Rift security hole plugged with hacker's help
by Alice O'Connor, Mar 21, 2011 2:45pm PDT
Aided by a friendly hacker, Rift developer Trion Worlds has plugged a large security hole in the MMORPG's login system (via Zam). The flaw would allow dastardly cheats to access a player's account without even knowing their username or password.
"I'm very happy to confirm that we did fix a login vulnerability, with significant assistance from an extremely clever user," executive producer Scott Hartsman wrote on the Rift forum. "The root cause was a very subtle bug in error checking of our login validations deep in the server code. No personal information or any such was leaked out, and no outside attacker penetrated our servers, networks, or databases."
Player 'ManWitDaPlan' discovered that he could log into a friend's account "without knowing his username or password, by bypassing the auth system entirely." He reached out on the forums to inform Trion, who then investigated and fixed the fault. Mr. Plan did not disclose publicly how the hack worked.
As is seemingly inevitable with MMORPGs, Rift accounts have been targeted by hackers looking to scrape together or sell in-game currency.
"All totalled up, under 1% of accounts with characters have had characters impacted," Hartsman said. "However, 1% of a surprisingly large number is still very noticeable."
Last week, Trion added a security feature named Coin Lock to prevent players from selling, trading or destroying items if they log in from a "significantly different" location or computer without authorisation.
Hartsman recommends that, while this security hole is fixed and Coin Lock is in place, players should ensure their Rift account password is not one they use on other websites, in case those are ever compromised.