Ex-Hacker Finds RIFT Account Flaw, Talks to ZAM

Thanks to a community "white hat," the RIFT account security exploit (that had nothing to do with ZAM) has been squashed. Read our exclusive interview here!

For the past two weeks, the RIFT community has been rocked by a seemingly endless onslaught of accounts being compromised. Account security is an incredibly touchy subject with MMO players, and once it became apparent that this was an epidemic rather than a handful of occurrences, fansites like ZAM were blamed as part of, as Trion put it, a “witch hunt” by some members of the community.

The culprit behind a portion of the account debacle was tracked down by a member of the RIFT community who ignored all of the speculation going on around him and put real effort into making RIFT a safer place to play. Known only as ManWitDaPlan on the RIFT forums (and Webmaka on ZAM’s own forums), he exposed the flaw with the aid of several other committed RIFTers. Trion quickly found his post, contacted him directly, and within hours had the exploit fixed. The entire community, including all of us at ZAM, breathed a huge sigh of relief.

UPDATE: Trion speaks out and clears the air about ManWitDaPlan's find.

Over the last few hours, we’ve managed to reach out to ManWitDaPlan and get his side of the story, find out what his background is, and see what he thinks of the future of RIFT. We hope you enjoy this exclusive interview!


ZAM: What’s your background? Do you often work with account security?

ManWitDaPlan:
I've been a programmer for most of my life (started at age ten), and professionally so since 1995. I currently own a small security-software company specializing in secure data destruction. I'm also something of a "white hat" (aka "ethical hacker") in that I was involved with the cracking and warez scenes in my younger days and have basically employed the skillsets from that era of my life for more worthy pursuits.

ZAM: Why did you want to pin it down? Did you get an account hacked? Or did you just feel like doing a good deed?

ManWitDaPlan:
My account was hit during the start of the hack-fest on the weekend of the 12th-13th of March. I was left with only two pieces of armor and some gold, but my bank and mailbox were completely untouched, which deviates from the norm for what happens to hacked accounts. That made me immediately suspect there was a bug of some sort.

Since I've been working with security for so long I run a very, VERY locked-down system and knew that there was pretty much no way I could have been hacked via the usual avenues (e.g., malware). Still, I invoked some of my more aggressive anti-malware scanners, including a couple that act as hypervisors, and every scan I could throw at the systems turned up nothing at present, and no signs of ever having been infected in the past.

Between these two - the bank being untouched and the systems being clean - I started looking up the chain from me to the game servers proper. I started searching for man-in-the-middle attacks and server-side compromises. That avenue began with investigating how the game works, which led to finding an exploit, which led to working out how it works, which led to the forum post that from the looks of things shook all of Telara in a way that'd make Regulos go "umm, okay, let's go find another planet to eat - these people are nuts!"

ZAM: There was a lot of finger pointing going on around the community, especially towards ZAM RIFT and RIFT Junkies. What would you tell those folks that were on, as Trion called it, a “witch hunt?”

ManWitDaPlan:
Unfortunately that sort of thing is normal human nature. 99.999% of the time a game account gets hacked it was because the user of that account did something dumb, like using weak passwords or reusing compromised credentials, or just as frequently, allowing malware to get a foothold and leech previously-safe credentials.

This time around, it was an active, in-the-wild exploit, so the normal causes were not the primary ones. Some people cannot remove the blinders of their own preconceptions, though, and couldn't adjust to the idea that it wasn't malware or poor client security in all cases, so they stuck with what would be the most likely answer under normal circumstances.

Once it became increasingly clear there was more going on than just bad/reused passwords and those folks were forced to rethink their "it's got to be your fault" stance, the next target was anyone that ran anything that could conceivably be a hacking vector. Thus, the finger pointing toward fansites that offer any form of active content or add-on. ZAM took an extra-tough dose of baseless blame thanks to the old, no-longer-valid link to RMT companies from back in the IGE days.

ZAM: You’ve been hailed as something of a savior on the forums. How’s that make you feel?

ManWitDaPlan:
I find it fun in some ways - everyone loves to feel "special" after all - but disconcerting in others - I'm not the spotlight-seeking type.

That having been said, I do understand why some are making a big deal of it. Trion sunk how many millions of dollars and years of time into making Rift? Hint: Over $50 MILLION and at least a couple years. That is a LOT of capital and work hanging out there. The last thing anyone at Trion needs is to have the playerbase for a pay-to-play game lose confidence in the game's internal security, so they set what I suspect is a new speed record for fixing the exploit.

Continued on Page 2.


Comments

Good job
# Mar 28 2011 at 2:41 AM Rating: Good
Ghost in the Machine
35,922 posts
You're the man now, dog. Smiley: wink
____________________________
Please "talk up" if your comprehension white-shifts. I will use simple-happy language-words to help you understand.
GOOD JOB
# Mar 22 2011 at 2:16 PM Rating: Decent
Internet Footsie Lawyer
12,846 posts
*hug* to Manwitdaplan. Good job =) very awesome that the solution came from a zam poster! Can he get an originally title or something please??
____________________________
>.> heheheheh I am DF's sockpuppet.
rachelravage.us (somewhat NWS website)
http://www.guytalon.com/linger15.html My freeze Fetish DVD, on sale now! (WORK SAFE!)
http://venasevildolls.blogspot.com/ NWS
Niobia will establish a charity for orphaned mooses. (meese?) - Kao
ElneClare wrote:
So grow up folks and don't post anything you don't want your child to read. Doesn't matter if they are in diapers or adults, if it can upset them or you then it shouldn't be posted.
Things that make me go hmmm
# Mar 22 2011 at 9:31 AM Rating: Decent
11 posts
No one else said it soo... cause I like to stir the poo sometimes...

what other "interesting" things did u see looking under the Trion skirt ManWitDaPlan???

:) all kidding aside. I hope to high heaven they rewarded you well for your time (and the helpers too). That kind of troubleshooting takes a lot of time, and you had help even.

I dont like spot lights much either, but you earned yours.. so suck it up fluffy :) :)

/pat on the back for ManWitDaPlan and his crew of snokers!!! :) :)
Good job ManWitDaPlan...Trion, fail :(
# Mar 22 2011 at 5:41 AM Rating: Decent
Scholar
84 posts
Too bad Trion Worlds doesn't QA their work better...good job ManWitDaPlan. I still think this is a huge black eye for Trion World. It will be talked about similarly to other "epic failures" in MMO history...

ManWitDaPlan is right, this game is NOT a WoW killer - a "contender", but another contender that will go down in defeat. Perhaps SWTOR will be the WoW killer. Until then, RIFT will offer a fun diversion.
Excellently done
# Mar 21 2011 at 7:46 AM Rating: Decent
150 posts
It's all been said, but I'll include my thanks and cheers.

WebMaka, you did well.

Trion Worlds, you did well.

Transparency and honesty are virtues less sought by many. You bucked the trend. Thank you from all of us.
Awesome
# Mar 20 2011 at 6:31 PM Rating: Decent
2 posts
Awesome! No better word to describe it. Goes to show how great things can be when you have very efficient developers and leads in a company and a great community. Thank you WebMaka/The Man With The Plan!
Hack Fix
# Mar 20 2011 at 3:10 PM Rating: Good
Scholar
73 posts
Thanks to everyone involved with solving this game-breaking hack that would have eventually driven Trion Worlds out of business and tainted their reputation, along with innocent others ergo RiftJunkies and ZAM. It strengthens people's faith that TW was intelligent and fearless enough to accept and promptly contact those who could help. Not every company would do that. I was with a guildmate/friend while on a dungeon run who went through a struggle to maintain his account as we were with him and listening to him in Vent. We appreciate all of you involved in solving this problem for all us players. It's nice to feel secure rifting again. Kudos!
____________________________
O, to be a voyager and a voyeur no longer!
THANK-YOU!!!!
# Mar 19 2011 at 8:57 PM Rating: Decent
One of my guild mates was hacked in this manner. SO on behalf of him and all of us:


YOU RAWK!
____________________________
Quote:

"Frostmourne is a Hunter weapon. True story."

-Greg the "Ghostcrawler" Street
THANK-YOU!!!!
# Mar 20 2011 at 1:32 PM Rating: Decent
Really awesome interview and incredible job by everybody all around.

It's so cool that people like ManWitDaPlan exist (I hate that name :p ) to counter the people that are complete opposites and are out to beat us down and steal our stuff and whatever ya know.

Also Trion definitely is rocking it out with their game; personally I can't stand Rift but I have a lot of respect for their company and how much love they show to their game and community.
THANK-YOU!!!!
# Mar 20 2011 at 4:14 PM Rating: Good
The Man With The Plan
2 posts
monstermmo wrote:
(i hate that name :p )


Hey now, I happen to like it. :D
Hail to the King, baby!
# Mar 19 2011 at 8:49 PM Rating: Excellent
Too Über for Title
188 posts
Well done ManWitDaPlan. We're all thankful for your selfless work in finding the slumbering monster while everyone's running with their torches and pitchforks :)
____________________________
"If Its a Must, Its Up to US!" Help Contribute to ZAM Wiki's
"Im Nuts for Rift, Because i'm a Squirrel"
Bohtauri
yay
# Mar 19 2011 at 8:40 PM Rating: Good
Scholar
71 posts
I think that pic of a guy standing next to a mailbox crying should be him in his skivvies. It wasn't that the hackers started leaving the armor etc. until a day before they announced the coin lock feature. At least from forum trends that's what I have gathered.
tentimes
# Mar 19 2011 at 6:17 PM Rating: Sub-Default
Trion have known this for days. I HATE all the stupid **tared fanboi's on the forum who for ages were blaming the users.
Hail to the King, baby!
# Mar 19 2011 at 4:41 PM Rating: Excellent
The Man With The Plan
2 posts
I told my guildmates I am now the Troll King - I got over a million people coinlocked at the same time on a busy Friday night. Why troll one shard when you can troll all of them?

Humor aside, this had the potential to be really really ugly. I figure it had at most a week or so of secret time before word got out and things became catastrophically (and likely inescapably/irrecoverably) bad. Trion deserves some serious love for taking it seriously and taking it to the next level.


Edited, Mar 19th 2011 6:43pm by WebMaka
Hail to the King, baby!
# Mar 30 2011 at 11:35 AM Rating: Decent
1 post
You said you're not one for the spotlight and are probably getting a bit tired of all the thank you's so I'll just say good job and leave it at that.

However I do have one question:
(taken from your reply at http://forums.riftgame.com/showthread.php?130781-ManWitDaPlan-Needs-The-Trion-Medal-of-Honor&p=1753562&viewfull=1#post1753562 )

Quote:
Now if everyone would make sure their account passwords are stronger than what idiots use on their luggage


What!? No more 12345!? Looks like I'll have to change the combination on my luggage...

*sadface*
Hail to the King, baby!
# Mar 19 2011 at 6:57 PM Rating: Excellent
372 posts
WebMaka wrote:
I told my guildmates I am now the Troll King - I got over a million people coinlocked at the same time on a busy Friday night. Why troll one shard when you can troll all of them?

Humor aside, this had the potential to be really really ugly. I figure it had at most a week or so of secret time before word got out and things became catastrophically (and likely inescapably/irrecoverably) bad. Trion deserves some serious love for taking it seriously and taking it to the next level.


ULTIMATE TROLL.

Anyway, you did a great thing here, ManWitDaPlan. We can't thank you enough.


Edited, Mar 19th 2011 7:57pm by Micajah
Sheer Awesomesauce
# Mar 19 2011 at 4:28 PM Rating: Excellent
The Great Pretender
ZAM Administrator
6,633 posts
From the work of players who wouldn't take gossip as an answer to Trion's almost unbelievable response, the whole thing is awe-inspiring. Thanks!
____________________________
ZAM QA Lead
EverQuest II || Free Realms
My Non-Gaming Blog
I see rude people.
Thank you
# Mar 19 2011 at 2:49 PM Rating: Decent
2 posts
As a player who has had his account hacked in the past I can not let you go without thanking you for what you have done. I love playing mmos and I hate the people that make it unsafe for us to play. Please keep on helping out the loving players and taking a stand against the hackers. Thank you ManWitDaPlan.
Thank you
# Mar 21 2011 at 9:00 AM Rating: Good
Scholar
703 posts
ManWitDaPlan, thank you for your inquisitive nature, determination and hard work. All players can now rest a little easier knowing that their characters will not be violated by dirty thieves.

But I must say, I'm glad you're on our side! =)
____________________________
I don't want to grow old gracefully.
I want to skid in sideways, screaming "WOO HOO! What a ride!".
Thumbs Up!
# Mar 19 2011 at 2:37 PM Rating: Decent
Scholar
68 posts
Not much to say about this aside from a huge thank you to "ManWitDaPlan" and major kudos to how Trion has handled this whole mess. I do hope that people take this resolution the right way and it adds to their confidence in Trion...