Posted December 17, 2016 The connection to the game is broken this server is closed? Or is it under attack? What will we do...! Share this post Link to post Share on other sites
Posted December 17, 2016 (edited) Its due to someone has found an exploit that can hack any account in WU, and they decided to test it out on the highest population none Russian server. They recorded everything, but showing how to use the hack in this video - Edit: Also the person in question behind the hack has released something public today that the Wurm Dev's in question need to fix ASAP, even worse than this exploit - going to PM them direct as it shouldn't be public. Edited December 17, 2016 by WUPlayer Share this post Link to post Share on other sites
Posted December 17, 2016 RIP 2 days of straight grinding for nothing Share this post Link to post Share on other sites
Posted December 17, 2016 This will explain why we cannot connect 50% of the time to Our server as well, including the listing problem. Just wish we could get some info on it from staff, instead of the very unprofessional thread locking censorship and rudeness. Is there a thread currently where there are some updates and news on this, then we can all watch that? Share this post Link to post Share on other sites
Posted December 17, 2016 guess enki or some other stuff will anounce some news in time Share this post Link to post Share on other sites
Posted December 17, 2016 Will be good. I mean we (well, most developers) understand sec issues, so I have no issue with that. But since we have massive time investments and playerbases, at great expense, some word will be great. Just happy to know the connection issues we've been seeing isn't config/data related, because I have hunted high and low today. Share this post Link to post Share on other sites
Posted December 17, 2016 I have been thinking about some potential workarounds for server owners to carefully consider. - Limit GM accounts to only steamids that have been used on your server and no where else. For server owners this is especially important. Consider picking up a second copy of WU on a new steam account, using it as your GM account on your server and never using this second copy of WU anywhere else. This should largely contain the problem with GM account powers being overridden. They need both your steamid and your gm name to accomplish the hack with the extra powers - For players it's largely an irritation until you get into mayors, deed owners, alliance controllers, kingdom officers. For those the same work around as above could work however it's a huge inconvenience for them and not a great option. Deed owners etc have to worry about disbands etc being triggered when someone takes over the account - Limit all GM accounts to Level 2 except for the server owner account (and use the first option above to protect that account) Share this post Link to post Share on other sites
Posted December 17, 2016 24 minutes ago, Nappy said: I have been thinking about some potential workarounds for server owners to carefully consider. Snip Thing is the steamid's are supposedly visible even if the player is set to private in Steam - so they can be found and duped easily. There is only 1 way of limiting the damage, and it would only stop admin accounts being compromised. At present all WU servers could be compromised at any time. This needs a fix from the Wurm Dev's as soon as possible; they are aware just hope they are working on it as without it WU is useless multiplayer. Share this post Link to post Share on other sites
Posted December 17, 2016 (edited) meep. Edited December 18, 2016 by Trake Share this post Link to post Share on other sites
Posted December 17, 2016 (Repost from the server thread) After a rather close review of our code, the only way someone could have compromised accounts is by having access to the user's computer or Steam account. Unless modded out (which I do believe is against our use agreement), the client and server work together to use Steam for authentication. The short of it is the client sends the SteamID as well as an authentication token. We hash the SteamID as a password, yes - however we rely on the authentication token. This is given to Steam directly through native calls (SteamJNI) and Steam then validates the token and ID to ensure it came from the same user. Thus there is no way with simple client modifications to spoof or break this method of authentication, not without greater access - such as the user's machine or the game server itself. The code posted on Github earlier is a fine example of how to remove Steam authentication, but it effectively renders any patched client useless with servers that are not also patched to remove authentication. In essence, unless your server has had Steam authentication removed, then the only logical way this incident happened is that the affected user has his or her computer or Steam account compromised. Share this post Link to post Share on other sites
Posted December 18, 2016 Zenath is back up. We'll likely be rebooting a bunch of times in the coming week here, so it might be unlisted for short periods. Enjoy! Share this post Link to post Share on other sites
Posted December 18, 2016 (edited) I don't know of any existing exploits in the authentication system (the few i knew and/or discovered were reported to the devs and fixed). If anyone can PM me the alleged exploit code or some logs from the hacked server(s?) - i'd be happy to take a look. Added: I've seen the github project referred to by@Keenan and it's not an actual exploit per-se. It allows removing steam from the client/server, but you will not be able to connect with a patched client to a normal server. Edited December 18, 2016 by bdew Share this post Link to post Share on other sites
Posted December 19, 2016 Thanks bdew, awesome. I also doubt it's an exploit, that is just an easy card to play. But something was very very wrong this weekend, because I saw similiar things on my server, which is small, niche and unrelated to the one in this post. It's nice to know you guys also have your eyes in the code. Share this post Link to post Share on other sites