Personal Information Disclosure/Account Hijacking Vulerability in mafia online games
The mafia online games www.mafia1930.de, www.mafia1930.com and
www.the-mafia.de operated by e-sport GmbH are popular online
applications with over 400.000 accounts.
Although the basic game is free, many people upgrade to premium
accounts and invest real money to get special features.
An attacker is able to ruin accounts and gain personal information by
analyzing webserver logs.
Details:
The game is designed not to use cookies to track user sessions.
Instead a session id is appended to every URL within the game as a
parameter.
Every clan (user) can set up a informational "about-page", which can
contain a link to the clan website.
Due to the nature of the game most players try to gather information
about other clans and visit their websites regularly.
When clicking on such a link, the actual session id of a user is send
to the server as HTTP referer. An attacker can hijack accounts just by
searching session id's in the webserver logs.
Impact:
An attacker can hijack user sessions and ruin accounts. Furthermore an
attacker has access to all private user data, including name, address,
phone-number and email-address.
Workaround:
-Users of the game should avoid clicking on these links from within
the game.
-Another option is to disable the sending of the Referer in the
browser.
-Within the game-settings is an undocumented option "IP-blocking",
which might also help.
Thanks:
Mike Andrews gave a talk about security vulnerabilities in web
software (http://video.google.com/videoplay?docid=5159636580663884360).
Thanks to him for this great presentation and to Google for making it
freely available.
Ulrich Keil
--
http://www.derkeiler.com
PGP Fingerprint: 5FA4 4C01 8D92 A906 E831 CAF1 3F51 8F47 1233 9AAD
Public key available at http://www.derkeiler.com/uk/pgp-key.asc