A word about security

The server was closed on April 2nd, 2023
https://pwmirage.com/forum/thread/342-we-are-closing/
We did have an incident on the server yesterday. One of our players, Gameruk, started logging in on someone else's accounts and transferred most of the gear and money to another character. He was also asking people in the faction for more money, which he eventually got, so more than one person was affected. Was PW Mirage hacked? I doubt it.


The PW server is indeed a black box. Even with the full source code leaked last year, it's just too much code for anyone to wrap their head around. Nevertheless, there's a lot that can be done to protect a server. PW 1.3.6 came out over 10 years ago, and the server files appeared on the internet not much later. It's easiest to run those server files on the architecture that was normally used at that time, over 10 years ago. Software is always full of bugs though. Something that PW was based on 10 years ago now has a list of known vulnerabilities on the internet just waiting for someone to exploit. Literally, right now there's a PW server around using Apache Tomcat 5.0.33 for hosting the GM web panel. This piece of software is over 8 years old and has its vulnerabilities listed, e.g., here: https://tomcat.apache.org/security-5.html

Just pick one with high priority, google it, grab some exploit script from github, run it against that server and boom, you're a great hacker.


On Mirage we use the latest OS and software that's still supported and has security fixes applied as soon as, or even before, the vulnerability is made public. We still have a high risk of getting hacked though, because of the PW server itself. It's an old piece of software and some people may know a few exploits for it. PW might have fixed them in later versions, but we do want to stick with the old 1.3.6 to keep the 3 races and the old look & feel. And there's no list of PW vulnerabilities on the internet, so we need to get hacked in order to understand the issue and be able to fix it. The best we can do to protect user data is to do backups. Every 3 hours. If someone hacks us and affects someone else on the server, we look at the logs and try to understand what happened and how. When we finally introduce some mitigation for the vulnerability, we try to estimate how much impact the intruder has had, and in the worst case we pull out backups. We have them stored on the PW server machine itself as well as on a separate machine which just pulls them periodically, in case the PW machine dies or all of the backups there get deleted by the intruder.
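The backup arrangement described above (snapshots every 3 hours, kept on the PW machine and pulled by a separate machine) only helps if the pulled copy is actually fresh and intact when it is needed. The following is an added example, not code from PW Mirage or the post's author: a manifest writer for the backup side and an integrity and freshness check for the pull side. The `*.tar.gz` snapshot names, the `MANIFEST` file and the two-interval staleness threshold are assumptions of this example.

```python
import hashlib
import tempfile
import time
from pathlib import Path

INTERVAL = 3 * 3600  # the post says backups are taken every 3 hours


def sha256_of(path):
    """Stream a file through SHA-256 so large snapshot archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir):
    """Run on the PW machine after each backup: list every snapshot with its hash.
    The *.tar.gz naming and the MANIFEST file are assumptions of this example."""
    backup_dir = Path(backup_dir)
    lines = [f"{sha256_of(p)}  {p.name}" for p in sorted(backup_dir.glob("*.tar.gz"))]
    (backup_dir / "MANIFEST").write_text("\n".join(lines) + "\n")
    return lines


def check_pulled_backups(pull_dir, now=None, max_age=2 * INTERVAL):
    """Run on the separate pull machine: report anything that would make the
    off-box copy useless: a missing manifest, missing or altered snapshots, or a
    newest snapshot older than two intervals (a backup or pull job that stopped)."""
    now = time.time() if now is None else now
    pull_dir = Path(pull_dir)
    manifest = pull_dir / "MANIFEST"
    if not manifest.exists():
        return ["no MANIFEST was pulled"]
    problems, newest = [], 0.0
    for line in manifest.read_text().splitlines():
        if not line.strip():
            continue
        digest, name = line.split("  ", 1)
        snap = pull_dir / name
        if not snap.exists():
            problems.append(f"missing snapshot {name}")
            continue
        if sha256_of(snap) != digest:
            problems.append(f"hash mismatch on {name}")
        newest = max(newest, snap.stat().st_mtime)
    if newest == 0.0:
        problems.append("manifest lists no snapshots")
    elif now - newest > max_age:
        problems.append(f"newest snapshot is {(now - newest) / 3600:.1f} h old")
    return problems


def demo():
    """Constructed scenario in a temp dir: a healthy copy, then a tampered
    snapshot, then a copy that has not been refreshed for a day."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("pw-0300.tar.gz", "pw-0600.tar.gz"):
            (Path(d) / name).write_bytes(b"constructed snapshot " + name.encode())
        write_manifest(d)
        healthy = check_pulled_backups(d)
        (Path(d) / "pw-0300.tar.gz").write_bytes(b"altered by someone")
        tampered = check_pulled_backups(d)
        stale = check_pulled_backups(d, now=time.time() + 24 * 3600)
        return healthy, tampered, stale


if __name__ == "__main__":
    for label, result in zip(("healthy", "tampered", "stale"), demo()):
        print(label, "->", result or "ok")
```

The check deliberately lives on the pull side: the post's reason for the second machine is that an intruder on the PW machine could delete or alter the local backups, so the verdict on whether a restore is possible should come from a host that machine cannot write to.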


In yesterday's incident, no vulnerabilities on the PW server were used. Gameruk did get access to someone else's forum account, from where he was able to see in-game account names and reset their passwords. The forum is hosted on yet another machine and the game server doesn't even know about it, so the scenario of using a PW vulnerability to get access to someone's account is very unlikely.


Supposedly Gameruk was banned yesterday on the PW Warzone server for sending out some of their account names to the public. I can't say how much of that is true and it's none of my concern, but I do see that Gameruk did try a bunch of credentials both in the forum and the game on PW Mirage, and not all of them worked. My guess is that he did find a vulnerability on PW Warzone, retrieved user account names and passwords there (PW keeps them in plaintext by default), then tried them on PW Mirage.
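The pattern the post describes, one person trying credentials against many accounts on both the forum and the game and resetting several forum passwords, shows up in authentication logs long before the gear is gone. The following is an added example, not code from PW Mirage or its author: it parses constructed log lines (the format, with both services writing `login ok`, `login fail` and `reset` events tagged by account and source address, is an assumption), flags sources that touch more accounts than one player owns, and lists the accounts whose owners need to be contacted and whose state may need a restore.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real PW Mirage logs). The format is an
# assumption for this example: one line per event from either service.
SAMPLE_LOG = """\
2023-03-31T20:01:02Z forum login ok user=alice src=10.0.0.5
2023-03-31T20:03:11Z forum login fail user=bob src=10.0.0.9
2023-03-31T20:03:15Z forum login fail user=carol src=10.0.0.9
2023-03-31T20:03:20Z forum login ok user=dave src=10.0.0.9
2023-03-31T20:04:00Z forum reset user=erin src=10.0.0.9
2023-03-31T20:04:05Z forum reset user=frank src=10.0.0.9
2023-03-31T20:04:09Z forum reset user=grace src=10.0.0.9
2023-03-31T20:10:00Z game login fail user=erin src=10.0.0.9
2023-03-31T20:10:30Z game login ok user=erin src=10.0.0.9
2023-03-31T21:00:00Z game login fail user=alice src=10.0.0.5
2023-03-31T21:00:30Z game login ok user=alice src=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>forum|game) (?P<event>login ok|login fail|reset) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts, skipping lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def per_source(events):
    """Group, per source address, the distinct accounts it failed on, reset,
    and logged into successfully, across both the forum and the game."""
    stats = defaultdict(lambda: {"fail": set(), "reset": set(), "ok": set()})
    key_for = {"login fail": "fail", "reset": "reset", "login ok": "ok"}
    for e in events:
        stats[e["src"]][key_for[e["event"]]].add(e["user"])
    return stats


def suspicious_sources(events, max_fail_accounts=2, max_reset_accounts=1):
    """Flag a source that fails against more accounts than one person normally
    owns, or that resets passwords of several accounts. A player mistyping
    their own password fails on one account, not on several."""
    flagged = {}
    for src, s in per_source(events).items():
        reasons = []
        if len(s["fail"]) > max_fail_accounts:
            reasons.append(f"failed logins on {len(s['fail'])} distinct accounts")
        if len(s["reset"]) > max_reset_accounts:
            reasons.append(f"password resets on {len(s['reset'])} distinct accounts")
        if reasons:
            flagged[src] = reasons
    return flagged


def accounts_to_review(events):
    """Accounts a flagged source reset or got into: the ones to lock, whose
    owners should be contacted, and whose state may need restoring."""
    stats = per_source(events)
    review = set()
    for src in suspicious_sources(events):
        review |= stats[src]["reset"] | stats[src]["ok"]
    return review


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, reasons in suspicious_sources(evs).items():
        print(src, "->", "; ".join(reasons))
    print("accounts to review:", sorted(accounts_to_review(evs)))
```

Because the forum and the game run on different machines, the two logs have to be joined on the source address before the pattern is visible; a threshold on either service alone would miss a source that fails on the forum and then succeeds in the game with a freshly reset password, which is exactly the sequence the post reconstructs.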


It's always the weakest pillar that fails, and in this case it was probably the passwords themselves. If there is something to be learned from this, please keep your passwords secure. Using a complicated password with numbers or symbols doesn't mean anything if you use the same password everywhere. My best recommendation: a long password that's easy to remember. A nonsense story that's crazy enough to always remember. A single number thrown in there won't hurt either.


-- Edit


I talked with the PW Warzone admin and apparently no credentials were leaked from their server. It seems like Gameruk just guessed the password.
