• Advertisement
Sign in to follow this  
  • entries
    109
  • comments
    378
  • views
    128029

Oh teh joy of running an MMORPG

Sign in to follow this  

80 views

So I came home today after a nice day, and one of our former developers that got a licence for his own game based on EL code and art, who is still a level 5 admin on EL but had no server access since he left the team sends me an ICQ message and an e-mail letting me know about a BIG security problem, namly an exploit where one can get, under some circumstances, the username and password of the last person that logged in.
Now, this wasn't really easy to get, but the person that found the exploit managed to find a few username/passwords and steal some items.
Finding out who did it was trivial. He also told that ex dev how he did it. Normally, I am happy when people find and report bugs, but this guy stole people's stuff, which is a big NO NO.
So I banned his IP and changed his password to see what items I can recover.
He retalliated by posting the code on a few guild forums.
The big problem was that two server developers are away (one is moving, one in vacation). And the 3rd developer was nowhere to be reached. They made a few changes on where the server source is stored, and given the fact that we are preparing for a new update and have 2 test server running didn't help. To make it even worse, I didn't know which source directory is the last one. So I gave the server password to that ex developer, and he managed to find out which is the most likely version. We tought we fixed the problem, restarted the server, tested for the exploit, and was still there. So we just added a small hack (which is a good hack) and cleared a buffer before any data is processed from an user. This will fix other possibly related bugs. So after another restart, all was nice and well, except that I have to give people the stollen items, which requires a lot of grepping in log files and nice things like that.
So how was your day? :)
Sign in to follow this  


4 Comments


Recommended Comments

Ugh, my day was shitty. There was a powerstruggle at work, and most of us peons got caught up in it. Fuck, I was running around dealing with half the store all night. I swear, this must be some kind of corperate profiling. And it disgusts me.

The other "conspiracy moment" was the "Night of the Deaf and Dumb" where every frickin' deaf person was shopping. Seriously. Almost every person that asked me questions was deaf (like, deaf-from-birth-deaf, meaning they can't articulate themselves. Almost all deafs can read lips though). Thank goodness sign language is intuitive. But statistically, I'm convinced that whole night was a test of the store's disability readiness or something.

Shitty day all around, must be a bad lunar alignment or whatever you want to blame it on.

Share this comment


Link to comment
If I understand this well, the user could find the password because data parts of buffers were filled with old data.

Interesting to learn from such mistakes.

Share this comment


Link to comment
Yes, that's exactly what happened.
But you needed to send a special, crafted packet to the server, otherwise it wouldn't send you that data.

Share this comment


Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Advertisement