So CCP made a huge blunder with the “awesome” new forums: shortly after they were opened to the public a multitude of exploits was found, and their response, as always, was top notch.
In-house Developed Forums…
So one of the statements from CCP was that the new forums were going to be completely developed in-house, but as multiple people soon found out, the forum software contained URLs with yaf_ in them. A bit of googling leads to http://yetanotherforum.net/
So it turns out the forums are using an open-source .NET forum as their base, which in turn brings a few other problems (even though they probably would have been easy to prevent).
Insecurely stored sensitive data
One of the issues found was that certain data was stored in cookies and was never validated again server-side. This data included both the signature and the current character ID.
This meant that anyone could pose as any character simply by changing that value in their cookie; this eventually resulted in people being able to post in the announcements forum and even read forums that are normally not available to them.
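To make the cookie problem concrete, here is an added example (not code from the forum, from YetAnotherForum, or from the original post) contrasting a server that believes the character ID the browser sends with one that signs the cookie and verifies the signature before trusting it. The cookie names (charid, charsig), the character IDs and the server secret are made up for illustration.

```python
import hashlib
import hmac

# Hypothetical server-side secret. Only the server knows it, so a browser cannot
# produce a valid signature for a character ID it was never issued.
SECRET_KEY = b"replace-with-a-random-32-byte-key-from-config"


def parse_cookie(header):
    """Split a Cookie header value ("a=1; b=2") into a dict."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def character_from_cookie_insecure(cookie_header):
    """What the forum effectively did: believe whatever character ID the browser sends."""
    return int(parse_cookie(cookie_header)["charid"])


def sign(value):
    """HMAC-SHA256 over the cookie value, keyed with the server secret."""
    return hmac.new(SECRET_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


def make_signed_cookie(character_id):
    """Issued by the server after a real login; the signature binds the ID to this server."""
    value = str(character_id)
    return f"charid={value}; charsig={sign(value)}"


def cookie_is_authentic(cookie_header):
    """Constant-time check that the signature matches the character ID actually sent."""
    c = parse_cookie(cookie_header)
    return hmac.compare_digest(sign(c.get("charid", "")), c.get("charsig", ""))


def character_from_cookie_verified(cookie_header):
    """The server-side validation step the forum was missing."""
    if not cookie_is_authentic(cookie_header):
        raise PermissionError("cookie signature invalid: tampered or forged")
    return int(parse_cookie(cookie_header)["charid"])


def tamper(cookie_header, character_id):
    """Simulate an attacker editing charid in the browser; the old signature stays in place."""
    c = parse_cookie(cookie_header)
    c["charid"] = str(character_id)
    return "; ".join(f"{k}={v}" for k, v in c.items())


if __name__ == "__main__":
    legit = make_signed_cookie(1001)   # constructed: the attacker's own character
    forged = tamper(legit, 42)         # constructed: a character the attacker does not own
    print("insecure server sees character:", character_from_cookie_insecure(forged))  # 42
    print("authentic?", cookie_is_authentic(legit), cookie_is_authentic(forged))      # True False
```

The signed cookie stops the impersonation described above, but the cleaner design is to keep nothing identifying in the cookie at all: hand out an opaque random session ID and look the character up server-side, so there is no value for the user to edit in the first place.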
XSS Exploits
As I mentioned previously, the forum signature settings were also being stored as a cookie, and people soon found out that one could simply modify that cookie to include any kind of HTML they wanted in their signature, including <script> tags.
This opens up a whole myriad of possible attacks; just check the Wikipedia article on Cross-site Scripting to get an idea of what's possible. Simply said, everything is possible: because the signature is rendered into every page where that user posts, the script runs in the browser of every other user who views it, and from there it can change the behaviour of the entire page or act on that user's behalf. In short, bad stuff.
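The fix on the rendering side is to treat the signature as text rather than markup. The following is an added example (not the forum's, YetAnotherForum's, or the original post's code) that shows the unsafe rendering beside a version that HTML-escapes the signature first and only then converts a small allowlisted set of BBCode-style tags, refusing link schemes other than http/https. The tag syntax and the 200-character limit are assumptions made for the example.

```python
import html
import re


def render_signature_unsafe(signature):
    """What the forum effectively did: drop the cookie value straight into the page."""
    return f'<div class="sig">{signature}</div>'


# Allowlisted markup, applied only AFTER escaping, so the input can never contribute raw HTML.
_URL_RE = re.compile(r"\[url=([^\]\s]+)\](.+?)\[/url\]", re.DOTALL)
_SAFE_SCHEME = re.compile(r"^https?://", re.IGNORECASE)


def _link(match):
    href, text = match.group(1), match.group(2)
    if not _SAFE_SCHEME.match(href):
        # javascript:, data:, vbscript: and friends stay as inert escaped text
        return match.group(0)
    return f'<a href="{href}" rel="nofollow">{text}</a>'


def render_signature_safe(signature, max_len=200):
    """Escape everything, then turn [b], [i] and http(s) [url] into markup."""
    text = html.escape(signature[:max_len], quote=True)  # <, >, &, ", ' become entities
    text = re.sub(r"\[b\](.+?)\[/b\]", r"<b>\1</b>", text, flags=re.DOTALL)
    text = re.sub(r"\[i\](.+?)\[/i\]", r"<i>\1</i>", text, flags=re.DOTALL)
    text = _URL_RE.sub(_link, text)
    return f'<div class="sig">{text}</div>'


if __name__ == "__main__":
    # Constructed inputs: a harmless signature and two that mimic the cookie-edited ones.
    for sig in ("[b]Fly safe[/b]",
                "<script>alert(document.cookie)</script>",
                "[url=javascript:alert(1)]click me[/url]"):
        print(render_signature_unsafe(sig))
        print(render_signature_safe(sig))
```

Escaping before converting the allowlisted tags is the important ordering: quotes and angle brackets are already entities by the time the href attribute is assembled, so an input cannot break out of the attribute, and the scheme check stops the remaining vector, a link that runs script when clicked.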
Posting from a banned IP
At one point a post was made in which the poster claimed they were posting from a banned account on an IP that had been banned. I can't verify it, but if it's legit it means they failed to carry the existing banning system over to the new forums too.
CCP’s Response
So far CCP's response has been to take the new forums offline and reopen the old ones, and to announce that more info will be released on Monday, the 11th of April. There may have been other statements on Twitter and the like, but this is what the official front page says.
Not just the forums
By now this is not just about the forums anymore; see for example Mandrill's Loss of Faith post, which argues that more and more things are going wrong at CCP and that they need a more enterprise-style mentality, because in essence they still work with the hobbyist enthusiasm they started with.
Now we'll just have to wait and see what the Monday devblog brings and whether CCP will step up their game soon. I definitely hope they read Mandrill's blog post and that they can get something of value from it.
…
Finally, I have to credit Helicity's post for most of the details I posted regarding the forum exploits; I also recommend you read it, as it's a good write-up. And credit to whoever made the banner I used for this post.
Xeross out.