Yesterday we received a tip about some pretty interesting news regarding the Order & Chaos MMORPG from Gameloft. While we will talk specifically about this news regarding Android, be aware that this affects accounts across all platforms the game is being played on. It seems as though there are some security issues that are leading to players having their accounts hacked.
There are a couple of security concerns regarding player accounts in Gameloft’s MMORPG Order & Chaos. One concern, phishing applications and websites, can easily be avoided by simply not downloading them or visiting those sites; the real problem is how accounts are still being hacked. This isn’t just an issue affecting one or two people, but a lot of players losing their accounts. Even entire guilds aren’t safe: one with over 200 members reportedly got completely, for lack of a better term, owned.
Example of a phishing program for Order and Chaos
Part of the problem stems from how Gameloft Live works. If you read the site on a regular basis, you know we reported on a previous issue with Gameloft Live that let users accidentally log into other people’s accounts even though they used their own login credentials. That issue was resolved rather quickly, especially once we reported on it and contacted Gameloft ourselves. We are hoping the same happens this time as well.
Before we go into this further: we will not be posting the details on how to get into other people’s Order & Chaos accounts, for obvious reasons. Gameloft is aware of the issue, but fixing it seems to be taking a while, and we do not want to hamper that in any way, nor do we want more accounts breached.
There used to be an issue with Gameloft Live’s website that could be exploited to let anyone change another person’s login credentials. While Gameloft has apparently closed this exploit, some believe part of it is still open. This can lead to a user logging you out of your account, changing your password and stealing your gold, items and whatever else they want. This has happened in plenty of MMO-type games in the past, so it really isn’t a surprise that it’s happening to Order & Chaos.
Another main issue is that usernames and passwords are sent to and received from the game in plain text. Obviously this is a huge security risk in itself and should be addressed first, since it exposes far too much information that can be abused. There are actually people requesting that the game be shut down until the problems are fixed. The exploits work through different facets of the game, and while the phishing part is easily avoidable, the rest is up to Gameloft to hurry up and fix.
We suggest you change your password regularly until this problem is solved, which will at least help protect you a bit. If you would like to read all three threads (and we are sure there are more), you can access them below; there is plenty of detail and discussion in them. We will be contacting Gameloft, just like we did last time, to find out what’s being done aside from ‘the admins are looking into it’.
Please be sure to spread the word so other people are aware of this issue.
Thanks to Joe for the help in all of this and the tip.
Official Security Threads: Phishing Apps and Sites | Encryption Security Advisory | More Security Issues