• Fyrex
    #36092
    It's pretty simple. When you first log in, there's an exchange between the server and your client:

    Server: Hi, who are you?
    Client: My username is Fred, and my password is IAmGod.
    Server: Ok, that checks out. Hi Fred. To avoid having this conversation again, you can just identify yourself by the identifier PinkPony next time.
    Client: Thanks!
    Client: Hey, server, this is PinkPony, can you show me my characters?
    Server: Sure, here they are ....

    In this case, 'PinkPony' is what's called a session identifier. It's used to avoid having to resend the username/password combo every time your machine talks to the server (which is really, really often, possibly on the order of multiple times per second). The current theory is that somehow, session identifiers are being exposed when you enter a public game, so that people with nefarious intent can see them, and start using them pretending to be you:

    NefariousDude: Hey, server, this is PinkPony, drop all my lootz on the floor bitch!
    Server: Sure, done!

    Session ids are usually more complicated than 'PinkPony' but not by much. Often they're a set of 128-1024 letters and/or numbers, either randomly generated (UUIDs) or derived from some input (hashed). Under the session spoofing theory, if true, you're extremely vulnerable if you play a public game, since your session id can be sniffed. But even if you aren't, it's possible to just throw things that look like session ids at the server and hope you've accidentally managed to come up with the session id of someone in a private game.
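The exchange described in the post above, written out as a small server-side session store. This is an added example, not part of the original post and not the game's actual code. The class and method names, the client-address binding, and the limits are assumptions chosen for illustration: ids come from a CSPRNG and expire, a valid id replayed from a different address is revoked, and a client that keeps presenting unknown ids is throttled.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    TTL = 900      # seconds before a session id expires (assumed value)
    MAX_BAD = 5    # unknown ids tolerated per client address before lockout (assumed value)

    def __init__(self, users):
        self.users = users    # username -> password; a real server stores password hashes
        self.sessions = {}    # sha256(session id) -> (username, client address, expiry)
        self.bad = {}         # client address -> count of unknown/expired ids presented

    @staticmethod
    def _key(sid):
        # Store only a digest so a leaked session table does not leak usable ids.
        return hashlib.sha256(sid.encode()).hexdigest()

    def login(self, username, password, client, now=None):
        now = time.time() if now is None else now
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        sid = secrets.token_urlsafe(32)    # 256 random bits from the OS CSPRNG
        self.sessions[self._key(sid)] = (username, client, now + self.TTL)
        return sid

    def resolve(self, sid, client, now=None):
        now = time.time() if now is None else now
        if self.bad.get(client, 0) >= self.MAX_BAD:
            return None                    # this address is throttled for guessing
        entry = self.sessions.get(self._key(sid))
        if entry is None or now > entry[2]:
            self.sessions.pop(self._key(sid), None)
            self.bad[client] = self.bad.get(client, 0) + 1
            return None
        if entry[1] != client:
            # Valid id presented from a different address: treat as stolen and revoke.
            del self.sessions[self._key(sid)]
            return None
        return entry[0]


if __name__ == "__main__":
    store = SessionStore({"Fred": "IAmGod"})    # constructed sample account from the dialogue
    sid = store.login("Fred", "IAmGod", "10.0.0.1")
    print(store.resolve(sid, "10.0.0.1"))       # legitimate client
    print(store.resolve(sid, "10.0.0.9"))       # same id replayed from another address
```

Address binding misfires when a legitimate user's address changes, so a mismatch is better treated as a trigger for re-authentication than as proof of theft.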