seems like as good a time as ever to put it forward. NCsoft is currently investigating heavy allegations of massive security holes in the master account system. As I’ve reported before, the number of stolen Guild Wars and Aion accounts has gone up dramatically in the past few months, which NC originally attributed to a compromised fansite as the source of the theft.
Definitely the most serious, and frightening, of the allegations posted on Guild Wars Guru was that it doesn’t take any skill to hack an NCsoft master account. In fact, according to users, all it takes is spamming log in/log out, and eventually (through the process of happenstance and timing) you may find yourself logged into someone else’s account, able to change passwords, jot down personal details, and clean out accounts without ever being detected.
Both ArenaNet and NCsoft deny any allegations of this exploit, but the security measures being put into place are raising eyebrows as to the validity of that denial: changes have recently been made to the NCsoft master account page, with regard to changing passwords among other things, that were in direct response to NCsoft escalating the issue.
Even more frightening is the idea that this is not a new security issue. When I said that I’d been sitting on this article for a while now, I meant since MMO Fallout was still in conception. An important thing to remember is that the number of accounts being stolen through this method may be lower than originally thought: ArenaNet has stated that fewer than half of the accounts stolen were linked to an NCsoft master account.
[Update from NCsoft: NCsoft has confirmed that these exploits do/did not exist.]
List of Known Vulnerabilities with the NCSoft Site:
1. Wrong Account Bug. Sometimes simply logging into the NCSoft site takes you to someone else’s account instead, with FULL CONTROL over that account. An attacker need only use a bot to log into their own account over and over until the bug occurs, then steal the account the bug gives them.
2. Advanced Vulnerabilities Reported by Mung on Aion Forums
   - “SQL injection is apparently NOT prevented very well. [Mung] was able to send a basic acknowledge request and instead of “page not found” or “incorrect login” [Mung] received an SQL ack!”
   - “The ENTIRE web domain is unprotected from file mirroring (process of copying all files housed at the web host).”
   - “[T]he majority of the process functions for each page under the “secure.ncsoft.com” domain are scripted in PERL but referencing Javascript multiple times for all sorts of verifying processes. This can easily be manipulated to a user’s intention.”
3. Brute Force Vulnerabilities
   - Login failure gives a different error message for real usernames and non-usernames. An attacker can generate a list of valid usernames by systematically running all character strings against the NCSoft site’s username field.
   - Security questions for password reset have dangerously small search spaces that can be guessed quickly. The birthday question (which is the default!) is particularly easy. So is the car color question.
   - A failed attempt at answering security questions that includes one correctly guessed question returns an error message that tells the user which question is correct. This vastly reduces search time for a brute force attack.
   - Password reset attempts are allowed too frequently. 5 attempts every 12 hours is too many given the small search spaces.
   - IPs attempting multiple failed logins or password reset attempts are not blocked, blacklisted, or greylisted.
   - Attacker can specify a new NCSoft password immediately upon correctly guessing password reset questions. The system should create a random password and send it in a confirmation e-mail to the account’s associated address.
   - The GW username is displayed from the NCSoft site. It should not be. This gives an attacker 1/3 of the GW login credentials.
   - Attacker can specify a new GW password immediately upon accessing the NCSite. User should be required to enter old password and/or respond to a confirmation e-mail to the account’s associated address. [Edit: Apparently this was fixed a few hours ago. Old password is now required.]
   - No countermeasures at all against brute forcing the NCSoft password. (Gaile states that she has been told there are, but forum members making repeated failed login attempts did not encounter lockout, blacklisting, or increasing delay. Suspect Gaile has been misinformed by NCSoft staff.)
4. GW usernames are present in old support tickets. This renders the new character name security question useless.
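The controls the brute-force items above say are missing, shown together as an added example (not NCsoft's code and not from the forum posts): one uniform reply for login and for reset, all-or-nothing checking of security answers, a lockout that doubles per failure for both username and IP, and a one-time reset token mailed to the address on file in place of the mailed random password the list suggests. The `Accounts` class, its method names and the thresholds are hypothetical.

```python
import hashlib, hmac, secrets

MAX_FAILURES, BASE_LOCKOUT = 5, 60  # assumed policy: lock from 5th failure, 60 s doubling
LOGIN_ERROR = "Invalid username or password."
RESET_REPLY = "If the details match, a reset link was sent to the address on file."
DUMMY = {"salt": b"\0" * 16, "pw": b"", "answers": []}  # stand-in: unknown names hash too

def _hash(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

class Accounts:  # hypothetical in-memory model for illustration
    def __init__(self):
        self.users, self.fails, self.outbox = {}, {}, []

    def add(self, name, email, password, answers):
        salt = secrets.token_bytes(16)
        self.users[name] = {"email": email, "salt": salt, "pw": _hash(password, salt),
                            "answers": [_hash(a.strip().lower(), salt) for a in answers]}

    def _blocked(self, name, ip, now):
        return any(now < self.fails.get(k, (0, 0))[1] for k in ("user:" + name, "ip:" + ip))

    def _fail(self, name, ip, now):
        for k in ("user:" + name, "ip:" + ip):  # counted even for nonexistent names
            n = self.fails.get(k, (0, 0))[0] + 1
            delay = BASE_LOCKOUT * 2 ** (n - MAX_FAILURES) if n >= MAX_FAILURES else 0
            self.fails[k] = (n, now + delay)

    def login(self, name, password, ip, now):
        if self._blocked(name, ip, now):
            return LOGIN_ERROR
        user = self.users.get(name, DUMMY)
        if not hmac.compare_digest(_hash(password, user["salt"]), user["pw"]):
            self._fail(name, ip, now)
            return LOGIN_ERROR  # same text for unknown user, wrong password, lockout
        self.fails.pop("user:" + name, None)
        return "OK"

    def request_reset(self, name, answers, ip, now):
        if not self._blocked(name, ip, now):
            user = self.users.get(name, DUMMY)
            given = [_hash(a.strip().lower(), user["salt"]) for a in answers]
            # Check every answer (no early exit); only the combined verdict is used.
            hits = [hmac.compare_digest(g, h) for g, h in zip(given, user["answers"])]
            if given and len(given) == len(user["answers"]) and all(hits):
                self.outbox.append((user["email"], secrets.token_urlsafe(32)))
            else:
                self._fail(name, ip, now)
        return RESET_REPLY  # identical whether 0, 1 or all answers matched
```

The caller never chooses the new password inside the reset request; the token in `outbox` stands for the mail sent to the registered address, which is the only place a new password can then be set.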
More on this issue as it arises. NCsoft is taking the allegations very seriously and has been working around the clock investigating the issue.
I have also recently been a victim of NCsoft’s lack of security measures. I have been playing Lineage 2 for 5 years and was in shop mode on 12/20/2010. I was disconnected; the master account password, email, security questions, and game password were changed with no notification, and my Lineage 2 account is completely stripped. I even got a call from my clan mates, who said that someone was on my account and couldn’t get into Ventrilo; however, I couldn’t stop the theft.
This is not the first time. In June 2010, I was inactive for 1 year and the game was not even on this brand new computer; how they got my account information is still a mystery. They returned only my main gear and my adena; none of the 500 million worth of materials and “consumable items” got returned.
However the second time around, they didn’t give me any of my gear or items back because they state that my account is only allowed a one time restoration. I am still waiting for their response on how my account was breached.
My computer is clean of viruses and keyloggers of any kind, yet I am punished even further for being a victim the second time. I hope those others who have suffered this tragedy stand up to NCsoft’s awful policies and fight back.