Security Disclosure: CCP SSO Tokens not being revoked by character transfers
TL;DR
- CCP fucked up.
- If you bought a character, all the tokens the previous owner issued stay valid and the seller's apps can still read your data. You cannot revoke these tokens.
- If you sold a character, you (and your apps) can still access the buyer's ESI data.
- If you sold a character that was "linked" on an Auth, the buyer can log in as you.
- All third-party applications are affected; persistent apps more so, and apps that handle authentication more so again.
- We have no choice but to trust CCP's SSO completely for AA to work.
- There is very little we can do if bad data is sent to us.
- We have deployed some fixes to minimize the threat.
- CCP has not really acknowledged the scope of the issue or communicated a plan to fix already-bad tokens.
- CCP has not suspended character transfers.
- Transparency is important.
Scope
- Characters transferred while they had outstanding tokens, from at least 2022-08-23; we suspect it goes back a lot longer, but this is the oldest date we can verify.
- This has not been fixed as of this disclosure.
- Character transfers are still active.
Timeline
- Affected character transferred. 2022-09-22 (time intentionally excluded)
- Concerned SysAdmin performed troubleshooting: refreshed the token and confirmed the character IDs etc., establishing that the tokens were still valid (not merely old). 2022-09-26
- EBR-239105 logged by Concerned SysAdmin. 2022-09-26
- EBR-239105 sent to the CSM by Concerned SysAdmin. 2022-09-26
- Sent to me by Concerned SysAdmin to be handed through the Partner Program. 2022-09-26 23:57
- Escalated by me through the Partner Program. 2022-09-27 00:16
- Escalated by me personally to CCP Swift, with examples as to why this should be put on someone's desk urgently. 2022-10-04 08:59
- Escalated by Concerned SysAdmin to CCP's security@ address. 2022-10-04 09:37
- EBR-239105 attached (this means ticketed internally by CCP). 2022-10-04 13:30
- Shared by me with the Alliance Auth maintainers. 2022-10-06 12:10
- Concerned SysAdmin received a response from CCP's security@ address: "Unfortunately this is not the appropriate channel to report any ingame EVE Online violations via this email" (side note: WHAT THE FUCK CCP!). 2022-10-11
- I performed a character transfer to re-check the scope of this issue and whether it was still a thing. 2022-10-11 02:40 and 2022-10-11 12:50
- I sent a follow-up email to security@ informing them of my planned public disclosure timeline of 14 October. 2022-10-11 13:09
- We publicised this issue in order to deploy fixes. 2022-10-14 11:00
Summary
SSO is our trust mechanism; a failure of this type is incredibly difficult for us to work with or protect against. Whatever data CCP sends us, we cannot decide what to respect and what to discard, because we have no way to determine which tokens are incorrectly valid.
This is easily exploitable by apps with users that have sold characters, and they probably already have by accident. In the much longer term, I was also concerned about the long-term effects of people potentially seeding the character bazaar with honeytraps, eroding the trust in SSO further. Because of this (as well as out of respect for CCP) I didn't want to disclose this issue until it was fixed. But full transparency is important, and I'm always happy to discuss the timeline, my/CCP's actions, and strategies to minimize the impact on your auths moving forwards.
I simply don't know, and can't know, whether this has been abused, and neither will you.
Impact
With a valid CharacterOwnership still in place, the buyer could log in to Alliance Auth instances as the seller, gaining access to the seller's linked characters, data and services.
The buyer's character would keep feeding data to the seller's apps through tokens the buyer cannot revoke and does not know exist.
Mitigations
We ultimately delegate our trust entirely to CCP and their SSO. Any deviation from this is more likely to cause issues than to prevent them.
The SSO OwnerHash, which we use to maintain Character <> User relationships independently of token validity, was not reset by the transfer. Because it did not change (presumably as part of the same underlying OAuth issue), it did not protect us.
We have temporarily disabled logging in with any linked character; you must SSO into AA using your main character. This should prevent impersonation.
We have added a new Token Management page that lets users view and delete tokens held in Auth for characters they do not own.
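To make the login path concrete, here is an added example in Python (not Alliance Auth's own code) that models the ownership check and the main-character-only restriction described above. The claim layout follows the EVE SSO JWT (a `sub` of the form `CHARACTER:EVE:<id>` plus an `owner` hash), but the record names, users and hashes are constructed, and the scenario assumes the sold character was a linked alt rather than the user's main.

```python
"""Model of an Alliance Auth style SSO login: bind the character in the SSO
claims to a user via a stored ownership record, then apply the temporary
main-character-only rule. Added example, not Alliance Auth's code; record
names, users and hashes are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class CharacterOwnership:
    character_id: int
    owner_hash: str   # SSO owner hash the character had when it was linked
    user: str         # username the character is bound to


@dataclass
class LoginDecision:
    allowed: bool
    user: Optional[str]
    reason: str


def character_id_from_sub(sub: str) -> int:
    """EVE SSO JWT 'sub' claims look like 'CHARACTER:EVE:2114794365'."""
    kind, realm, cid = sub.split(":")
    if kind != "CHARACTER" or realm != "EVE":
        raise ValueError(f"unexpected subject: {sub!r}")
    return int(cid)


def decide_login(claims: dict, ownerships: Dict[int, CharacterOwnership],
                 mains: Dict[str, int], main_only: bool) -> LoginDecision:
    """Decide whether an SSO callback may log somebody in.

    claims:     decoded JWT claims (only 'sub' and 'owner' are used)
    ownerships: character_id -> CharacterOwnership
    mains:      username -> main character id
    main_only:  the temporary mitigation: only the main character may log in
    """
    cid = character_id_from_sub(claims["sub"])
    own = ownerships.get(cid)
    if own is None:
        return LoginDecision(False, None, "character not linked to any user")
    # The owner hash is meant to change when a character changes account; a
    # changed hash means the stored binding is stale and must not grant access.
    if claims["owner"] != own.owner_hash:
        return LoginDecision(False, None,
                             "owner hash changed: character transferred")
    # Hash unchanged, so the binding looks valid. This is the branch a bought
    # character lands in when the hash is not rotated after the transfer.
    if main_only and mains.get(own.user) != cid:
        return LoginDecision(False, own.user,
                             "linked-character login disabled; use your main")
    return LoginDecision(True, own.user, "ok")


# Constructed scenario: 'seller' linked alt 2001 (main is 1001), then sold it.
OWNERSHIPS = {
    1001: CharacterOwnership(1001, "hash-main-1001", "seller"),
    2001: CharacterOwnership(2001, "hash-alt-2001", "seller"),
}
MAINS = {"seller": 1001}


def buyer_logs_in_with_unrotated_hash(main_only: bool) -> LoginDecision:
    """Buyer signs in with the bought alt; the owner hash was not rotated."""
    claims = {"sub": "CHARACTER:EVE:2001", "owner": "hash-alt-2001"}
    return decide_login(claims, OWNERSHIPS, MAINS, main_only)


def buyer_logs_in_with_rotated_hash() -> LoginDecision:
    """What should have happened: a fresh owner hash after the transfer."""
    claims = {"sub": "CHARACTER:EVE:2001", "owner": "hash-newowner-2001"}
    return decide_login(claims, OWNERSHIPS, MAINS, main_only=False)


if __name__ == "__main__":
    print(buyer_logs_in_with_unrotated_hash(main_only=False))  # allowed as 'seller'
    print(buyer_logs_in_with_unrotated_hash(main_only=True))   # blocked
    print(buyer_logs_in_with_rotated_hash())                   # blocked
```

The first call is the impersonation path: the stored binding is intact, the hash matches, and the buyer is logged in as the seller. Restricting login to the main character blocks that path for a sold alt but cannot help if the main itself was the character sold, which is why the owner hash rotating on transfer is the control that actually matters.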
Recommendations
- Administrators should delete tokens and data that may have been pulled automatically for characters in affiliations you don't recognize, to minimize breaches of the Third Party Developer agreement.
- Users who have sold characters can see whether valid tokens are still outstanding (and so whether they are vulnerable) by visiting https://community.eveonline.com/support/third-party-applications/getgrants/?characterID=CHARACTER_ID&page=1 while logged in to the account that sold the character, with the relevant character ID substituted.
- Buyers have no protections.
- Have your members revoke tokens for sold characters via Token Management (new in 3.3.0).
- Have your members check for unrecognised alts on Auth; if a buyer has logged in as a seller and seeded an alt for later access, that alt's token should be revoked via Token Management.
- Have your members check their service activations; a changed Mumble or forum password should be obvious, as it leaves the original non-functional, but better safe than sorry.
- Have your members with higher permissions cycle their service passwords anyway.
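As an added example (again not Alliance Auth's own code), the following Python audit runs the administrator-facing parts of the recommendations above over a stored-token table: it flags tokens for characters in affiliations the auth does not trust, tokens held by a user who does not own the character, tokens whose character is no longer linked at all, and tokens whose owner hash has changed since issue. All field names, IDs and sample tokens are constructed; the hash check is included as defence in depth and, as the Mitigations section explains, will not fire for the transfers this disclosure is about.

```python
"""Audit stored ESI tokens for the clean-up the recommendations describe.
Added example, not Alliance Auth's code; field names, affiliation IDs and
sample tokens are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class StoredToken:
    token_id: int
    character_id: int
    owner_hash_at_issue: str   # SSO owner hash when this token was first stored
    corporation_id: int
    alliance_id: Optional[int]
    holder: str                # auth user the token is attached to


@dataclass
class Ownership:
    character_id: int
    owner_hash: str            # most recent owner hash seen from SSO
    user: str


def audit_tokens(tokens: List[StoredToken],
                 ownerships: Dict[int, Ownership],
                 trusted_alliances: Set[int],
                 trusted_corps: Set[int]) -> Dict[int, List[str]]:
    """Return token_id -> reasons the token should be revoked or reviewed."""
    findings: Dict[int, List[str]] = {}
    for t in tokens:
        reasons: List[str] = []
        # Drop tokens (and pulled data) for affiliations you don't recognise.
        if (t.alliance_id not in trusted_alliances
                and t.corporation_id not in trusted_corps):
            reasons.append("affiliation not recognised")
        own = ownerships.get(t.character_id)
        if own is None:
            reasons.append("no ownership record for character")
        else:
            # Defence in depth only: with the bug described above the hash
            # does NOT rotate on transfer, so a sold character passes this.
            if own.owner_hash != t.owner_hash_at_issue:
                reasons.append("owner hash changed since token issued")
            if own.user != t.holder:
                reasons.append("token held by a user who does not own the character")
        if reasons:
            findings[t.token_id] = reasons
    return findings


# Constructed data: alliance 99000001 and corp 98000001 are "ours".
TRUSTED_ALLIANCES = {99000001}
TRUSTED_CORPS = {98000001}
OWNERSHIPS = {
    1001: Ownership(1001, "h-1001", "alice"),
    2001: Ownership(2001, "h-2001", "alice"),
    3001: Ownership(3001, "h-3001-new", "bob"),
}
TOKENS = [
    # healthy token for a character in our alliance
    StoredToken(1, 1001, "h-1001", 98000001, 99000001, "alice"),
    # sold alt now sitting in a corp we don't know; hash unchanged (the bug)
    StoredToken(2, 2001, "h-2001", 98000002, None, "alice"),
    # hash rotated after a transfer (what should happen) and foreign affiliation
    StoredToken(3, 3001, "h-3001-old", 98000003, 99000002, "bob"),
    # character no longer linked to any user, token left behind
    StoredToken(4, 4001, "h-4001", 98000001, 99000001, "carol"),
]


def run_audit() -> Dict[int, List[str]]:
    return audit_tokens(TOKENS, OWNERSHIPS, TRUSTED_ALLIANCES, TRUSTED_CORPS)


if __name__ == "__main__":
    for token_id, reasons in run_audit().items():
        print(f"token {token_id}: {'; '.join(reasons)}")
```

Token 2 is the case this disclosure is about: nothing in the ownership data betrays the sale, and only the foreign affiliation gives it away, so the affiliation check is the one admins can actually rely on until CCP fixes the hash.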