TLDR: Wormhole tracking software may or may not be totally exposed, lets try and tighten it down a bit.
Wormhole Tracking Software (WTS)
I've commented multiple times on using WTS such as Siggy as my preferred method of tracking wormhole travel and recording signature IDs. The ability to quickly share information between corp members is an invaluable tool that every serious wormholer I know relies on.
Before WTS, everyone just used a shared google doc that highlighted entrances, exists, time found, mass status and if the wormhole was filled with baddies who wanted you dead.
Now, we have multiple to choose from. I'm going to show a hole in one of them. Isogen 5 up to the time of my leaving them, were using "Siggy" as their preferred WTS. I hope to god they've stopped.
The problem:
The overall issue is a complex one that has many effecting parts. The primary one, EVE is at its heart is a diabolical test of space sociopaths to do ISK damages on others. One defense of that main goal is the invention of an API key.
API keys are a clever way for one pilot to give limited access to their accounts to another pilot. How much money they have, who they send that money to, how many spaceships they've killed, who's spaceships they've killed, really really good information that can be verified, reviewed and confirmed. You're API key is your history, its your account and its everything it needs to be for someone (not you) to confirm all the information you've said is in fact, true.
Now WTS use API keys on a very limited scale. The software does a simple check of who you are, what corp you are in and with your permission, where you are. This is how they work. Super handy!!
Where in the ever changing string of wormhole connections are you, in relation to where you hang your hat, or in this case, where others hang their hats. This is the issue.
Let me walk you through an application process in most wormhole corps.
Corp #1 -- Lets call them HK (Heavenly Knobs, NOT Hard Knocks, seriously not Hard Knocks)
Applicant: Hi I want to join your wormhole corp.
Recruiter: Sure, send me your API so we can see how much of a spy you are.
Applicant: Ok here it is. 123UU0u0J)(**&080JFIJIEU)(*U)JEOJFJjIJFIEJNHNENB
Recruiter: (after reviewing and storing the API Key) Hmm, seems you're more of a space spy than we thought. Go ahead and get fucked.
Applicant: No problem, never liked you anyway
The process so far is a normal one, some people just aren't right for all corps, it happens. The applicant still wanting to get those dank Wspace kills simply moves to the next corp in the kill board list.
Corp #2 -- Lets call them I5 (Interesting 5 Guys, NOT Isogen5, Seriously)
Applicant: Hi, I want to join your wormhole corp.
Recruiter: Sure, send me your API so we can see how much of a spy you are.
Applicant: Ok here it is. 123UU0u0J)(**&080JFIJIEU)(*U)JEOJFJjIJFIEJNHNENB
The same API key that was sent to Corp #2, because lets be real here, who wants to make a new identical selection API key, each time you send it to a different recruiter. Its the same selections right? Same information... whats the big deal? Its just an account viewing method right, whats the harm?
Well with that API key, Corp #1 can go to https://siggy.borkedlabs.com/ and log in to siggy with a different email address and the applicants API KEY, and see every single bit of information you/the corp have put on Siggy. They key here is the fact that Corp #2 is using Siggy as their paid WTS.
But thats crazy! There must be some sort of security preventing that right?!
According to this picture, the creator of siggy simply asks you nicely "Please do not use API keys that do not belong to you ". Sure, let me not violate my EVE space honor.
Whats also interesting is I'm fairly sure it works with most other WTS out there. (someone other than me please test and respond). I'll be talking about this issue on the next DTP (downthepipe-wh.com), I would love to have you on the show.
Another fun thing you can do with API's, if that API is something other than just the normal verification API, its as something as dangerous as a "FULL API" those people can use that API to read your in game mails, out of game. Using an API checker to read your corp mails. Corp mails that may or may not contain other peoples API's that are sent to you during your long history in this game.
What can we do?! The answer is "Not much'.
Here are some suggestions to limit your exposure. All of them are totally unreasonable, and won't address the overall problem, but its all I got at this point.
1. Remove every API key you have in the corp using a WTS. Go to this link and delete/reconfigure every API key you have. This in all honesty should be done every 3 to 6 months in this game. Just make it a habit. Remember you might not give a shit about your travels in a chain, others in your corp you are exposing, may care. --- If you have a spi already or soon to be in your corp, this won't make a lick of difference because they simply won't delete their APIs.
Worse, even if you ask to verify their API's are deleted, if they are a spi, they'll simply make a new one and send it to Heavenly Knobs, who may or may not have kept every single API key ever sent to them, inside both HK and PL (Panda Legacy, not Pandemic Legion, seriously) they are both totally different corps that don't share kill mails/members or anything. Then devious fellow with said API, randomly inserted into Siggy. The life of that API key/person moving from one corp to another, spreading an security hole, like bad case of bleeding genital warts.
2. Stop using Siggy. Siggy so far is the only one I've tested, but being able to access my chain outside of the game, while I'm logged into the game, without my knowledge its happening seems like a totally fked up system. -- Again, if you have a spi already, simply switching to another WTS, won't do shit for you. The spi will simply give access to your information no matter what.
3. Without having a CCP protected log, each player could access, to know exactly how, when and which API key was used. Players have little to no control of an API key, the second its given to a 2nd party.
This is like that little evaluation you do with a stranger at a bar. How many and what kind of D's has this person handled... and how many D's have those people handled. (Off topic PSA: use protection every time, no matter what, seriously)
I'm sorry I don't have all the answers, when I do, I'll share them, but right now WTS with API key verification seems to be totally exposed, please enjoy sharing your chain with the world.
o7 Spear!
ReplyDeleteAs far as I know, how tripwire handles it is that when you register as a corporation, you provide a corp API key that confirms your corp identity in EVE. When you create a mask you set which corporations have access to it. So an API key from an I5 (not Isogen 5) user who leaves I5 and moves to HK (not Hard Knocks) will not give them access to the I5 mask after they leave because the API will show they are in HK. It will give them access to the HK mask if HK opens their mask to their own corp.
Hope that makes sense. I don't know how siggy does it but if it doesn't do it like that, it definitely seems broken.
EDIT: New comment after considering what I wrote
ReplyDeleteI see what you're getting at. It isn't about whether or not Siggy or Tripwire properly limits API key access to the API corporation but rather that I, as a third party, could use your API key *while you belong to a certain corp* to gain access to your corps chain.
I believe that Tripwire doesn't allow multiple account registrations using the same character so trying to register a second account for the same EVE account would not work. Feel free to delete or amend my previous comment with my new enlightened answer.
Tripwire fixed that a while ago. Problem is already solved. Switch tools.
ReplyDeleteTripwire does not have this weakness. You can even checkout the source code to be sure since it is now open source and you can run your own copy!
ReplyDeleteWell, maybe i am in the wrong, but Tripwire requires a username and password.
ReplyDeleteEh, the real issue is that corps still request APIs from applicants. It's laughably easy to have a clean API for recruitment purposes so it doesn't actually tell the recruiter anything and all it does is raise these kinds of security concerns.
ReplyDeleteThere is a log provided by CCP to show what is accessing your API keys here: https://community.eveonline.com/support/api-key/log/
ReplyDeleteI do wish the log history was retained for longer.