NationStates Game Site Shut Down After Data Breach

Summary
– NationStates, a multiplayer browser game, suffered a data breach after an unauthorized user gained access to its main production server and copied user data.
– The breach was caused by a player who, while reporting a critical vulnerability, exceeded authorized testing and achieved remote code execution on the server.
– The exposed data includes email addresses, passwords stored as obsolete MD5 hashes, IP addresses, and likely some contents of the internal private messaging system.
– The site is offline while the developers completely rebuild the compromised server on new hardware, a process expected to take a few days.
– NationStates has reported the incident to authorities and plans to implement security upgrades, including enhanced password security, once the site is restored.
The popular multiplayer browser game NationStates has been taken offline following a significant security breach. The site’s administrators confirmed that an unauthorized individual gained access to its main production server and copied sensitive user data. This incident has prompted a complete rebuild of the server infrastructure, with the website expected to remain unavailable for several days as the team works to ensure system security and integrity.
The breach originated from a critical vulnerability within a relatively new site feature called “Dispatch Search.” The attacker exploited insufficient input sanitization combined with a double-parsing bug, which ultimately allowed for remote code execution on the server. This provided the ability to copy both application code and stored user information. While the flaw was initially reported by a player with a history of submitting bug reports, that individual crossed a clear line by actively exploiting the vulnerability to access the server, rather than simply documenting its existence.
Site developer Max Barry detailed in a breach notice that the player, who held a “Bug Hunter” badge for previous responsible disclosures, performed actions far beyond authorized testing. After confirming the bug’s existence, the individual proceeded to breach the server directly. Although the person later apologized and claimed to have deleted the copied data, the NationStates team has no way to verify this claim. Consequently, they are treating the entire system as compromised.
The compromised data includes user email addresses, passwords stored as outdated MD5 hashes, IP addresses, and browser user-agent strings. The use of MD5, an obsolete cryptographic hashing function, is particularly concerning as it offers inadequate protection against modern password-cracking techniques, especially if an attacker possesses an offline copy of the data. The breach notice also indicated that the intruder attempted to copy data from the internal “Telegrams” private messaging system, making it likely that some private message contents were exposed. Fortunately, the site does not collect real names, physical addresses, phone numbers, or financial information.
In response, the NationStates team has taken the drastic step of completely decommissioning the affected server. The only way to guarantee security is to rebuild the production environment from the ground up on new hardware. This process involves thorough security audits, system enhancements, and an upgrade to more robust password security protocols. The incident has been reported to the relevant government authorities.
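One way to handle the move away from MD5 and the forced reset described here, as an added example rather than NationStates' own code: legacy records never authenticate, and a reset stores a salted scrypt hash instead. The choice of scrypt, its cost parameters, the record format and every function name are assumptions.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters (about 16 MiB per hash); not from the breach notice.
N, R, P, DKLEN = 2**14, 8, 1, 32

# Constructed sample record: a bare MD5 hex digest (assumed legacy format).
LEGACY_DB = {"example_nation": hashlib.md5(b"constructed-old-password").hexdigest()}

def hash_password(password: str) -> str:
    """Return 'scrypt$<salt hex>$<key hex>' using a fresh random salt."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${key.hex()}"

def is_legacy_md5(stored: str) -> bool:
    """True for a bare 32-character hex string (the assumed legacy format)."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())

def verify(password: str, stored: str) -> bool:
    """Check a password against a scrypt record in constant time."""
    try:
        scheme, salt_hex, key_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False  # malformed or legacy record
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return hmac.compare_digest(key, expected)

def login(db: dict, user: str, password: str) -> str:
    """Return 'ok', 'denied' or 'reset_required'."""
    stored = db.get(user)
    if stored is None:
        return "denied"
    if is_legacy_md5(stored):
        # The MD5 hash was exposed, so it must never authenticate anyone again.
        return "reset_required"
    return "ok" if verify(password, stored) else "denied"

def reset_password(db: dict, user: str, new_password: str) -> None:
    """Replace the stored record (legacy or not) with a salted scrypt hash."""
    db[user] = hash_password(new_password)
```

`reset_password` assumes the caller has already confirmed the account owner through an out-of-band reset link.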
Players are advised that the site will likely return within two to five days. Once restored, all users will be required to reset their passwords. They will also be able to review the exact data stored for their account via a dedicated secure page. The team emphasizes that this is the first time a critical remote code execution bug has been reported in the game’s long history, underscoring the seriousness of the current situation and the extensive remediation efforts now underway.
(Source: Bleeping Computer)





