incorrect session handling on TOJ

Postby Wojtek » Fri Jun 24, 2011 6:18 am

There is a serious security flaw I found on TOJ a long time ago. I never bothered to report it because TOJ development was inactive for a while (except maybe for some lame tries to block the patch), but I think this is kinda interesting, so it's a good time to share this.

So the cookie the TOJ website uses to authenticate users is called tetirs [sic!].
It looks something like this:
SjIwMjE5NgJXb2p0ZWsCNjgCMAIwAjI2NTECMjAxMC8wNS8xOCAwOjAwOjAwAjIwMTAvMTEvMTQgNzoyMDoyMAJ1c2VyXHBlcnNvbkltZ1x0aHVtYlxwcm9maWxlX21fMS5naWYCMQIwAjACMAIxAjEwAjACaGFyZGRyb3AuY29tAjECNjdUTw==

When you decode it as base64 (first you need to urldecode it, I think) you get something like this:
J202196Wojtek680026512010/05/18 0:00:002010/11/14 7:20:20user\personImg\thumb\profile_m_1.gif10001100harddrop.com167TO

So where is the auth token? There is none. All you need to do is change the userid (in this case 202196), encode it back and you are authenticated as another user. You can find other users' userids by viewing their profile on the website.
After you do this, you can do basically everything the user can do: launch the TOJ client with their account, read their pw, buy items for tp/coins, play unlockable flash games, view private user account info. The only thing you can't do is view/change the user's email and change the password.

The interesting thing is that TF also has similar session handling issues. I reported them and they fixed it a bit and even tried to work around the problem, but never bothered to fix it (afaik).
Wojtek
Site Admin
 
Posts: 233
Joined: Sat Jun 18, 2011 4:09 am
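Parsing the cookie layout Wojtek describes (base64 over 0x02-separated fields, no key involved anywhere) and showing what a signed replacement looks like. This is an added example, not code from the thread or from TOJ; the field list, the server secret and the helper names are constructed assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

SEP = b"\x02"   # field separator observed between values in the decoded cookie
TAG_LEN = 32    # HMAC-SHA256 output length, used by the hardened variant

def decode_toj_cookie(cookie):
    """Reverse the legacy 'tetirs' cookie: urldecode, base64-decode, split.
    No key is involved, which is the whole problem: every field, including
    the user id, is plain data the browser can rewrite."""
    raw = base64.b64decode(unquote(cookie))
    return [f.decode("latin-1") for f in raw.split(SEP)]

def encode_legacy(fields):
    """Build a cookie in the legacy layout (only to illustrate the format)."""
    return base64.b64encode(SEP.join(f.encode("latin-1") for f in fields)).decode()

def issue_signed_cookie(fields, secret):
    """Hardened variant: same payload plus an HMAC tag under a server-side
    secret. The tag is a fixed-length suffix, so a 0x02 byte inside the tag
    can never be mistaken for a field separator."""
    payload = SEP.join(f.encode("latin-1") for f in fields)
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()

def verify_signed_cookie(cookie, secret):
    """Return the fields if the tag checks out, else None. Any change to the
    payload (a different user id, for instance) invalidates the tag, so the
    server never acts on a field it did not sign. compare_digest avoids
    leaking where the comparison failed through timing."""
    try:
        raw = base64.b64decode(unquote(cookie), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:     # no room for payload plus tag: unsigned cookie
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return [f.decode("latin-1") for f in payload.split(SEP)]

if __name__ == "__main__":
    # Constructed sample fields, in the order seen in the decoded cookie above.
    fields = ["J202196", "Wojtek", "68", "0", "0"]
    print(decode_toj_cookie(encode_legacy(fields)))
    secret = b"constructed-server-secret-do-not-reuse"   # assumption
    print(verify_signed_cookie(issue_signed_cookie(fields, secret), secret))
```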

Re: incorrect session handling on TOJ

Postby Caithness » Sat Jul 02, 2011 10:24 pm

Where do you view the password? I forgot mine long ago, and have been using this method to log in since I started playing again.

Until I started getting a crash when I tried to launch TOJ from the command line. Oh well, I guess it doesn't matter any more since they're shutting it all down anyway.
Caithness
 
Posts: 6
Joined: Sat Jul 02, 2011 10:13 pm

Re: incorrect session handling on TOJ

Postby Wojtek » Sat Jul 02, 2011 10:33 pm

You can't see or change the password this way.
If your TOJ is crashing when running from the command line then you probably forgot the enc parameter.
This is the correct command:
tetris.exe enc id=202196 pw=54fde05f2d5dc5433f5cf16897a3c4f4 ip=tgame.tetrisonline.jp
Wojtek
Site Admin
 
Posts: 233
Joined: Sat Jun 18, 2011 4:09 am

Re: incorrect session handling on TOJ

Postby Caithness » Sat Jul 02, 2011 10:40 pm

Oh, I was putting a - in front of enc. I guess I got confused and thought the Windows command line worked the same way Unix does.
Caithness
 
Posts: 6
Joined: Sat Jul 02, 2011 10:13 pm
