Ex-Hacker Finds RIFT Account Flaw, Talks to ZAM

Thanks to a community "white hat," the RIFT account security exploit (that had nothing to do with ZAM) has been squashed. Read our exclusive interview here!

ZAM: This seems like something Trion should’ve found during their QA testing. Why do you think it was missed? Was it something really obscure? And how were you able to track it down when Trion couldn’t?

I can't go into too many details, but can say that the exploit would be easy to miss because you'd have to be looking for something very specific in a very specific place to find it. I found it because I was actively digging for it. Trion was looking for it as well, according to what they and I had discussed. I basically found it before they did.

ZAM: Do you still have confidence in the team? What’s their response to you been thus far?

Trion's response to the revelation of the exploit has been spot-on. Steve Chamberlin, the dev lead for Rift, was on the phone with me within five minutes of my sending the technicals on the exploit, and while I was talking to him, the engineering team was likely already editing and recompiling code. A patch was deployed just over two hours after the exploit was revealed. A few extra fixes (to Coin Lock) were also pushed in at the same time to further tighten things up. The phrase "epic win" is cliched from its overuse as a meme, but it nevertheless certainly fits here.

Trion hit this like Jackie Chan channeling Bruce Lee, which is what you do when you find an exploit. No playing the blame game, no whining, just find and fix and slam the door on the hackers. "Crush the hackers, see them driven from before you, and hear the lamentation of their women!" (Apologies to Ahnold for that...)

ZAM: Do you feel comfortable with Trion’s response?

Extremely so. The response was flawlessly executed, and should become a textbook example of how an MMO company should respond to any discovered bug - contact the person that found it, get the details, verify their findings, act to secure the bug. Not only did the Trion crew take the exploit seriously, they took fixing it seriously. I mean, come on, reported discovery to implemented fixes in TWO HOURS? I've never seen anyone in IT respond to bug reports that fast.

ZAM: There were a number of folks that helped you. Can you point them out?

TheScoo was the hapless-but-willing victim of my tests once I locked down the exploit's specifics. He allowed me to remotely access his account (while he watched) and even let me delete a test character.

HomeFry helped me with some LAN tests and anti-malware scans on my systems, and was on the network monitor while I was wrecking TheScoo's characters and annoying Coin Lock with my escapades.

I bounced some of the details I was seeing off the_real_seebs, who was also looking into the hacking problem and came up with many of the same conclusions I did. Basically I worked out a few key aspects of the exploit before he did, so one way or another this mystery was gonna be solved - if I hadn't gotten to the magic trick he surely would have.

ZAM: Are these sort of things common in MMOs, and do other companies simply keep it quiet?

Security exploits can and do happen in any complex system. MMOs, operating systems, you name it, the more complex the system the more opportunities there are for something to go wrong. There are rootkits for OSX and many Linux variants, Windows is notorious for security issues (although that's slowly improving, finally), the Stuxnet virus targeted embedded systems in nuclear power plants, etc. etc. etc.

Security is fickle. It's finicky. It's nitpicky. It demands attention to the minutiae but will chastise those that cannot also see the big picture. And it punishes the slightest mistake or miscue or omission with the greatest severity.

Anyone that says _insert_MMO_name_here_ is hackproof is delusional. Hacks exist for ALL of them. To use a relevant example, WoW went to two-factor authentication to stop the hacking it had since it launched, so the hackers simply turned around and broke the algorithm that makes their keyfobs for 2FA work. There's a lot of real money in selling virtual things, and that means RMTers can afford to hire the best and brightest of the bottom of the coding barrel. If there is a way to break an MMO, there are people whose working time is devoted to finding it.

The million-dollar-a-month question isn't whether a vulnerability is kept quiet - no matter who you are and what you do, you never reveal an exploitable weakness until after it's corrected - what makes the difference is how it's handled once it's discovered. Trion wins one-point-five Internets for their handling of this particular nightmare.

Good job
# Mar 28 2011 at 2:41 AM Rating: Good
Ghost in the Machine
36,441 posts
You're the man now, dog. Smiley: wink
Please "talk up" if your comprehension white-shifts. I will use simple-happy language-words to help you understand.
# Mar 22 2011 at 2:16 PM Rating: Decent
Internet Footsie Lawyer
12,846 posts
*hug* to Manwitdaplan. Good job =) very awesome that the solution came from a zam poster! Can he get an original title or something please??
>.> heheheheh I am DF's sockpuppet.
rachelravage.us (somewhat NWS website)
http://www.guytalon.com/linger15.html My freeze Fetish DVD, on sale now! (WORK SAFE!)
http://venasevildolls.blogspot.com/ NWS
Niobia will establish a charity for orphaned mooses. (meese?) - Kao
ElneClare wrote:
So grow up folks and don't post anything you don't want your child to read. Doesn't matter if they are in diapers or adults, if it can upset them or you then it shouldn't be posted.
Things that make me go hmmm
# Mar 22 2011 at 9:31 AM Rating: Decent
11 posts
No one else said it soo... cause I like to stir the poo sometimes...

what other "interesting" things did u see looking under the Trion skirt ManWitDaPlan???

:) all kidding aside. I hope to high heaven they rewarded you well for your time (and the helpers too). That kind of troubleshooting takes a lot of time, and you had help even.

I don't like spotlights much either, but you earned yours.. so suck it up fluffy :) :)

/pat on the back for ManWitDaPlan and his crew of snokers!!! :) :)
Good job ManWitDaPlan...Trion, fail :(
# Mar 22 2011 at 5:41 AM Rating: Decent
84 posts
Too bad Trion Worlds doesn't QA their work better...good job ManWitDaPlan. I still think this is a huge black eye for Trion World. It will be talked about similarly to other "epic failures" in MMO history...

ManWitDaPlan is right, this game is NOT a WoW killer - a "contender", but another contender that will go down in defeat. Perhaps SWTOR will be the WoW killer. Until then, RIFT will offer a fun diversion.
Excellently done
# Mar 21 2011 at 7:46 AM Rating: Decent
151 posts
It's all been said, but I'll include my thanks and cheers.

WebMaka, you did well.

Trion Worlds, you did well.

Transparency and honesty are virtues less sought by many. You bucked the trend. Thank you from all of us.
# Mar 20 2011 at 6:31 PM Rating: Decent
2 posts
Awesome! No better word to describe it. Goes to show how great things can be when you have very efficient developers and leads in a company and a great community. Thank you WebMaka/The Man With The Plan!
Hack Fix
# Mar 20 2011 at 3:10 PM Rating: Good
73 posts
Thanks to everyone involved with solving this game-breaking hack that would have eventually driven Trion Worlds out of business and tainted their reputation, along with innocent others ergo RiftJunkies and ZAM. It strengthens people's faith that TW was intelligent and fearless enough to accept and promptly contact those who could help. Not every company would do that. I was with a guildmate/friend while on a dungeon run who went through a struggle to maintain his account, as we were with him and listening to him in Vent. We appreciate all of you involved in solving this problem for all us players. It's nice to feel secure rifting again. Kudos!
O, to be a voyager and a voyeur no longer!
# Mar 19 2011 at 8:57 PM Rating: Decent
One of my guild mates was hacked in this manner. So on behalf of him and all of us:


"Frostmourne is a Hunter weapon. True story."

-Greg the "Ghostcrawler" Street
# Mar 20 2011 at 1:32 PM Rating: Decent
Really awesome interview and incredible job by everybody all around.

It's so cool that people like ManWitDaPlan exist (i hate that name :p ) to counter the people that are complete opposites and are out to beat us down and steal our stuff and whatever ya know.

Also Trion definitely is rocking it out with their game, personally I can't stand Rift but I have a lot of respect for their company and how much love they show to their game and community.
# Mar 20 2011 at 4:14 PM Rating: Good
The Man With The Plan
2 posts
monstermmo wrote:
(i hate that name :p )

Hey now, I happen to like it. :D
Hail to the King, baby!
# Mar 19 2011 at 8:49 PM Rating: Excellent
Too Über for Title
188 posts
Well done ManWitDaPlan. We're all thankful for your selfless work in finding the slumbering monster while everyone's running with their torches and pitchforks :)
"If Its a Must, Its Up to US!" Help Contribute to ZAM Wiki's
"Im Nuts for Rift, Because i'm a Squirrel"
# Mar 19 2011 at 8:40 PM Rating: Good
71 posts
I think that pic of a guy standing next to a mailbox crying should be him in his skivvies. It wasn't that the hackers started leaving the armor etc until a day before they announced the coin lock feature. At least from forum trends that's what I have gathered.
# Mar 19 2011 at 6:17 PM Rating: Sub-Default
tentimes
Trion have known this for days. I HATE all the stupid **tared fanboi's on the forum who for ages were blaming the users.
Hail to the King, baby!
# Mar 19 2011 at 4:41 PM Rating: Excellent
The Man With The Plan
2 posts
I told my guildmates I am now the Troll King - I got over a million people coinlocked at the same time on a busy Friday night. Why troll one shard when you can troll all of them?

Humor aside, this had the potential to be really really ugly. I figure it had at most a week or so of secret time before word got out and things became catastrophically (and likely inescapably/irrecoverably) bad. Trion deserves some serious love for taking it seriously and taking it to the next level.

Edited, Mar 19th 2011 6:43pm by WebMaka
Hail to the King, baby!
# Mar 30 2011 at 11:35 AM Rating: Decent
1 post
You said you're not one for the spotlight and are probably getting a bit tired of all the thank you's so I'll just say good job and leave it at that.

However I do have one question:
(taken from your reply at http://forums.riftgame.com/showthread.php?130781-ManWitDaPlan-Needs-The-Trion-Medal-of-Honor&p=1753562&viewfull=1#post1753562 )

Now if everyone would make sure their account passwords are stronger than what idiots use on their luggage

What!? No more 12345!? Looks like I'll have to change the combination on my luggage...

Hail to the King, baby!
# Mar 19 2011 at 6:57 PM Rating: Excellent
373 posts
WebMaka wrote:
I told my guildmates I am now the Troll King - I got over a million people coinlocked at the same time on a busy Friday night. Why troll one shard when you can troll all of them?

Humor aside, this had the potential to be really really ugly. I figure it had at most a week or so of secret time before word got out and things became catastrophically (and likely inescapably/irrecoverably) bad. Trion deserves some serious love for taking it seriously and taking it to the next level.


Anyway, you did a great thing here, ManWitDaPlan. We can't thank you enough.

Edited, Mar 19th 2011 7:57pm by Micajah
Sheer Awesomesauce
# Mar 19 2011 at 4:28 PM Rating: Excellent
Special Snowflake
6,786 posts
From the work of players who wouldn't take gossip as an answer to Trion's almost unbelievable response, the whole thing is awe-inspiring. Thanks!
Community Manager | QA Lead
ZAM: Support FAQ | Forum FAQ | Forum Rules
Cook Ten Rats
Thank you
# Mar 19 2011 at 2:49 PM Rating: Decent
2 posts
As a player who has had his account hacked in the past I can not let you go without thanking you for what you have done. I love playing mmos and I hate the people that make it unsafe for us to play. Please keep on helping out the loving players and taking a stand against the hackers. Thank you ManWitDaPlan.
Thank you
# Mar 21 2011 at 9:00 AM Rating: Good
703 posts
ManWitDaPlan, thank you for your inquisitive nature, determination and hard work. All players can now rest a little easier knowing that their characters will not be violated by dirty thieves.

But I must say, I'm glad you're on our side! =)
I don't want to grow old gracefully.
I want to skid in sideways, screaming "WOO HOO! What a ride!".
Thumbs Up!
# Mar 19 2011 at 2:37 PM Rating: Decent
68 posts
Not much to say about this aside from a huge thank you to "ManWitDaPlan" and major kudos to how Trion has handled this whole mess. I do hope that people take this resolution the right way and it adds to their confidence in Trion...