Heart Bleed bug

Heart Bleed bug

in Account & Technical Support

Posted by: Kilo November.4268

Kilo November.4268

Anyone know if this recently identified security vulnerability has/could impact GW2?

Sounds like pretty serious stuff, for info:

http://heartbleed.com/

Brofist Maximus
[RISE]
Gate of Madness

Heart Bleed bug

in Account & Technical Support

Posted by: Brother Grimm.5176

Brother Grimm.5176

This is pretty widespread potential (MOST versions of OpenSSL released since end of 2011), so it’s certainly possible. I’m guessing the answer you are asking for is not one a company would ever care to answer voluntarily, however.

We go out in the world and take our chances
Fate is just the weight of circumstances
That’s the way that lady luck dances

Heart Bleed bug

in Account & Technical Support

Posted by: Brother Grimm.5176

Brother Grimm.5176

Investigated this a bit more and here are the percentages of CURRENTLY (as of late 4/8/2014) potentially exploitable top websites:

Top 1000 websites:

  • 51.2% do not use SSL at all
  • 44.1% are NOT vulnerable (either don’t use OpenSSL or have already updated).
  • 4.7% are still vulnerable (tests made 4/8/2014).

Top 10,000 websites:

  • 56.8% do not use SSL at all
  • 36.9% use SSL but are not vulnerable.
  • 6.3% are vulnerable (tests made 4/8/2014).

According to my brother (web-designer and .Net coder), very few reputable business sites would ever use OpenSSL on main public websites. Above info seems to confirm that.

Personally, I find it VERY interesting that so many top websites do not use SSL at all.

BTW, I tested this forum and the account login pages and they both report an error that indicates a firewall or some SSL setting on the website side is blocking the testing, and thus would block attempts to exploit the vulnerability… so they are currently not at risk.

Keep in mind that this exploit has been present since early 2012, so this test does not mean the exploit was never possible. The exploit was reported to be discovered only 2 days ago (4/7/2014 at a security conference), the chances are very low that this has ever been exploited in the wild, and no indication of it being used has ever shown up on the internet before now. Security experts agree that keeping this type of open exploit a secret on the internet for over 2 years is highly unlikely (however, they do admit that the fact that it has actually EXISTED for 2 years without being found is also shocking).

Just to be clear on what this exploit allows: someone using it can systematically get raw memory data from an active SSL-protected server and use that data to obtain sensitive information. One of the pieces of information that could be obtained is the SSL secret key… which would allow decryption of ALL communication to and from that server… (ouch).

On top of this is the fact that, the way the exploit works, there is NO trace in any logs that the memory chunks were ever taken, so unless some code was actively attempting to catch someone performing the exploit (which would not even have been on the general radar before a few days ago), there is no way to know whether it has happened in the past.

We go out in the world and take our chances
Fate is just the weight of circumstances
That’s the way that lady luck dances

(edited by Brother Grimm.5176)
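Brother Grimm’s point above, that a Heartbleed read leaves nothing in ordinary server logs unless something is actively watching for it, is where network-level detection comes in. The following is an added example written for this page, not code from the thread or from ArenaNet: a small Python checker that walks TLS records and flags heartbeat messages whose declared payload length cannot fit inside the record that carried them, which is the bounds check RFC 6520 requires and the fixed OpenSSL performs. The sample byte strings are constructed for the example and are not captured traffic.

```python
import struct
from typing import Iterator, List, Tuple

TLS_HEARTBEAT = 24          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16            # RFC 6520: at least 16 bytes of padding per message
HEADER_LEN = 3              # 1-byte message type + 2-byte payload_length


def parse_tls_records(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (content_type, version, body) for each complete TLS record in data.

    A trailing, truncated record is ignored rather than misparsed."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        yield ctype, version, body
        off += 5 + length


def check_heartbeat(body: bytes) -> str:
    """Classify one heartbeat record body as 'ok', 'suspicious' or 'malformed'.

    'suspicious' is the Heartbleed signature: the sender claims more payload
    than the record actually carries, so a vulnerable responder would fill
    the difference from its own memory."""
    if len(body) < HEADER_LEN:
        return "malformed"
    hb_type, payload_len = struct.unpack("!BH", body[:HEADER_LEN])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    # The bounds check the fixed OpenSSL performs: header + payload + padding
    # must fit inside the record that delivered them.
    if HEADER_LEN + payload_len + MIN_PADDING > len(body):
        return "suspicious"
    return "ok"


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (record_index, verdict) for every heartbeat record in the capture."""
    return [(i, check_heartbeat(body))
            for i, (ctype, _ver, body) in enumerate(parse_tls_records(data))
            if ctype == TLS_HEARTBEAT]


# Constructed sample capture (not real traffic): a normal heartbeat request,
# an application-data record, then a heartbeat whose 2-byte length field
# claims 16384 bytes of payload while the record carries none.
SAMPLE = (
    b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16   # heartbeat, ok
    + b"\x17\x03\x02\x00\x03abc"                                     # application data
    + b"\x18\x03\x02\x00\x13" + b"\x01\x40\x00" + b"\x00" * 16       # heartbeat, suspicious
)

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE):
        print(f"record {index}: {verdict}")
```

A real deployment would feed this from a packet capture or an IDS hook rather than a byte string, and would also count heartbeat records per connection: a client that sends heartbeats at all is unusual enough to be worth logging, and a burst of them is worth an alert even when each one passes the length check.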

Heart Bleed bug

in Account & Technical Support

Posted by: Kilo November.4268

Kilo November.4268

A+ reply.

Thanks for the great response.

Brofist Maximus
[RISE]
Gate of Madness

Heart Bleed bug

in Account & Technical Support

Posted by: katubug.6378

katubug.6378

Just to corroborate:

LastPass Heartbleed checker

Detected server software of Microsoft-IIS/7.5
That server is known to NOT use OpenSSL and is not vulnerable.

The SSL certificate for guildwars2.com valid 2 years ago at Apr 23 13:28:55 2012 GMT.
Since the server is not vulnerable this is fine.

Heart Bleed bug

in Account & Technical Support

Posted by: Brother Grimm.5176

Brother Grimm.5176

Thanks for that info.

Exactly what URL or address did you check? I’m guessing this website account server and the game login servers are separate servers (though they likely both access the same DB). Also, the Trading Post servers use some form of HTTP to control data to and from the game UI, so that likely uses our login credentials to connect and could be SSL based.

We go out in the world and take our chances
Fate is just the weight of circumstances
That’s the way that lady luck dances

Heart Bleed bug

in Account & Technical Support

Posted by: montes guest.9081

montes guest.9081

How has this not been addressed by someone from ArenaNet yet? The info so far has been great but there are a lot of unknowns here still…

Heart Bleed bug

in Account & Technical Support

Posted by: Legendary Grenth.3561

Legendary Grenth.3561

Just change it anyway; it’s good practice.

Heart Bleed bug

in Account & Technical Support

Posted by: Chris Cleary

Chris Cleary

Game Security Lead


All our first-party HTTPS sites (including the commerce panel) are behind IIS, which doesn’t suffer from Heartbleed. Our third-party hosted HTTPS sites (buy.guildwars2.com, in-game purchasing flow, and CDNs) were not vulnerable when I checked Tuesday morning.

The CDNs at least were vulnerable before that but no user-specific data ever flows through those so it shouldn’t have been an issue.

Just to be sure we’ll be issuing new certs for all our secure domains in the near future, but we’re pretty confident that there were no issues for our sites.

Professor of Bearbow Math @ Tyria State // @Shazbawt // “The Crippler”

Heart Bleed bug

in Account & Technical Support

Posted by: Brother Grimm.5176

Brother Grimm.5176

Thanks very much for the confirmation.

We go out in the world and take our chances
Fate is just the weight of circumstances
That’s the way that lady luck dances

Heart Bleed bug

in Account & Technical Support

Posted by: eleshazar.6902

eleshazar.6902

All our first-party HTTPS sites (including the commerce panel) are behind IIS, which doesn’t suffer from Heartbleed. Our third-party hosted HTTPS sites (buy.guildwars2.com, in-game purchasing flow, and CDNs) were not vulnerable when I checked Tuesday morning.

The CDNs at least were vulnerable before that but no user-specific data ever flows through those so it shouldn’t have been an issue.

Just to be sure we’ll be issuing new certs for all our secure domains in the near future, but we’re pretty confident that there were no issues for our sites.

I was actually going to post this later. I had checked the forum sites and found out that they were ok, but I was too lazy to run a pcap to see where the payment data actually went in the TP (plus using an inline proxy to stop the payment actually going through would have been a pain -.-). Thanks for the open honesty about this one! I’ve been working the past 3 days on nothing but this silly thing :-/

All professions level 80| Champion Paragon, Phantom, Genius
Phoenix Ascendant [ASH] | Rank 80

Heart Bleed bug

in Account & Technical Support

Posted by: Yifang.8260

Yifang.8260

Yet the trading post has suffered for 3 days and is unusable for many users, primarily Mac beta users.

Heart Bleed bug

in Account & Technical Support

Posted by: Brother Grimm.5176

Brother Grimm.5176

That has NOTHING to do with this bug (Heartbleed itself could not affect the server). This exploit in no way inhibits how a website works or does not work, and a hacker would not be likely to use this to try and gain control of the server (even if that WAS technically possible). It only EXTRACTS data from the server’s memory (it does not change or alter it in any way).

BTW, on the Mac issue, Apple put out a statement today that its systems are “TOTALLY IMMUNE” to this bug… Obviously the statement meant that nothing in OSX or other Apple OSs uses OpenSSL code, but the main statement implies to Apple users that there is nothing to fear at all, and that is just absolutely untrue.

We go out in the world and take our chances
Fate is just the weight of circumstances
That’s the way that lady luck dances

(edited by Brother Grimm.5176)

Heart Bleed bug

in Account & Technical Support

Posted by: DavidSev.6978

DavidSev.6978

OSX is “immune” because it’s so out of date it doesn’t even have that feature. Lots of stuff on OSX uses OpenSSL; the bits that use Apple’s knock-off version have had some far, far worse issues.
But it’s not like Heartbleed has any real effect on any desktop system, so it’s just marketing crap from Apple.

And the trading post issue on Macs was directly caused by Heartbleed. CloudFront rolled their SSL certs because Heartbleed may have compromised them, and for some reason Awesomium doesn’t like the new cert. It would appear it ignores the system-installed root certs, so I assume it has its own outdated root store, or other hard-coded hackiness. Either way Heartbleed was the root cause of the break.

Heart Bleed bug

in Account & Technical Support

Posted by: Squished Roadkill.7598

Squished Roadkill.7598

Grimm – Thanks for the info. Wish all the news people would take a bit more time in presenting this story and not throw more gas on the fire.

On a side note – how do you spell nsa anyway?

(edited by Squished Roadkill.7598)

Heart Bleed bug

in Account & Technical Support

Posted by: Brother Grimm.5176

Brother Grimm.5176

And the trading post issue on Macs was directly caused by Heartbleed. CloudFront rolled their SSL certs because Heartbleed may have compromised them, and for some reason Awesomium doesn’t like the new cert. It would appear it ignores the system-installed root certs, so I assume it has its own outdated root store, or other hard-coded hackiness. Either way Heartbleed was the root cause of the break.

I have no idea how your information relates to the BLTP or the Mac client (if those use the above-mentioned, that would not be common knowledge, so maybe you should mention that), but SSL certs are replaced all the time… nobody would hard-code a cert (that kind of defeats the purpose of a ‘certificate’ in general).

If a changed SSL cert “broke” something it was broken long before fixing Heartbleed required the Cert to be replaced. I don’t think you understand the meaning of the term “root cause” as it does not mean the first or initiating step in a process that failed.

We go out in the world and take our chances
Fate is just the weight of circumstances
That’s the way that lady luck dances

(edited by Brother Grimm.5176)

Heart Bleed bug

in Account & Technical Support

Posted by: Didis.3984

Didis.3984

The sensitive information that may be retrieved using this vulnerability include:
- Primary key material (secret keys)
- Secondary key material (user names and passwords used by vulnerable services)
- Protected content (sensitive data used by vulnerable services)
- Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Any service that supports STARTTLS (IMAP, SMTP, HTTP, POP) may also be affected.
Due to the fact that you can’t trace back any activity, server-based or network-based, several government agencies have advised that if you use this particular OpenSSL version (and yes, if companies have actually patched their systems regularly, this bug has occurred; several companies are not affected due to lack of patching) you patch it to the latest version.
Also, several network and infrastructure solutions are possibly infected. It’s not only an HTTPS website.
http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=720951&SearchOrder=4

Actions to be taken if vulnerable:
1. Patch openssl
2. Change certificates
3. Change credentials (especially admin)
4. If end-user credentials are sent through the devices/solution, inform those users and have them change the credentials.

You can check for the heartbleed bug on:
https://www.ssllabs.com/ssltest/analyze.html?d=buy.guildwars2.com

ArenaNet could consider disabling some cipher suites which are related to XP and IE6…
More info:
http://www.kb.cert.org/vuls/id/720951

Leader of Lowland Lions [LLL]

(edited by Didis.3984)
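Didis’s four-step checklist above, and the LastPass checker output katubug quoted earlier (a certificate issued before the disclosure date is only fine because that server was never vulnerable), can be combined into one triage rule. This is an added example written for this page, not Didis’s or ArenaNet’s code: the version regex encodes the OpenSSL releases that shipped with the bug (1.0.1 through 1.0.1f, and 1.0.2-beta1), the Host records are constructed, and the hostnames are placeholders. The patch-before-anything-else ordering is the point: certificates and passwords rotated on a host that is still vulnerable can be read out of memory just like the old ones.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Releases that shipped with the bug: OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# 1.0.1g (7 Apr 2014) fixed it; the 0.9.8 and 1.0.0 branches never had heartbeats.
_AFFECTED = re.compile(r"^OpenSSL 1\.0\.(?:1[a-f]?|2-beta1)(?![0-9a-z])")


def looks_vulnerable(version_banner: str) -> bool:
    """True when an `openssl version` banner names a build that shipped with Heartbleed.

    Caveat: distributions often backport the fix without changing the version
    (a patched Debian or Ubuntu build still reports 1.0.1e), so a hit here
    means 'verify this host', not 'confirmed vulnerable'."""
    return _AFFECTED.match(version_banner.strip()) is not None


PATCH = "1. patch openssl"
REISSUE_CERT = "2. reissue certificate (revoke the old one)"
ROTATE_CREDENTIALS = "3. change credentials on the host"
NOTIFY_USERS = "4. tell end users to change their credentials"


@dataclass
class Host:
    name: str
    version_banner: str                 # `openssl version` output recorded at disclosure
    patched_on: Optional[date]          # None: still running the affected build
    cert_not_before: date               # notBefore of the certificate currently served
    credentials_rotated_on: Optional[date]
    handles_user_credentials: bool      # do end-user logins or sessions pass through it?
    users_notified: bool = False


def outstanding_actions(h: Host) -> List[str]:
    """Which of the four remediation steps this host still owes, in order."""
    if not looks_vulnerable(h.version_banner):
        return []                       # e.g. IIS, or a non-affected OpenSSL branch
    if h.patched_on is None:
        # Everything else waits for the patch: new keys or passwords on a
        # still-vulnerable host are exposed exactly like the old ones.
        return [PATCH]
    todo: List[str] = []
    # A certificate issued before the patch date may have had its private key
    # read while the bug was live; this is the date comparison the LastPass checker makes.
    if h.cert_not_before < h.patched_on:
        todo.append(REISSUE_CERT)
    if h.credentials_rotated_on is None or h.credentials_rotated_on < h.patched_on:
        todo.append(ROTATE_CREDENTIALS)
    if h.handles_user_credentials and not h.users_notified:
        todo.append(NOTIFY_USERS)
    return todo


def triage(hosts: List[Host]) -> Dict[str, List[str]]:
    """Map each host name to the steps it still has to complete."""
    return {h.name: outstanding_actions(h) for h in hosts}


# Constructed inventory; the hostnames are placeholders, not ArenaNet systems.
SAMPLE_HOSTS = [
    Host("login.example", "n/a (Microsoft-IIS/7.5)", None, date(2012, 4, 23), None, True),
    Host("shop.example", "OpenSSL 1.0.1e 11 Feb 2013", None, date(2013, 6, 1), None, True),
    Host("cdn.example", "OpenSSL 1.0.1f 6 Jan 2014", date(2014, 4, 8), date(2013, 9, 1), None, False),
    Host("mail.example", "OpenSSL 1.0.1c 10 May 2012", date(2014, 4, 8), date(2014, 4, 9),
         date(2014, 4, 9), True, True),
    Host("api.example", "OpenSSL 1.0.1g 7 Apr 2014", None, date(2014, 4, 8), None, True),
]

if __name__ == "__main__":
    for name, actions in triage(SAMPLE_HOSTS).items():
        print(f"{name}: {actions or 'nothing outstanding'}")
```

The version banner is deliberately treated as a trigger for verification rather than proof: a vendor-patched 1.0.1e is safe while an unpatched one is not, and the only reliable way to tell them apart is the distribution’s changelog or a live heartbeat test, which this example does not perform.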

Heart Bleed bug

in Account & Technical Support

Posted by: Didis.3984

Didis.3984

I configured my firewall to ask me for approval to make a connection. In the login screen I enter my credentials; when I log in or click the play button, I get a warning that I am connecting to an address in the arenanetworks domain, and the address contains the abbreviation CDN. So earlier you mentioned no user data goes through this CDN. I don’t trust your answer. First of all, SSL Labs reported that the used certificate is not issued by a Certificate Authority (that’s also an issue). Second, after login I don’t get other warnings of additional IP addresses etc. I presume that all traffic goes via this address (CDN). You wrote it was vulnerable before patching. The use of this vulnerability could not be detected. You should therefore advise everyone to change their password as a precaution. And yes, the chance is very small, but would you take the risk…

Leader of Lowland Lions [LLL]

Heart Bleed bug

in Account & Technical Support

Posted by: Inculpatus cedo.9234

Inculpatus cedo.9234

I configured my firewall to ask me for approval to make a connection. In the login screen I enter my credentials; when I log in or click the play button, I get a warning that I am connecting to an address in the arenanetworks domain, and the address contains the abbreviation CDN. So earlier you mentioned no user data goes through this CDN. I don’t trust your answer. First of all, SSL Labs reported that the used certificate is not issued by a Certificate Authority (that’s also an issue). Second, after login I don’t get other warnings of additional IP addresses etc. I presume that all traffic goes via this address (CDN). You wrote it was vulnerable before patching. The use of this vulnerability could not be detected. You should therefore advise everyone to change their password as a precaution. And yes, the chance is very small, but would you take the risk…

They did just that. See the Sticky at the top of the sub-forum. =)

Heart Bleed bug

in Account & Technical Support

Posted by: Veckna.9621

Veckna.9621

While Heartbleed may have no effect on ArenaNet’s servers, it certainly can nab your e-mail’s information easily.
And we all know once somebody has access to your account’s e-mail they can simply change the password to whatever they want and log in to it.
This is a serious security breach and should be taken seriously; a lot of players have been experiencing things like IPs from half a world away showing up on their account’s security logs.
If you’re using the phone authenticator software your account should be safe, as even if they can change passwords how they like, they still couldn’t log into the game. But everyone else is very vulnerable to this bug; major e-mail service providers have patched their servers relatively quickly, but everyone not using one of these should think about requesting an account e-mail change.

(edited by Veckna.9621)

Heart Bleed bug

in Account & Technical Support

Posted by: Smooth Penguin.5294

Smooth Penguin.5294

While Heartbleed may have no effect on ArenaNet’s servers, it certainly can nab your e-mail’s information easily.
And we all know once somebody has access to your account’s e-mail they can simply change the password to whatever they want and log in to it.
This is a serious security breach and should be taken seriously; a lot of players have been experiencing things like IPs from half a world away showing up on their account’s security logs.
If you’re using the phone authenticator software your account should be safe, as even if they can change passwords how they like, they still couldn’t log into the game. But everyone else is very vulnerable to this bug; major e-mail service providers have patched their servers relatively quickly, but everyone not using one of these should think about requesting an account e-mail change.

If anything, the security breach would be on your end, not Anet’s. It’s like walking down the street to your bank, dropping your wallet, and then blaming the bank that your money is gone. There’s nothing they can do if the user has poor security, or visited a poorly coded website.

In GW2, Trading Post plays you!

Heart Bleed bug

in Account & Technical Support

Posted by: Sinope.5630

Sinope.5630

While Heartbleed may have no effect on ArenaNet’s servers, it certainly can nab your e-mail’s information easily.
And we all know once somebody has access to your account’s e-mail they can simply change the password to whatever they want and log in to it.
This is a serious security breach and should be taken seriously; a lot of players have been experiencing things like IPs from half a world away showing up on their account’s security logs.
If you’re using the phone authenticator software your account should be safe, as even if they can change passwords how they like, they still couldn’t log into the game. But everyone else is very vulnerable to this bug; major e-mail service providers have patched their servers relatively quickly, but everyone not using one of these should think about requesting an account e-mail change.

If anything, the security breach would be on your end, not Anet’s. It’s like walking down the street to your bank, dropping your wallet, and then blaming the bank that your money is gone. There’s nothing they can do if the user has poor security, or visited a poorly coded website.

The Heartbleed bug is situated only in servers. It is a vulnerability on the server side, not in the user’s computer. So users cannot do anything else than wait for the server provider to block that hole with a new cert, and then the user can change their password. In this case, if the Heartbleed vulnerability is in Anet’s server, it is their fault, not the user’s fault. This vulnerability has been present since 2011 in the server programs, so even before this game ever started to be sold. So that vulnerability may have been there from the start of this game, and that might even explain why there have been so many hackings in this game and of accounts.

If you look at how many hackings have been happening during Easter time, it means that those hackers are not gathering user information from the server anymore; now they have started to use the information they have gathered. Every one of us is in danger until Anet blocks that hole, if there has been any, and until we have changed our passwords. If there is even a slight possibility that Anet has had that hole in the server, they will openly inform that they have put a new cert in the servers and suggest that everybody change their password in the game.

And I hope that they will inform about this very publicly, like on the main page of the game.

Heart Bleed bug

in Account & Technical Support

Posted by: Ellieanna.5027

Ellieanna.5027

While Heartbleed may have no effect on ArenaNet’s servers, it certainly can nab your e-mail’s information easily.
And we all know once somebody has access to your account’s e-mail they can simply change the password to whatever they want and log in to it.
This is a serious security breach and should be taken seriously; a lot of players have been experiencing things like IPs from half a world away showing up on their account’s security logs.
If you’re using the phone authenticator software your account should be safe, as even if they can change passwords how they like, they still couldn’t log into the game. But everyone else is very vulnerable to this bug; major e-mail service providers have patched their servers relatively quickly, but everyone not using one of these should think about requesting an account e-mail change.

If anything, the security breach would be on your end, not Anet’s. It’s like walking down the street to your bank, dropping your wallet, and then blaming the bank that your money is gone. There’s nothing they can do if the user has poor security, or visited a poorly coded website.

The Heartbleed bug is situated only in servers. It is a vulnerability on the server side, not in the user’s computer. So users cannot do anything else than wait for the server provider to block that hole with a new cert, and then the user can change their password. In this case, if the Heartbleed vulnerability is in Anet’s server, it is their fault, not the user’s fault. This vulnerability has been present since 2011 in the server programs, so even before this game ever started to be sold. So that vulnerability may have been there from the start of this game, and that might even explain why there have been so many hackings in this game and of accounts.

If you look at how many hackings have been happening during Easter time, it means that those hackers are not gathering user information from the server anymore; now they have started to use the information they have gathered. Every one of us is in danger until Anet blocks that hole, if there has been any, and until we have changed our passwords. If there is even a slight possibility that Anet has had that hole in the server, they will openly inform that they have put a new cert in the servers and suggest that everybody change their password in the game.

And I hope that they will inform about this very publicly, like on the main page of the game.

Did you read anything that was posted? I’m just wondering because even Gaile said the servers were fine and someone else posted that the servers were fine. Next time actually talk about things you research instead of trying to blame Anet for all the hacks recently.

If you think about it, email accounts were more at risk than the servers. And a lot of people who have been hacked recently have also had their emails hacked, which Anet wouldn’t have their passwords to either.

I’m a Moose, a ginger moose even.

Heart Bleed bug

in Account & Technical Support

Posted by: Brother Grimm.5176

Brother Grimm.5176

The party that was vulnerable NEVER had access to any user information, nor was any user information exchanged with them (per Anet’s Dev comments). If you choose not to believe that statement, then change your password. The 3rd party obviously changed their certificates and patched (as the new cert is what “broke” Macs accessing the BLTP), so that hole (that never used player credentials) has been fixed.

Anet’s log in servers are MS software based, so they were never vulnerable. Not an issue in terms of this bug.

Certainly devices other than servers CAN be using bugged code, but short of network equipment (that should NEVER be open to remote access via the internet), very little would be gained by exploiting a user device.

We go out in the world and take our chances
Fate is just the weight of circumstances
That’s the way that lady luck dances

(edited by Brother Grimm.5176)

Heart Bleed bug

in Account & Technical Support

Posted by: Sinope.5630

Sinope.5630

While Heartbleed may have no effect on ArenaNet’s servers, it certainly can nab your e-mail’s information easily.
And we all know once somebody has access to your account’s e-mail they can simply change the password to whatever they want and log in to it.
This is a serious security breach and should be taken seriously; a lot of players have been experiencing things like IPs from half a world away showing up on their account’s security logs.
If you’re using the phone authenticator software your account should be safe, as even if they can change passwords how they like, they still couldn’t log into the game. But everyone else is very vulnerable to this bug; major e-mail service providers have patched their servers relatively quickly, but everyone not using one of these should think about requesting an account e-mail change.

If anything, the security breach would be on your end, not Anet’s. It’s like walking down the street to your bank, dropping your wallet, and then blaming the bank that your money is gone. There’s nothing they can do if the user has poor security, or visited a poorly coded website.

The Heartbleed bug is situated only in servers. It is a vulnerability on the server side, not in the user’s computer. So users cannot do anything else than wait for the server provider to block that hole with a new cert, and then the user can change their password. In this case, if the Heartbleed vulnerability is in Anet’s server, it is their fault, not the user’s fault. This vulnerability has been present since 2011 in the server programs, so even before this game ever started to be sold. So that vulnerability may have been there from the start of this game, and that might even explain why there have been so many hackings in this game and of accounts.

If you look at how many hackings have been happening during Easter time, it means that those hackers are not gathering user information from the server anymore; now they have started to use the information they have gathered. Every one of us is in danger until Anet blocks that hole, if there has been any, and until we have changed our passwords. If there is even a slight possibility that Anet has had that hole in the server, they will openly inform that they have put a new cert in the servers and suggest that everybody change their password in the game.

And I hope that they will inform about this very publicly, like on the main page of the game.

Did you read anything that was posted? I’m just wondering because even Gaile said the servers were fine and someone else posted that the servers were fine. Next time actually talk about things you research instead of trying to blame Anet for all the hacks recently.

If you think about it, email accounts were more at risk than the servers. And a lot of people who have been hacked recently have also had their emails hacked, which Anet wouldn’t have their passwords to either.

I think the CDN server was vulnerable before, and even though they say that no user-specific data goes through there, I think that is not the case. User-specific data goes through the CDN too. And if there is even one weak link in the servers, it should be taken really seriously. Not just putting some fishy information in a sub-forum; it should be announced really publicly. They need to put on the main page that they ask each and every one of the players to change their password just in case, because of that possible weak link in the CDN server.

Heart Bleed bug

in Account & Technical Support

Posted by: Smooth Penguin.5294

Smooth Penguin.5294

While Heartbleed may have no effect on ArenaNet’s servers, it certainly can nab your e-mail’s information easily.
And we all know once somebody has access to your account’s e-mail they can simply change the password to whatever they want and log in to it.
This is a serious security breach and should be taken seriously; a lot of players have been experiencing things like IPs from half a world away showing up on their account’s security logs.
If you’re using the phone authenticator software your account should be safe, as even if they can change passwords how they like, they still couldn’t log into the game. But everyone else is very vulnerable to this bug; major e-mail service providers have patched their servers relatively quickly, but everyone not using one of these should think about requesting an account e-mail change.

If anything, the security breach would be on your end, not Anet’s. It’s like walking down the street to your bank, dropping your wallet, and then blaming the bank that your money is gone. There’s nothing they can do if the user has poor security, or visited a poorly coded website.

The Heartbleed bug is situated only in servers. It is a vulnerability on the server side, not in the user’s computer. So users cannot do anything else than wait for the server provider to block that hole with a new cert, and then the user can change their password. In this case, if the Heartbleed vulnerability is in Anet’s server, it is their fault, not the user’s fault. This vulnerability has been present since 2011 in the server programs, so even before this game ever started to be sold. So that vulnerability may have been there from the start of this game, and that might even explain why there have been so many hackings in this game and of accounts.

If you look at how many hackings have been happening during Easter time, it means that those hackers are not gathering user information from the server anymore; now they have started to use the information they have gathered. Every one of us is in danger until Anet blocks that hole, if there has been any, and until we have changed our passwords. If there is even a slight possibility that Anet has had that hole in the server, they will openly inform that they have put a new cert in the servers and suggest that everybody change their password in the game.

And I hope that they will inform about this very publicly, like on the main page of the game.

Did you read anything that was posted? I’m just wondering because even Gaile said the servers were fine and someone else posted that the servers were fine. Next time actually talk about things you research instead of trying to blame Anet for all the hacks recently.

If you think about it, email accounts were more at risk than the servers. And a lot of people who have been hacked recently have also had their emails hacked, which Anet wouldn’t have their passwords to either.

I think the CDN server was vulnerable before, and even though they say that no user-specific data goes through there, I think that is not the case. User-specific data goes through the CDN too. And if there is even one weak link in the servers, it should be taken really seriously. Not just putting some fishy information in a sub-forum; it should be announced really publicly. They need to put on the main page that they ask each and every one of the players to change their password just in case, because of that possible weak link in the CDN server.

No. Anet’s servers are secure. Please don’t pass the blame for a player’s poor security or bad website visits to them. If Anet’s head of security says their servers weren’t vulnerable due to not using the exploitable codings, then I’ll believe them.

In GW2, Trading Post plays you!

Heart Bleed bug

in Account & Technical Support

Posted by: Gaile Gray


Gaile Gray

ArenaNet Communications Manager

I was surprised to see this thread has continued to go on and on about unrelated topics or about the same topic, already answered.

Again, the Heartbleed bug is not an issue, for reasons explained previously. Issues with individual account compromise incidents (“hacks”) are related to the user’s individual security measures, not the Heartbleed bug.

Issues with the Gem Store are not related to the Heartbleed bug and are being addressed. In fact, nearly all have been resolved and the remaining are currently in the works.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet