Rift security hole plugged with hacker's help

A serious Rift security flaw that allowed access to players' accounts without a password has been fixed with a kindly hacker's help.
Aided by a friendly hacker, Rift developer Trion Worlds has plugged a large security hole in the MMORPG's login system (via Zam). The flaw would allow dastardly cheats to access a player's account without even knowing their username or password.

"I'm very happy to confirm that we did fix a login vulnerability, with significant assistance from an extremely clever user," executive producer Scott Hartsman wrote on the Rift forum. "The root cause was a very subtle bug in error checking of our login validations deep in the server code. No personal information or any such was leaked out, and no outside attacker penetrated our servers, networks, or databases."

Player 'ManWitDaPlan' discovered that he could log into a friend's account "without knowing his username or password, by bypassing the auth system entirely." He reached out on the forums to inform Trion, who then investigated and fixed the fault. Mr. Plan did not disclose publicly how the hack worked.

As is seemingly inevitable with MMORPGs, Rift accounts have been targeted by hackers looking to scrape together or sell in-game currency.

"All totalled up, under 1% of accounts with characters have had characters impacted," Hartsman said. "However, 1% of a surprisingly large number is still very noticeable."

Last week, Trion added a security feature named Coin Lock to prevent players from selling, trading or destroying items if they log in from a "significantly different" location or computer without authorisation.

Hartsman recommends that, even though this flaw is fixed and Coin Lock is in place, players should ensure their Rift account password is not one they use on other websites, in case those are ever compromised.

  • reply
    March 21, 2011 2:45 PM

    Comment on Rift security hole plugged with hacker's help, by Alice O'Connor.

    • reply
      March 21, 2011 3:03 PM

      Nice to see devs learning from other companies and working with people who are being friendly towards them.

    • reply
      March 21, 2011 3:26 PM

      The man should get a free lifetime sub for the deed.

    • reply
      March 21, 2011 3:36 PM

      The coin lock thing is kinda silly. I got coin-locked while logging in on the same computer I always use, and I have a static IP lol

      • reply
        March 21, 2011 3:49 PM

        Was it the first time you logged in then since the patch that made it live?

      • reply
        March 21, 2011 3:50 PM

        Was it the first time after the patch or after they reset the coin lock? I've been locked twice (because of those two reasons) and haven't since.

      • reply
        March 21, 2011 5:51 PM

        Everyone got locked after the initial patch.

        • reply
          March 21, 2011 6:44 PM

          Which was kinda neat; it lets players know how the process works and that it is activated.

    • reply
      March 21, 2011 3:44 PM

      Good thing he wasn't a dick and didn't post it all over the internet instead.

      • reply
        March 21, 2011 4:38 PM

        I agree, it's nice to know there are still nice people in the world of gaming :)

        • reply
          March 21, 2011 6:56 PM

          Oh, there's shitloads. It's just that they never make the news; we only hear about the bad ones.

          Hell, just the Rift community alone is awesome on Keenblade. I've randomly run into so many friendly, helpful people while questing, it's really a great change from my old WoW PvE server (uldaman) where everyone pretty much just wanted to be left alone all the time and not help anyone out.

          • reply
            March 22, 2011 7:06 AM

            Well, it might be because Rift has not exploded onto the "non-gamer" consciousness. I noticed that courtesy WoW started rolling over around the same time that it got really big. The first drop-off was quality of player skill, which is understandable. There's a learning curve with anything. However, the second change was the huge drop-off in gamer courtesy. Lots of multiple bios during raids, people afk'ing without announcing it, afk'ing for unbelievably long periods of time, 2-hour raid building struggles, ragequits, inappropriate need rolling, etc.

            I had someone on Keenblade send me a /tell, APOLOGIZING for rolling need on something by accident. I had just gotten done joking with someone else about the event and could not believe that she actually tried to make it right. This was a rift event, so it wasn't even a formal group. She had not heard me complain to the other guy; she was long gone but realized that she rolled need and stepped up.

            I don't want to sound like a snob, but there is certainly a core group of gamers out there who have been around long enough to know the rules of the road, and so far Keenblade is full of them.

            • reply
              March 22, 2011 7:16 AM

              Wasn't Keenblade the server that the Goons and other hardcore poopsockers picked? That might explain the general air of, uh... professionalism?

      • reply
        March 21, 2011 5:54 PM

        He probably got free play for life and a prostitute compliments of Trion to pop his zits and his cherry. Na, it's cool that he did this and probably has the thanks of many others out there for making this game one step more secure.

        • reply
          March 21, 2011 6:04 PM

          If you read the interview, he apparently runs a small security firm, so I don't think he needs a prostitute given to him to solve that :)

    • reply
      March 21, 2011 6:57 PM

      So there was a Rift in their security?

      • reply
        March 21, 2011 7:07 PM

        It's a good thing someone reported it or there would have been Anarchy Online.

        • reply
          March 21, 2011 7:46 PM

          WoW, I can't believe you went there.

          • reply
            March 21, 2011 7:49 PM

            I'd keep an Aion the situation if I were you.

            • reply
              March 21, 2011 7:53 PM

              If he does, maybe he will find something new EVEntually.

              • reply
                March 21, 2011 8:01 PM

                You guys are pretty sad, you really need to get a (second) life.

                • reply
                  March 21, 2011 8:02 PM

                  Fuzzwah, you are the Archlord of comments like that. Never in 2Moons did I think I'd see the 4th Coming. The Mythos of your Perfect World is like some sort of Asda Story from the Dark Age of Camelot. All across the Free Realms the people look to you as the Face of Mankind. You would hate to see the Fallout Online your comments raise, but it must be Love to know that even as far south as the Meridian 59 the Minions of Mirth FlyForFree. I just hope this doesn't cause some sort of Rift or PlaneShift in the forces of Dark and Light which leads to Guild Wars. If anything were to happen to our Earth Eternal there would be a Tabula Rasa and we'd have to travel Earth & Beyond, though I'm honestly not sure the Jumpgate:Evolution would be ready; it would be wonderful when we finally get our Star Trek Online. I've always dreamed of being a Planetarion, but you'll have to Pardus me; if I don't get some sleep you can count me among the Urban Dead.