[Full-disclosure] Personal Information Disclosure/Account Hijacking Vulnerability in mafia online games



The mafia online games www.mafia1930.de, www.mafia1930.com and
www.the-mafia.de operated by e-sport GmbH are popular online
applications with over 400.000 accounts.
Although the basic game is free, many people upgrade to premium
accounts and invest real money to get special features.

An attacker is able to ruin accounts and gain personal information by
analyzing webserver logs.


Details:
The game is designed not to use cookies to track user sessions.
Instead a session id is appended to every URL within the game as a
parameter.

Every clan (user) can set up an informational "about-page", which can
contain a link to the clan website.
Due to the nature of the game, most players try to gather information
about other clans and visit their websites regularly.

When clicking on such a link, the current session id of the user is sent
to the clan's web server in the HTTP Referer header. An attacker can hijack
accounts just by searching for session ids in the webserver logs.


Impact:
An attacker can hijack user sessions and ruin accounts. Furthermore, an
attacker has access to all private user data, including name, address,
phone number and email address.


Workaround:
- Users of the game should avoid clicking on these links from within
the game.
- Another option is to disable the sending of the Referer header in the
browser.
- Within the game settings there is an undocumented option "IP-blocking",
which might also help.
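To make the Details and Workaround sections concrete from the receiving site's point of view, the following Python is an added example (not part of the advisory): it parses constructed Combined Log Format lines, reports which referring hosts expose a session parameter in the Referer, and scrubs those tokens before the line is stored. The parameter name `sid` and the host `game.example` are assumptions; the advisory does not name either.

```python
"""Detect and scrub session ids leaked through the HTTP Referer header."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names treated as session tokens. The advisory does not
# name the game's parameter, so "sid" is an assumption.
SESSION_PARAMS = {"sid", "sessionid", "session_id", "phpsessid"}

# Constructed access-log lines (Combined Log Format) as the clan website's
# operator would see them. The second quoted field is the Referer, which
# carries the game session id of every visitor who clicked through.
ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2006:13:55:36 +0200] "GET / HTTP/1.1" 200 2326 "http://game.example/clan.php?sid=a1b2c3d4e5f6" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2006:13:56:01 +0200] "GET /news HTTP/1.1" 200 1170 "http://game.example/clan.php?id=42" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2006:13:57:12 +0200] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
"""


def leaked_session_params(referer: str) -> dict:
    """Return {name: value} for every session-like query parameter in a Referer URL."""
    if referer in ("", "-"):
        return {}
    pairs = parse_qsl(urlsplit(referer).query, keep_blank_values=True)
    return {k: v for k, v in pairs if k.lower() in SESSION_PARAMS}


def audit_access_log(log_text: str) -> list:
    """Leak audit: list (referring host, leaked parameter names) per affected line.

    Only hosts and parameter names are reported, never the token values."""
    hits = []
    for line in log_text.splitlines():
        quoted = line.split('"')
        referer = quoted[3] if len(quoted) >= 4 else "-"
        leaked = leaked_session_params(referer)
        if leaked:
            hits.append((urlsplit(referer).netloc, sorted(leaked)))
    return hits


def strip_session_from_url(url: str) -> str:
    """Remove session parameters from a URL, keeping all other query parameters."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def redact_log_line(line: str) -> str:
    """Log hygiene: drop session tokens from the Referer before the line is stored."""
    quoted = line.split('"')
    if len(quoted) >= 4 and quoted[3] not in ("", "-"):
        quoted[3] = strip_session_from_url(quoted[3])
    return '"'.join(quoted)
```

Scrubbing on the receiving side limits the damage but does not close the hole; the root fix belongs to the game, which must keep the session id out of the URL (a cookie-based session, or a redirect endpoint that drops the id before the browser leaves the site).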


Thanks:
Mike Andrews gave a talk about security vulnerabilities in web
software (http://video.google.com/videoplay?docid=5159636580663884360).
Thanks to him for this great presentation and to Google for making it
freely available.

Ulrich Keil
--
http://www.derkeiler.com
PGP Fingerprint: 5FA4 4C01 8D92 A906 E831 CAF1 3F51 8F47 1233 9AAD
Public key available at http://www.derkeiler.com/uk/pgp-key.asc

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
