Ingame Browser - Security issues

Enta Ozuwara
State War Academy
Caldari State
#1 - 2013-02-14 18:48:22 UTC  |  Edited by: Enta Ozuwara
I don't know if you noticed, but the ingame browser is horribly outdated. In fact, on the lowest layer, it is based on Chrome 3 from late 2009. Needless to say this is an issue. Not so much because it lacks certain features, but more so because it also affects the security of all users. More than 1000 issues relating to security have been fixed since the release of Chrome 3. And that's just for WebKit itself. (Source Shortened because EVE forums don't like brackets in links)

A bug report was submitted about 2 weeks ago but remains seemingly unnoticed. Meanwhile I recommend you do not visit websites you don't completely trust with the IGB.

Potential Background:
EVE (or CCP ExeFile as it's creatively named) uses Awesomium, a library that switched from a free open source model to a commercial one in 2009. See the link there? There would be two options for CCP to update the IGB: license Awesomium or switch to the free Chromium Embedded Framework, which would require some effort.

Please tell CCP you care about security and don't let it go unnoticed that there is a huge security hole in EVE!
Enta Ozuwara
State War Academy
Caldari State
#2 - 2013-02-17 11:53:20 UTC
Bump.

I demand this to be noticed.
AndromacheDarkstar
Integrated Insterstellar Holdings
#3 - 2013-02-17 15:23:05 UTC
When you say this is a security issue, what kind of risks am I taking by using the in game browser as it stands?
Kelderos
Titans of Doom
#4 - 2013-02-17 16:11:43 UTC  |  Edited by: ISD Suvetar
AndromacheDarkstar wrote:
When you say this is a security issue, what kind of risks am I taking by using the in game browser as it stands?


None unless you do all your banking and shopping in the IGB for RP reasons. This is a non-issue brought up for no reason. IGB was never meant to be used for these things...

Edit: Snipped unnecessary personal attack. ISD Suvetar
xarjin
Galactic Deep Space Industries
Brave Collective
#5 - 2013-02-17 16:33:52 UTC  |  Edited by: xarjin
I knew that the IGB was outdated but I had no idea it was this serious.

As a computer network engineer I have to admit that I find this lack of security maintenance rather alarming.

There have been hundreds of remotely exploitable vulnerabilities fixed in Chrome, including dozens of sandbox violation exploits, since version 3, and the current version is Chrome 24.0.1312.57 m.

I don't have a specific list of all of the fixed vulnerabilities, but Chrome must have a bug tracker somewhere on the internet.

It likely wouldn't take much effort for someone that knew what they were doing to create a web page filled with exploit code that was able to detect EVE's in-game browser and use it to steal account information or potentially compromise your computer.

Since EVE is a 32-bit application, this is made an even easier task, because most home computers' performance has advanced to the level where, for anyone wanting to find a location in memory to exploit some program, scanning or injecting all usable memory with garbage data to find a target location the program is running in is easily accomplished.

This essentially means outdated 32-bit web browsers are especially vulnerable to drive-by download hacks from malicious websites. In this situation the issue could be classed as a critical severe vulnerability within EVE.

This topic specifically was addressed by an Ars Technica author when the Mozilla Foundation planned to cancel development of 64-bit Firefox for Windows earlier this year.

http://arstechnica.com/information-technology/2012/11/64-bit-firefox-for-windows-should-be-prioritized-not-suspended/

- edit- Some further relevant links.

http://arstechnica.com/security/2012/10/google-chrome-exploit-fetches-pinkie-pie-60000-hacking-prize/

and this is also relevant

http://www.zdnet.com/blog/security/google-chrome-hacked-with-sophisticated-exploit/8626

Multiple Google Chrome Vulnerabilities Could Allow for Remote Code Execution - MS-ISAC ADVISORY NUMBER: 2013-007
Enta Ozuwara
State War Academy
Caldari State
#6 - 2013-02-17 16:38:43 UTC  |  Edited by: ISD Suvetar
Kelderos wrote:
AndromacheDarkstar wrote:
When you say this is a security issue, what kind of risks am I taking by using the in game browser as it stands?


None unless you do all your banking and shopping in the IGB for RP reasons. This is a non-issue brought up for no reason. IGB was never meant to be used for these things..

Edit: Snipped unnecessary personal attack. ISD Suvetar


Love you too!

See the above post. Any site could exploit this and run arbitrary code. It doesn't relate to actual connection security.
MItchell Jensen
The Black Widow Company.
#7 - 2013-02-17 18:33:14 UTC
I definitely see this as a very important issue that should be dealt with. I myself do not use the ingame browser all that often, but I'm sure that it wouldn't go unloved for some security updates.

CCP Dropbear: rofl

edit: ah crap, dev account. Oh well, official rofl at you sir.

Karbowiak
State War Academy
Caldari State
#8 - 2013-02-17 19:08:42 UTC
CCP should just drop the IGB completely, and add link handling that launches links in external browsers.

But then you'd hear the fullscreen brigade whine about their game being minimized.. Sad
Tost Reim
Aliastra
#9 - 2013-02-17 19:50:22 UTC  |  Edited by: Tost Reim
+1

Karbowiak wrote:
CCP should just drop the IGB completely, and add link handling that launches links in external browsers.

But then you'd hear the fullscreen brigade whine about their game being minimized.. Sad


I would personally love it if it opened in an external browser (fullscreen windowed ftw).
Podmo
Deep Core Mining Inc.
Caldari State
#10 - 2013-02-17 20:06:57 UTC
WTB flash + youtube IGB.
Enta Ozuwara
State War Academy
Caldari State
#11 - 2013-02-17 20:47:52 UTC
Tost Reim wrote:
+1

Karbowiak wrote:
CCP should just drop the IGB completely, and add link handling that launches links in external browsers.

But then you'd hear the fullscreen brigade whine about their game being minimized.. Sad


I would personally love it if it opened in an external browser (fullscreen windowed ftw).


That'd break trusted sites. But to be quite honest, that is already broken from a security perspective. CCP acts like you can't send any headers you want.
Adahs'lak
Game.Theory
GameTheory
#12 - 2013-02-17 21:53:39 UTC
This definitely needs to be looked at.

I almost never use IGB because I find its performance lacking... HOWEVER, I would much prefer either: proper link handling to external browser and no IGB, or updated IGB for those times I do happen to just accidentally click a link in some chat window.
Enta Ozuwara
State War Academy
Caldari State
#13 - 2013-02-17 23:36:53 UTC
People on Reddit were asking for some sort of proof. Since a Remote Code Execution would need to be carefully planned, I have instead run a DoS exploit fixed in Chrome 4.1.

Result: Awesomium.exe crashes
Fecal Impaction
Caldari Provisions
Caldari State
#14 - 2013-02-18 04:23:08 UTC
AndromacheDarkstar wrote:
When you say this is a security issue, what kind of risks am I taking by using the in game browser as it stands?
Click link. Get virus.

The virus could do anything, of course. Steal your passwords for everything, wipe your HDD, change every .jpg on your disk to goatse, (my personal favorite) donate all your ISK to somebody, contract all your stuff to somebody.

Whatever.
Andski
Science and Trade Institute
Caldari State
#15 - 2013-02-18 06:25:00 UTC
Enta Ozuwara wrote:
That'd break trusted sites. But to be quite honest, that is already broken from a security perspective. CCP acts like you can't send any headers you want.


they're not broken from a security perspective unless developers are dumb enough to trust IGB headers

Twitter: @EVEAndski

"It's easy to speak for the silent majority. They rarely object to what you put into their mouths."    - Abrazzar

Durzel
Questionable Ethics.
Ministry of Inappropriate Footwork
#16 - 2013-02-18 10:39:45 UTC
Any halfway competent developer knows HTTP headers can't be trusted, so the fact CCP uses them as a convenience is moot.
Abditus Cularius
Clancularius Industries
#17 - 2013-02-19 22:57:52 UTC
Ever wondered why there's so many bots spamming the same website link in Jita local?

Now you know.
Enta Ozuwara
State War Academy
Caldari State
#18 - 2013-02-22 02:00:57 UTC
Durzel wrote:
Any halfway competent developer knows HTTP headers can't be trusted, so the fact CCP uses them as a convenience is moot.

I think CCP doesn't take it as "authentication data" but more as "personalize experience" thing. The headers are e.g. useful for a route planner where authenticity of the data isn't such a big issue.
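
The distinction drawn in posts #15 to #18, as an added example that is not part of the original thread: a site may use a client-sent character header to personalize a low-stakes page, but anything sensitive is decided only by a server-signed session. The header name, paths and key below are hypothetical placeholders; the thread does not name the headers the IGB sends.

```python
from __future__ import annotations
import hashlib
import hmac
import html

# Hypothetical header name: the thread does not name the headers the IGB sends.
IGB_NAME_HEADER = "X-Example-Charname"
SERVER_KEY = b"constructed-demo-key"  # constructed; keep real keys in a secret store


def _mac(character: str) -> str:
    return hmac.new(SERVER_KEY, character.encode(), hashlib.sha256).hexdigest()


def sign_session(character: str) -> str:
    """Token issued after a real login; only the server can compute the MAC."""
    return f"{character}:{_mac(character)}"


def verified_character(token: str | None) -> str | None:
    """Return the character bound to a valid token, else None."""
    if not token or ":" not in token:
        return None
    character, mac = token.rsplit(":", 1)
    ok = hmac.compare_digest(mac.encode(), _mac(character).encode())
    return character if ok else None


def handle(path: str, headers: dict, cookies: dict) -> tuple[int, str]:
    hinted = headers.get(IGB_NAME_HEADER)  # client-controlled: a hint, never proof
    proven = verified_character(cookies.get("session"))
    if path == "/route-planner":
        # Low stakes: a forged name only mislabels the forger's own page.
        # Still escaped, because the value is attacker-controlled text.
        return 200, "Routes for " + html.escape(hinted or proven or "guest")
    if path == "/corp/wallet":
        # Sensitive: decided solely by the server-signed session.
        if proven is None:
            return 403, "login required"
        return 200, "Wallet for " + html.escape(proven)
    return 404, "not found"
```
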
anishamora
Atelierele Grivita
#19 - 2013-02-22 08:24:39 UTC  |  Edited by: anishamora
CCP has stated several times that IGB's purpose is not to replace or compete with a real browser. Its security shortcomings were acknowledged long ago and it was never advertised as a secure tool. You use it at your own risk.

So basically you're like complaining that the Velator you get for free isn't able to run L4s.

Also,
Enta Ozuwara wrote:

I demand this to be noticed.


makes this thread a piece of garbage that should be ignored. You're not entitled to demand anything.
Enta Ozuwara
State War Academy
Caldari State
#20 - 2013-03-03 00:42:53 UTC
anishamora wrote:
CCP has stated several times that IGB's purpose is not to replace or compete with a real browser. Its security shortcomings were acknowledged long ago and it was never advertised as a secure tool. You use it at your own risk.

So basically you're like complaining that the Velator you get for free isn't able to run L4s.

Also,
Enta Ozuwara wrote:

I demand this to be noticed.


makes this thread a piece of garbage that should be ignored. You're not entitled to demand anything.


No, f*** you.

This is not a minor security issue, this can compromise my computer, this could install malware on my machine, and since when do you avoid clicking any link in chat? No, I am entitled to demand this, it hinders my ability to get into the game and have a tight security on my computer, let me remind you that I and a lot of other people pay for this.

Your argument is directed at ingame mechanics, those work as expected. The Velator makes a good rookie ship intended for L1 at most. The browser is not "the right tool for the right job", it's a terrible tool at everything.

I might just have to demonstrate this before someone even gets why this is a problem. (inb4 I get banned for ******* with the EVE client)