Thursday, February 18, 2016

Wormhole Tracking Software, API Keys and You

The goal of this post is to highlight what I know to be an issue. I feel the more information available and eyes on the issue, the sooner it may get fixed. I've also made a video on the topic, for those who 'en't got no time fer read'in'.

TLDR: Wormhole tracking software may or may not be totally exposed, lets try and tighten it down a bit. 




Wormhole Tracking Software (WTS)


I've commented multiple times on using WTS such as Siggy as my preferred method of tracking wormhole travel and recording signature IDs. The ability to quickly share information between corp members is an invaluable tool that every serious wormholer I know relies on.

Before WTS, everyone just used a shared google doc that highlighted entrances, exists, time found, mass status and if the wormhole was filled with baddies who wanted you dead.

Now, we have multiple to choose from. I'm going to show a hole in one of them. Isogen 5 up to the time of my leaving them, were using "Siggy" as their preferred WTS.  I hope to god they've stopped.

The problem:

The overall issue is a complex one that has many effecting parts. The primary one, EVE is at its heart is a diabolical test of space sociopaths to do ISK damages on others. One defense of that main goal is the invention of an API key.

API keys are a clever way for one pilot to give limited access to their accounts to another pilot. How much  money they have, who they send that money to, how many spaceships they've killed, who's spaceships they've killed, really really good information that can be verified, reviewed and confirmed. You're API key is your history, its your account and its everything it needs to be for someone (not you) to confirm all the information you've said is in fact, true.

Now WTS use API keys on a very limited scale. The software does a simple check of who you are, what corp you are in and with your permission, where you are. This is how they work. Super handy!!

Where in the ever changing string of wormhole connections are you, in relation to where you hang your hat, or in this case, where others hang their hats. This is the issue.

Let me walk you through an application process in most wormhole corps.

Corp #1 -- Lets call them HK (Heavenly Knobs, NOT Hard Knocks, seriously not Hard Knocks)

Applicant: Hi I want to join your wormhole corp.

Recruiter: Sure, send me your API so we can see how much of a spy you are.

Applicant: Ok here it is.  123UU0u0J)(**&080JFIJIEU)(*U)JEOJFJjIJFIEJNHNENB

Recruiter: (after reviewing and storing the API Key) Hmm, seems you're more of a space spy than we thought. Go ahead and get fucked.

Applicant: No problem, never liked you anyway

The process so far is a normal one, some people just aren't right for all corps, it happens. The applicant still wanting to get those dank Wspace kills simply moves to the next corp in the kill board list.

Corp #2 -- Lets call them I5 (Interesting 5 Guys, NOT Isogen5, Seriously)

Applicant: Hi, I want to join your wormhole corp.

Recruiter: Sure, send me your API so we can see how much of a spy you are.

Applicant: Ok here it is.  123UU0u0J)(**&080JFIJIEU)(*U)JEOJFJjIJFIEJNHNENB

The same API key that was sent to Corp #2, because lets be real here, who wants to make a new identical selection API key, each time you send it to a different recruiter. Its the same selections right? Same information... whats the big deal? Its just an account viewing method right, whats the harm?

Well with that API key, Corp #1 can go to  https://siggy.borkedlabs.com/ and log in to siggy with a different email address and the applicants API KEY, and see every single bit of information you/the corp have put on Siggy. They key here is the fact that Corp #2 is using Siggy as their paid WTS.

But thats crazy! There must be some sort of security preventing that right?!

According to this picture, the creator of siggy simply asks you nicely "Please do not use API keys that do not belong to you ". Sure, let me not violate my EVE space honor.  




Whats also interesting is I'm fairly sure it works with most other WTS out there. (someone other than me please test and respond). I'll be talking about this issue on the next DTP (downthepipe-wh.com), I would love to have you on the show.

Another fun thing you can do with API's, if that API is something other than just the normal verification API, its as something as dangerous as a "FULL API" those people can use that API to read your in game mails, out of game. Using an API checker to read your corp mails. Corp mails that may or may not contain other peoples API's that are sent to you during your long history in this game.  
What can we do?! The answer is "Not much'.

 Here are some suggestions to limit your exposure. All of them are totally unreasonable, and won't address the overall problem, but its all I got at this point.

 1. Remove every API key you have in the corp using a WTS.  Go to this link and delete/reconfigure every API key you have. This in all honesty should be done every 3 to 6 months in this game. Just make it a habit. Remember you might not give a shit about your travels in a chain, others in your corp you are exposing, may care.   --- If you have a spi already or soon to be in your corp, this won't make a lick of difference because they simply won't delete their APIs.

Worse, even if you ask to verify their API's are deleted, if they are a spi, they'll simply make a new one and send it to Heavenly Knobs, who may or may not have kept every single API key ever sent to them, inside both HK and PL (Panda Legacy, not Pandemic Legion, seriously) they are both totally different corps that don't share kill mails/members or anything. Then devious fellow with said API,  randomly inserted into Siggy. The life of that API key/person moving from one corp to another, spreading an security hole, like bad case of bleeding genital warts. 

2. Stop using Siggy. Siggy so far is the only one I've tested, but being able to access my chain outside of the game, while I'm logged into the game, without my knowledge its happening seems like a totally fked up system.  -- Again, if you have a spi already, simply switching to another WTS, won't do shit for you. The spi will simply give access to your information no matter what.

3. Without having a CCP protected log, each player could access, to know exactly how, when and which API key was used. Players have little to no control of an API key, the second its given to a 2nd party.

This is like that little evaluation you do with a stranger at a bar. How many and what kind of D's has this person handled... and how many D's have those people handled. (Off topic PSA: use protection every time, no matter what, seriously)

I'm sorry I don't have all the answers, when I do, I'll share them, but right now WTS with API key verification seems to be totally exposed, please enjoy sharing your chain with the world.