
Security and privacy concerns regarding Arc and arcgames.com

frtoaster Member Posts: 3,354 Arc User
Some of us were discussing security and privacy concerns regarding Arc and arcgames.com in the thread about the forum migration.

Forums are off again

That thread seems to have died down, and this discussion seems a little off-topic for that thread anyway. Also, no one has posted in the previous two threads about Arc and arcgames.com in months:

Feedback Requested: Arc Download and STO Install via Arc
Arcgames.com is Ready for your Feedback

That's why I decided to start a new thread. I will quote the relevant comments from the forum migration thread.
frtoaster wrote: »
Because of concerns about the security of the new forums, I decided to do some poking around. Forget about Vanilla Forums for the moment. What about PWE's own security? I'm not exactly happy with what I found. Keep in mind that I only have passing knowledge of this stuff. You should hire an expert to audit your security measures. Most programmers and IT staff are not experts in security. I would not feel comfortable performing such an audit myself.


Flash plugin installed by Arc

If I view my Firefox plugins, I see that I have two versions of Flash installed.

Shockwave Flash 16.0.0.235
Shockwave Flash 17.0.0.169

Above "Shockwave Flash 16.0.0.235", there is a warning message:

Shockwave Flash is known to be vulnerable and should be updated.

If I go to about:plugins, I see that "Shockwave Flash 16.0.0.235" was installed by Arc. The DLL was installed here:

C:\Program Files (x86)\Perfect World Entertainment\Arc\plugins\NPSWF32.dll

If I set "Shockwave Flash 16.0.0.235" to "Never Activate" and restart Firefox, I find that "Shockwave Flash 17.0.0.169" has also been disabled. Stop installing outdated, insecure versions of Flash on my computer. I keep my own version of Flash up to date. Even if you update Arc's version of Flash, I don't run Arc often enough to keep that version up to date.


arcgames.com

You may be missing an SSL certificate. I'm not sure whether you don't have one or whether Firefox doesn't accept yours because you're using a weak signature scheme. You are also using an encryption scheme that has been deprecated as insecure. I have provided reproduction steps below.

1. Start Firefox.
2. Type arcgames.com into the address bar and press Enter. You are redirected to

http://www.arcgames.com/en/games

3. If you click on "Sign in" in the upper right, a form drops down asking for your "User Name / Email" and "Password".
4. Press Ctrl+U to view the source code for the page.
5. Search for the form with class="form-horizontal form-sign-in-header". The source code shows that the form posts to

https://www.arcgames.com/en/sign/in

6. Copy and paste the above URL into the address bar and press Enter.
7. Click on the warning icon to the left of the URL in the address bar. Firefox shows the following warning message:

This website does not supply identity information.

The connection to this website is not fully secure because it contains unencrypted elements (such as images) or the encryption is not strong enough.

8. Press Ctrl+Shift+K to open the web developer console. Search for the following warning messages:

This site uses the cipher RC4 for encryption, which is deprecated and insecure.
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.

9. Type your user name and password, and click "Sign In".
10. Click on "CHARGE". You are sent to

https://billing.arcgames.com/en/

11. Repeat steps 7 and 8.
frtoaster wrote: »
Who are Disqus? I just received an email from them asking me to verify my email address:
Welcome to Disqus, frtoaster!

Why verify?

Many sites using Disqus require a verified email for commenting to prevent spam. Verifying lets you join discussions quickly and easily.

They know that my forum name is associated with this email address, so I can only assume it has something to do with the new forums. Does Vanilla Forums use Disqus to verify email addresses? Why am I receiving this email from them?
Aha, found it.

http://www.arcgames.com/en/social/all

So if you click on any of those where it has the comments thing...

It gives the option to login for...

Arc
Disqus
Facebook
Twitter

It has a thing there where it looks like there might be 1 comment, the little 1 in the red chat/speaking/dialogue icon...but when you click on it, it pops up in the current window the following:

http://i.imgur.com/IwIZLYH.png

I wasn't logged in to Arc at the time.

So, what the Hell, let me log in and see what happens.

And yep, it logged me into Disqus...well then...hrmmm, that kind of sucks. Heh, I'd forgotten about Disqus until you mentioned it, one of those back of the mind things. But searching my email, I apparently signed up for it back in June 2012.

There is not a chance in Hell that my Arc password is the same password I would have used three years ago...

...that's pretty freaking effed up.

Must be some authorization scheme at play...meh. :(

edit: Gets into this: https://disqus.com/api/docs/auth/

And I'm wondering just where I agreed to allow Arc to do that....ffs.

There's nothing that I see in any of the "smallprint" stating that I've agreed to that...

edit2: That's just some damn ****ed up bull**** there in your case then, cause it ****ing looks like they created the ****ing Disqus account on your behalf and Disqus is asking you to verify. What a load of ****...
frtoaster wrote: »
I think they created one of these site-specific profiles for me instead of an actual account.

https://help.disqus.com/customer/portal/articles/1897513-site-specific-profiles-

Of course, if they did create a Disqus account for me, I have no idea what the login and password would be.
Weirdly, right after visiting the link that VirusDancer shared, I got an email from Disqus asking me to confirm my email address. So it's not even from clicking on a comment section on that page, it's from visiting that page whilst signed in to Arc... I don't like that. For one, I actually already have a Disqus account associated with a different email address to the one I use for Arc/Cryptic stuff. I don't want or need a second Disqus account.
frtoaster wrote: »
Oh, is that what caused it? Visiting the "SOCIAL" tab? I do remember clicking on that tab. I don't remember seeing that Disqus login form before virusdancer showed it to me. I definitely did not sign up for a Disqus account; I would have remembered typing in a login name and password. So clicking on the "SOCIAL" tab creates a site-specific profile on Disqus and sends them your email address. They should probably explicitly mention that somewhere.
Waiting for a programmer ...

Comments

  • guilli88 Member Posts: 0 Arc User
    edited May 2015
    Do a good write-up and mail to game news and tech sites. They love anything they can cover that involves security issues and consumer privacy threats these days.


    wired: submit@wired.com
    arstechnica: http://arstechnica.com/contact-us/
    Gawker: tips@gawker.com
    Kotaku: tips@kotaku.com
    io9: tips@io9.com

    And various more.

    sig

    http://img825.imageshack.us/img825/5451/om71.jpg

    It is a peculiar phenomenon that we can imagine events that defy the laws of the universe.
  • frtoaster Member Posts: 3,354 Arc User
    edited May 2015
    frtoaster wrote: »
    Flash plugin installed by Arc

    If I view my Firefox plugins, I see that I have two versions of Flash installed.

    Shockwave Flash 16.0.0.235
    Shockwave Flash 17.0.0.169

    Above "Shockwave Flash 16.0.0.235", there is a warning message:

    Shockwave Flash is known to be vulnerable and should be updated.

    If I go to about:plugins, I see that "Shockwave Flash 16.0.0.235" was installed by Arc. The DLL was installed here:

    C:\Program Files (x86)\Perfect World Entertainment\Arc\plugins\NPSWF32.dll

    If I set "Shockwave Flash 16.0.0.235" to "Never Activate" and restart Firefox, I find that "Shockwave Flash 17.0.0.169" has also been disabled. Stop installing outdated, insecure versions of Flash on my computer. I keep my own version of Flash up to date. Even if you update Arc's version of Flash, I don't run Arc often enough to keep that version up to date.

    Today, I installed the latest version of Flash, version 17.0.0.188. I ran Arc to see if it would remove the old, insecure version. Arc did patch something, but version 16.0.0.235 of Flash is still installed.
    guilli88 wrote: »
    Do a good write-up and mail to game news and tech sites. They love anything they can cover that involves security issues and consumer privacy threats these days.


    wired: submit@wired.com
    arstechnica: http://arstechnica.com/contact-us/
    Gawker: tips@gawker.com
    Kotaku: tips@kotaku.com
    io9: tips@io9.com

    And various more.

    They shouldn't need the embarrassment of media coverage to fix their problems. I'm hoping Trendy sees this thread and passes the information onto the right people.
    Waiting for a programmer ...
  • edited May 2015
    This content has been removed.
  • the1tigglet Member Posts: 1,421 Arc User
    edited May 2015
    frtoaster wrote: »
    Today, I installed the latest version of Flash, version 17.0.0.188. I ran Arc to see if it would remove the old, insecure version. Arc did patch something, but version 16.0.0.235 of Flash is still installed.



    They shouldn't need the embarrassment of media coverage to fix their problems. I'm hoping Trendy sees this thread and passes the information onto the right people.

    Sadly sometimes that's the only way you can get some developers to do their jobs.

    For example, you have to send them a tweet in order for them to fix bugs that's the latest method, reporting anything using their tool does nothing.
  • frtoaster Member Posts: 3,354 Arc User
    edited June 2015
    I just uninstalled and reinstalled Arc to see if they've fixed some of the problems that I noticed before.

    This time, I installed Arc in a directory where standard users have write access to see if I could run Arc without being administrator. Instead of installing Arc in

    C:\Program Files (x86)\Perfect World Entertainment\Arc

    as I had previously, this time, I installed it in

    C:\Games\Arc

    It didn't work. Arc still requires administrator access to run. Why? Is it because Arc needs to patch itself? There's no reason to disallow normal users from patching Arc. I have STO installed in C:\Games\Star Trek Online_en, and I can patch STO just fine without being administrator.

    Arc still installs a vulnerable version of Flash (version 16.0.0.235). The following information is from about:plugins in Firefox:

    Shockwave Flash

    File: NPSWF32.dll
    Path: C:\Games\Arc\Plugins\NPSWF32.dll
    Version: 16.0.0.235
    State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
    Shockwave Flash 16.0 r0

    First, you should remove this vulnerable plugin. Second, you should stop installing versions of Flash on behalf of the user. I keep my own version of Flash up to date, but I don't run Arc often enough to keep its version up to date.
    Waiting for a programmer ...
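
Added example, not part of the thread: a small inventory check over `about:plugins`-style records like the one quoted in the post above, flagging any plugin copy that the browser marks vulnerable or that is older than another installed copy of the same plugin. The second record in the sample (the system-wide 17.0.0.188 copy, its path and its state) is constructed for illustration; the function names are hypothetical.

```python
import re

FIELD_RE = re.compile(r"\s*(File|Path|Version|State):\s*(.+?)\s*$")

def parse_plugins(text):
    """Split about:plugins text into one dict per plugin (a 'File:' line starts a record)."""
    plugins, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "file":
            current = {"file": value}
            plugins.append(current)
        elif current is not None:
            current[key] = value
    return plugins

def family(filename):
    """Group copies of one plugin: NPSWF32.dll and NPSWF32_17_0_0_188.dll are the same family."""
    return re.sub(r"(_\d+)+\.dll$", ".dll", filename, flags=re.I).lower()

def version_key(version):
    return tuple(int(part) for part in version.split("."))

def flag_stale(plugins):
    """Return (path, version, reasons) for every copy that should be removed or updated."""
    newest = {}
    for p in plugins:
        fam = family(p["file"])
        newest[fam] = max(newest.get(fam, (0,)), version_key(p["version"]))
    flagged = []
    for p in plugins:
        reasons = []
        if "VULNERABLE" in p.get("state", ""):
            reasons.append("blocklisted")
        if version_key(p["version"]) < newest[family(p["file"])]:
            reasons.append("older-duplicate")
        if reasons:
            flagged.append((p["path"], p["version"], reasons))
    return flagged

# First record: as quoted in the thread. Second record: constructed sample.
SAMPLE = r"""
File: NPSWF32.dll
Path: C:\Games\Arc\Plugins\NPSWF32.dll
Version: 16.0.0.235
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)

File: NPSWF32_17_0_0_188.dll
Path: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_188.dll
Version: 17.0.0.188
State: Enabled
"""

if __name__ == "__main__":
    for path, version, reasons in flag_stale(parse_plugins(SAMPLE)):
        print(f"{path} ({version}): {', '.join(reasons)}")
```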
  • angrytarg Member Posts: 11,008 Arc User
    edited June 2015
    I like how concerns like that pop up shortly before a major migration/forcing users to use another service takes place and, usually, go by completely unaddressed. I really hope it's not the case this time, though.
    ^ Memory Alpha.org is not canon. It's a open wiki with arbitrary rules. Only what can be cited from an episode is. ^
    "No. Men do not roar. Women roar. Then they hurl heavy objects... and claw at you." -Worf, son of Mogh
    "A filthy, mangy beast, but in its bony breast beat the heart of a warrior" - "faithful" (...) "but ever-ready to follow the call of the wild." - Martok, about a Targ
    "That pig smelled horrid. A sweet-sour, extremely pungent odor. I showered and showered, and it took me a week to get rid of it!" - Robert Justman, appreciating Emmy-Lou
  • rsoblivion Member Posts: 809 Arc User
    edited June 2015
    Lol I don't use Arc for these very reasons. It's shady as fark in the first place, these little failures to keep security tight don't help the claims of Arc being secure. It may not phone home like Origin did on release, doesn't excuse poor security.
    Chris Robert's on SC:
    "You don't have to do something again and again and again repetitive that doesn't have much challenge, that's just a general good gameplay thing."
  • mustrumridcully0 Member Posts: 12,963 Arc User
    edited June 2015
    Sadly sometimes that's the only way you can get some developers to do their jobs.

    For example, you have to send them a tweet in order for them to fix bugs that's the latest method, reporting anything using their tool does nothing.
    Whenever that works, you will never learn what kind of other bugs were not fixed, or what kind of feature was not implemented or delayed, and you'll also never know if they weren't already working on that issue anyway.

    Issues and features are usually prioritized, and done in that order. If a programmer had to choose, he'd often rather pick the kind of tasks that look fun to do, not the ones that are actually important. An "easy" bugfix can often be exactly like that - it seems easy enough to do, so you quickly achieve a success. But "quickly" doesn't mean "no time" and there might be context switches involved as you drop everything you're just doing and do something else instead.

    It didn't work. Arc still requires administrator access to run. Why? Is it because Arc needs to patch itself? There's no reason to disallow normal users from patching Arc. I have STO installed in C:\Games\Star Trek Online_en, and I can patch STO just fine without being administrator.
    Most likely, they require it because they don't assume you put it into an unprotected order like "Games", but instead under Program Files. Also, if the arc launcher also patches other installed games, it would still need the rights for those.

    It's hardly ideal, but putting your games or programs in a folder that is not protected by Windows Resource Protection is not actually that great either - it would still allow infecting your machine with malicious software without administration privileges.
    Star Trek Online Advancement: You start with lowbie gear, you end with Lobi gear.
  • frtoaster Member Posts: 3,354 Arc User
    edited June 2015
    Most likely, they require it because they don't assume you put it into an unprotected order like "Games", but instead under Program Files. Also, if the arc launcher also patches other installed games, it would still need the rights for those.

    It's hardly ideal, but putting your games or programs in a folder that is not protected by Windows Resource Protection is not actually that great either - it would still allow infecting your machine with malicious software without administration privileges.

    Right now, I have my games installed in a directory where normal users have write access. That allows the games to patch themselves, and I don't have to log in as an administrator in order to play. It might not be an ideal solution, but it's better than logging in as administrator every time I want to play a game. If the game allows malicious software through, it is limited to whatever damage a normal user can do. It might completely overwrite my game directories. But it won't overwrite C:\Program Files and C:\Program Files (x86), where I have my other programs installed. And what if I want to browse the Web while playing a game? If some malicious code escapes the browser's sandbox, I don't want to be logged in as administrator when that happens. It's especially disconcerting when Arc includes its own web browser and a vulnerable version of Flash.
    Waiting for a programmer ...
  • mustrumridcully0 Member Posts: 12,963 Arc User
    edited June 2015
    frtoaster wrote: »
    Right now, I have my games installed in a directory where normal users have write access. That allows the games to patch themselves, and I don't have to log in as an administrator in order to play. It might not be an ideal solution, but it's better than logging in as administrator every time I want to play a game. If the game allows malicious software through, it is limited to whatever damage a normal user can do. It might completely overwrite my game directories. But it won't overwrite C:\Program Files and C:\Program Files (x86), where I have my other programs installed. And what if I want to browse the Web while playing a game? If some malicious code escapes the browser's sandbox, I don't want to be logged in as administrator when that happens. It's especially disconcerting when Arc includes its own web browser and a vulnerable version of Flash.

    If malicious code can get out of your browser's sandbox, it is not important whether anything you have running is in admin mode or not. The question is - is the browser? If so, then the malicious code has admin rights. If not, the malicious code needs a way to escalate its privileges, and for that it doesn't require another program generally speaking, but a security hole in windows itself. A low privilege process should (barring windows vulnerabilities) not be able to manipulate a program in admin mode.


    Though it is a problem that Arc needs Flash. With HTML5, they shouldn't really have a need for that anymore - they need to get a decent browser into Arc, maybe something based on Chromium or Webkit or so, but whatever fits the bill of good HTML 5, Javascript and CSS compatibility. Flash will probably always be an extra security risk, regardless of version. (Not that another browser technology couldn't have that as well...)
    Star Trek Online Advancement: You start with lowbie gear, you end with Lobi gear.
  • hojain2020 Member Posts: 417 Arc User
    edited June 2015
    I don't trust ARC at all. Prefer all money transfers through steam. Considering the few issues steam customer support has had steam is way more accessible than ARC.
    STO NPC AI LEVEL--->
  • frtoaster Member Posts: 3,354 Arc User
    edited June 2015
    If malicious code can get out of your browser's sandbox, it is not important whether anything you have running is in admin mode or not. The question is - is the browser? If so, then the malicious code has admin rights. If not, the malicious code needs a way to escalate its privileges, and for that it doesn't require another program generally speaking, but a security hole in windows itself. A low privilege process should (barring windows vulnerabilities) not be able to manipulate a program in admin mode.

    Perhaps, I am not understanding you correctly, or you are not understanding me. I don't browse the Web using Arc. Actually, I normally don't run Arc at all. I run STO's launcher and client as a standard user, and I run my own web browser as a standard user. That suits me fine today, but they may someday make Arc mandatory. What I don't want is to have to log in as administrator in order to play the game. Then, I would be logged in as administrator if I open other programs, such as a web browser, while playing the game. Yes, if both the browser and the OS have serious enough security holes, then it wouldn't matter whether you run the browser as administrator or not. Are you saying that it doesn't matter at all whether you run a web browser as administrator? Admittedly, I am not an expert in Windows security. If you know more, then please explain.

    I generally don't think it is a good idea to require the user to be an administrator in order to run your application. I log in as administrator to install and remove programs. If I'm not actually doing administration, then I log in as a standard user. The problem is that many games today require patching, and the program you use to patch the game is the same one you use to launch it. You need to run that program even if you only want to play, not patch. That's why I started installing games in a separate directory that standard users can write to. If you have a better solution, then I would like to hear it.
    Flash will probably always be an extra security risk, regardless of version. (Not that another browser technology couldn't have that as well...)

    Agreed, but they're installing a version of Flash that is known to be vulnerable. Are they going to keep installing updated versions of Flash? How often do they expect users to patch Arc? The Flash DLL that they installed is visible not only in Arc, but also in Firefox. Maybe, all Gecko-based web browsers can see it; I'm not completely sure.
    Waiting for a programmer ...
  • frtoaster Member Posts: 3,354 Arc User
    edited June 2015
    frtoaster wrote: »
    You may be missing an SSL certificate. I'm not sure whether you don't have one or whether Firefox doesn't accept yours because you're using a weak signature scheme. You are also using an encryption scheme that has been deprecated as insecure. I have provided reproduction steps below.

    Firefox still doesn't recognize your certificate. I'm not sure why. Updated reproduction steps are provided below.

    1. Start Firefox 38.0.5 on Windows 7 Home Premium (64-bit), Service Pack 1.
    2. Type arcgames.com into the address bar and press Enter. You are redirected to

    http://www.arcgames.com/en/games

    3. Click on "Sign in" in the upper right. A form drops down asking for your "User Name / Email" and "Password".
    4. Press Ctrl+U to view the source code for the page.
    5. Search for the form with class="form-horizontal form-sign-in-header". The source code shows that the form posts to

    https://www.arcgames.com/en/sign/in

    6. Copy and paste the above URL into the address bar and press Enter.
    7. Click on the warning icon to the left of the URL in the address bar. Firefox shows the following warning message:

    This website does not supply identity information.

    The connection to this website is not fully secure because it contains unencrypted elements (such as images) or the encryption is not strong enough.

    8. Click the "More Information..." button.
    9. Read the text below "Website Identity":

    Website: www.arcgames.com
    Owner: This website does not supply ownership information.
    Verified by: Not specified

    10. Read the text below "Technical Details":

    Broken Encryption (TLS_RSA_WITH_RC4_128_SHA, 128 bit keys, TLS 1.2)

    Parts of the page you are viewing were not encrypted or the encryption is not strong enough before being transmitted over the Internet.

    Information sent over the Internet without encryption can be seen by other people while it is in transit.

    11. Click the "View Certificate" button. Read the certificate information:

    Issued To
    Common Name (CN): *.arcgames.com
    Organization (O): <Not Part Of Certificate>
    Organizational Unit (OU): Domain Control Validated
    Serial Number: 04:0D:29:90:BE:46:B8
    Issued By
    Common Name (CN): Go Daddy Secure Certification Authority
    Organization (O): GoDaddy.com, Inc.
    Organizational Unit (OU): http://certificates.godaddy.com/repository
    Period of Validity
    Begins On: 7/11/2013
    Expires On: 7/11/2015
    Fingerprints
    SHA-256 Fingerprint: [deleted by me because the forum treats parts of the string as smiley faces]
    SHA1 Fingerprint: [deleted by me because the forum treats parts of the string as smiley faces]

    12. Press Ctrl+Shift+K to open the Web Console. Search for the following warning messages:

    This site uses the cipher RC4 for encryption, which is deprecated and insecure.
    This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.

    13. Type your user name and password, and click "Sign In".
    14. Click on "CHARGE". You are sent to

    https://billing.arcgames.com/en/

    15. Repeat steps 7 and 8.
    16. Read the text below "Website Identity":

    Website: billing.arcgames.com
    Owner: This website does not supply ownership information.
    Verified by: Not specified

    17. Repeat steps 10 through 12.


    The following tool also fails to recognize the certificate for www.arcgames.com and billing.arcgames.com:

    https://www.grc.com/fingerprints.htm

    The above tool does recognize the certificate for account.perfectworld.com. This certificate is used by the current forum (sto-forum.perfectworld.com), which will be taken down soon. The login page (http://www.perfectworld.com/login) posts to

    https://account.perfectworld.com/login

    The pop-up login form for the current forum also posts to the above URL.

    For comparison, here is the security information for that POST:

    Connection:
    Protocol version: TLSv1.2
    Cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
    Host account.perfectworld.com:
    HTTP Strict Transport Security: Disabled
    Public Key Pinning: Disabled
    Certificate:
    Issued To
    Common Name (CN): perfectworld.com
    Organization (O): Perfect World Entertainment
    Organizational Unit (OU): Akamai SAN SSL OV
    Issued By
    Common Name (CN): GeoTrust SSL CA
    Organization (O): GeoTrust, Inc.
    Organizational Unit (OU): <Not Available>
    Period of Validity
    Begins On: 10/12/2014
    Expires On: 12/13/2015
    Fingerprints
    SHA-256 Fingerprint: [deleted by me because the forum treats parts of the string as smiley faces]
    SHA1 Fingerprint: [deleted by me because the forum treats parts of the string as smiley faces]

    I obtained this information from the "Security" tab of Firefox's Network Monitor (Ctrl+Shift+Q).

    https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor
    https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor#Security


    Note that the certificate for www.arcgames.com and billing.arcgames.com is recognized by Internet Explorer 11.0.9600.17843 running on Windows 7 Home Premium (64-bit), Service Pack 1. Different browsers running on different operating systems may treat this certificate differently. Here is a tool to help you diagnose the problems:

    https://www.ssllabs.com/ssltest/
    Waiting for a programmer ...
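
Added example, not part of the thread: a sketch of how the Firefox output quoted in the post above can be audited automatically, by decomposing each cipher suite name into key exchange, bulk cipher and MAC and checking the certificate and HSTS lines. The two sample reports are assembled from lines quoted in the post; the audit date, the 30-day expiry threshold and the function and finding names are assumptions made for this example.

```python
import re
from datetime import date

# Suite names follow TLS_<key exchange>_WITH_<bulk cipher>_<MAC or PRF hash>.
SUITE_RE = re.compile(r"\bTLS_([A-Z0-9_]+?)_WITH_([A-Z0-9_]+)_(SHA\d*|MD5)\b")

def audit_suite(name):
    """Return a list of findings for one cipher suite name."""
    m = SUITE_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a TLS cipher suite name: {name!r}")
    key_exchange, cipher, _mac = m.groups()
    findings = []
    if not key_exchange.startswith(("ECDHE", "DHE")):
        # Static RSA key transport: recorded traffic can be decrypted
        # later if the server's private key is ever disclosed.
        findings.append("no-forward-secrecy")
    if cipher.startswith("RC4"):
        findings.append("rc4-prohibited")   # RFC 7465 prohibits RC4 suites in TLS
    elif cipher.startswith(("NULL", "DES", "3DES")):
        findings.append("weak-cipher")
    elif cipher.endswith("CBC"):
        findings.append("cbc-mode")         # MAC-then-encrypt; prefer AEAD (GCM) suites
    return findings

def audit_report(text, today, min_days=30):
    """Audit pasted Firefox security text: suites, SHA-1 warning, HSTS, expiry."""
    findings = []
    for suite in sorted({m.group(0) for m in SUITE_RE.finditer(text)}):
        findings += [f"{suite}: {f}" for f in audit_suite(suite)]
    if "SHA-1 Certificate" in text:
        findings.append("sha1-cert-signature")
    if re.search(r"HTTP Strict Transport Security:\s*Disabled", text):
        findings.append("hsts-disabled")
    m = re.search(r"Expires On:\s*(\d{1,2})/(\d{1,2})/(\d{4})", text)  # M/D/YYYY
    if m:
        month, day, year = map(int, m.groups())
        days_left = (date(year, month, day) - today).days
        if days_left < 0:
            findings.append("cert-expired")
        elif days_left < min_days:
            findings.append(f"cert-expires-in-{days_left}-days")
    return findings

# Samples assembled from lines quoted in the post above.
ARC_REPORT = """\
Broken Encryption (TLS_RSA_WITH_RC4_128_SHA, 128 bit keys, TLS 1.2)
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.
Expires On: 7/11/2015
"""
PW_REPORT = """\
Cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
HTTP Strict Transport Security: Disabled
Expires On: 12/13/2015
"""
AUDIT_DATE = date(2015, 6, 20)  # constructed: the post is only dated "June 2015"

if __name__ == "__main__":
    for label, report in (("www.arcgames.com", ARC_REPORT),
                          ("account.perfectworld.com", PW_REPORT)):
        print(label)
        for finding in audit_report(report, AUDIT_DATE):
            print("  -", finding)
```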
  • sardocian Member Posts: 187 Arc User
    edited June 2015
    Honest question - why is the old version of flash a big deal? The risk of flash being exploited comes from navigating to compromised or malicious websites - I presume you are using a patched up-to-date version of flash in the web browser you use to navigate the web.

    If the ARC application uses embedded flash that has vulnerabilities, what is the actual risk? They already have an application installed and running on your computer, so it's not like they gain anything from pushing out malicious flash apps through ARC.

    I agree it's always a good idea to patch, but in this case, since they are using an embedded instance of flash (e.g. it's found in their ARC directory), it sounds like they took steps to isolate their instance of flash from the rest of the system, which is actually a good thing from a security point of view.
  • frtoaster Member Posts: 3,354 Arc User
    edited June 2015
    sardocian wrote: »
    Honest question - why is the old version of flash a big deal? The risk of flash being exploited comes from navigating to compromised or malicious websites - I presume you are using a patched up-to-date version of flash in the web browser you use to navigate the web.

    If the ARC application uses embedded flash that has vulnerabilities, what is the actual risk? They already have an application installed and running on your computer, so it's not like they gain anything from pushing out malicious flash apps through ARC.

    I agree it's always a good idea to patch, but in this case, since they are using an embedded instance of flash (e.g. it's found in their ARC directory), it sounds like they took steps to isolate their instance of flash from the rest of the system, which is actually a good thing from a security point of view.

    I believe I already mentioned this. The insecure version of Flash installed by Arc shows up as a plugin in Firefox. If I set Arc's version of Flash to "Never Activate" and restart Firefox, I find that the up-to-date version of Flash that I installed is also set to "Never Activate". I'm guessing that Firefox is smart enough not to use the version of Flash that it has flagged as vulnerable, but I'm not completely sure.

    So Arc's version of Flash is not isolated only to Arc. Even if it were, it would still put unsuspecting users who use Arc to visit other websites at risk.
    frtoaster wrote: »
    Flash plugin installed by Arc

    If I view my Firefox plugins, I see that I have two versions of Flash installed.

    Shockwave Flash 16.0.0.235
    Shockwave Flash 17.0.0.169

    Above "Shockwave Flash 16.0.0.235", there is a warning message:

    Shockwave Flash is known to be vulnerable and should be updated.

    If I go to about:plugins, I see that "Shockwave Flash 16.0.0.235" was installed by Arc. The DLL was installed here:

    C:\Program Files (x86)\Perfect World Entertainment\Arc\plugins\NPSWF32.dll

    If I set "Shockwave Flash 16.0.0.235" to "Never Activate" and restart Firefox, I find that "Shockwave Flash 17.0.0.169" has also been disabled. Stop installing outdated, insecure versions of Flash on my computer. I keep my own version of Flash up to date. Even if you update Arc's version of Flash, I don't run Arc often enough to keep that version up to date.
    Waiting for a programmer ...