
I'm not a security engineer (though I wouldn't mind working in that industry). I'm just a curious guy who wanted to learn how Spore encodes its creatures within .png files (see previous post). As part of this (yet to be successful) research project, I wanted to download about 100 creatures for testing purposes. This led me to look into how the Sporepedia website works, and as the title of this post suggests, I found more than I was looking for. Apart from delivering creatures' pictures and names (as you can see in your own browser), Sporepedia also delivers some creatures' stats, such as their foot count and health, and their creators' email addresses.
Here's a little excerpt of what you get when you browse Sporepedia and look for the toad-like creature presented above (formatting is done by yours truly):
s5.assetId=500006865544;
s5.attackRating=4.0;
s5.author=s29;
s5.baseGear=0.0; s5.bite=2.0; s5.boneCount=45;
s5.carnivoreRating=1.0; s5.charge=2.0; s5.created=new Date(1217013619767);
s5.cuteness=53.332813; s5.dance=0.0; s5.description=null;
s5.featured=null; s5.footCount=4; s5['function']=s0;
s5.gesture=2.0; s5.glide=0.0; s5.grasperCount=0;
s5.health=2.0; s5.height=1.444589; s5.herbivoreRating=1.0;
s5.id=500006865544; s5.maxAttack=2.0; s5.maxSocial=2.0;
s5.meanness=13.0; s5.name="Rana"; s5.parentId=null;
s5.posture=0.0; s5.quality=null; s5.rating=-1.0;
s5.sing=1.0; s5.social=3.0; s5.spit=0.0;
s5.sprint=0.0; s5.status=s1; s5.stealth=0.0;
s5.strike=0.0; s5.tags=null; s5.thumbnailSize=27585;
s5.totalEvoPoints=665; s5.type='CREATURE'; s5.updated=new Date(1217013619767);
s29.avatarImage="thumb/500/006/462/500006462490.png";
s29.dateCreated=new Date(1216243320000);
s29.emailAddress="re****@hotmail.com";
s29.id=2264719288;
s29.lastUserAgent=null;
s29.name="monkey-milker";
s29.screenName="monkey-milker";
s29.subscriptionCount=0;
s29.tagline="drink enough monkey milk ";
s29.updated=new Date(1216638225588);
s29.userId=2264719288;
As you can see, there is a creature struct linked to a creator struct; the creator struct contains the email address of the user, censored by me. True, this is not a DNS poisoning scheme, but a malevolent party can easily mine those addresses for spam and phishing. I can imagine a phishing scheme where an email apparently coming from spore.com notifies you that you are able to buy your creature "Rana" a special power for a mere $2, all you have to do is give your credit card number.
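To make the structure of that response concrete, here is an added example (my own code, not part of the original post and not anything from Sporepedia or EA) that parses the "sN.field=value;" serialization shown above into an object graph, follows the s5.author reference to the s29 creator object, and then does what the website should have done server-side: flag and strip fields that have no business in a public creature listing. The field names are taken from the excerpt; the sample values, the placeholder address and the SENSITIVE_FIELDS set are my assumptions, and the grammar of the format is inferred from the excerpt alone.

```python
"""Parse a 'sN.field=value;' object-graph dump and check it for personal data.

Added example: the format grammar is inferred from the excerpt on the page,
and the sample below is constructed (placeholder address, not a real user).
"""
import re
from typing import Any

# Constructed sample in the same shape as the Sporepedia excerpt above.
SAMPLE = """
s5.assetId=500006865544; s5.author=s29; s5.name="Rana"; s5.type='CREATURE';
s5.footCount=4; s5.health=2.0; s5.cuteness=53.332813; s5.rating=-1.0;
s5.created=new Date(1217013619767); s5['function']=s0; s5.description=null;
s29.id=2264719288; s29.screenName="monkey-milker"; s29.lastUserAgent=null;
s29.emailAddress="user@example.com";
"""

# Assumed policy: fields that identify a person and must not leave the server.
SENSITIVE_FIELDS = {"emailAddress", "lastUserAgent"}


class Ref(str):
    """A bare object name on the right-hand side (e.g. s29): a pointer to another object."""


# One statement: object name, field in dot or ['bracket'] form, value, semicolon.
_STMT = re.compile(r"(s\d+)(?:\.(\w+)|\['(\w+)'\])\s*=\s*([^;\n]*);")


def _parse_value(raw: str) -> Any:
    """Turn one right-hand side into a Python value."""
    raw = raw.strip()
    if raw == "null":
        return None
    if len(raw) >= 2 and raw[0] in "'\"" and raw[-1] == raw[0]:
        return raw[1:-1]                      # quoted string
    m = re.fullmatch(r"new Date\((\d+)\)", raw)
    if m:
        return int(m.group(1))                # epoch milliseconds, kept as int
    if re.fullmatch(r"s\d+", raw):
        return Ref(raw)                       # reference to another object
    for cast in (int, float):
        try:
            return cast(raw)
        except ValueError:
            pass
    return raw                                # unknown literal: keep the text


def parse(blob: str) -> dict[str, dict[str, Any]]:
    """Build {object name: {field: value}} and wire references between objects."""
    objs: dict[str, dict[str, Any]] = {}
    for obj, dot_field, bracket_field, raw in _STMT.findall(blob):
        objs.setdefault(obj, {})[dot_field or bracket_field] = _parse_value(raw)
    for fields in objs.values():
        for field, value in fields.items():
            if isinstance(value, Ref) and value in objs:
                fields[field] = objs[value]   # s5.author now *is* the s29 dict
    return objs


def find_leaks(objs: dict[str, dict[str, Any]], sensitive=SENSITIVE_FIELDS):
    """List (object, field) pairs that carry a non-null sensitive value."""
    return sorted(
        (name, field)
        for name, fields in objs.items()
        for field, value in fields.items()
        if field in sensitive and value is not None
    )


def redact(objs: dict[str, dict[str, Any]], sensitive=SENSITIVE_FIELDS):
    """Drop sensitive fields in place; the shared dict means s5.author sees it too."""
    for fields in objs.values():
        for field in list(fields):
            if field in sensitive:
                del fields[field]
    return objs


if __name__ == "__main__":
    graph = parse(SAMPLE)
    print("creator of", graph["s5"]["name"], "->", graph["s5"]["author"]["screenName"])
    print("leaks before redaction:", find_leaks(graph))
    print("leaks after redaction:", find_leaks(redact(graph)))
```

The useful property here is that the reference is resolved to the same dictionary, so one redaction of s29 also cleans what the creature object exposes through s5.author; a test that runs find_leaks over a real response body would have caught this before the page went live.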
I've tried to notify EA about this issue, without success.
At first, I sent a mail to privacy_policy@ea.com, but their reply was:
We apologize, but emails regarding billing, account, technical, in-game, or Terms of Service violations or inquiries are not supported from this email address.
Please visit support.ea.com to view our knowledge base of frequently asked questions. If you are not able to find your answer there you may email the appropriate department by choosing the Ask a Question option at http://support.ea.com.
So I posted a question, or rather a warning, at http://support.ea.com, and got the following reply (after a bit of correspondence):
Hello,
Thank you for contacting us here at Electronic Arts Technical Support. You can post your concern on the spore forums at http://spore.com/forum so that the administrators of the website can provide you a direct answer since they are the ones managing the website.
Should you require further assistance about this or any Electronic Arts games in the future, please visit our website and review our extensive Self Help knowledgebase (http://support.ea.com).
Thanks!
However, since posting in that suggested forum required me to sign up as a Spore user, which in turn required me to risk my email address, I chose not to do so. And since posting to that forum would have made this issue public, I chose to make it public on my own turf.
Update: I encourage everyone reading this post to send a mail to EA or leave a comment in their support forums. Maybe en masse, our voices will be heard.
More Updates: Turns out that I do have an account for EA forums (they can be quite confusing for my puny mind). So I went on to register a complaint, but someone already beat me to it. If you are a spore user, and care about your email address, you should add a comment to that thread.
Last Update?: Meghan Kane McDowell, who is "Producer, Pollination & Web" at Maxis, has posted that a bug fix is ready and will be deployed in 24 hours. If that turns out to be true, I'll post a full disclosure on the bug tomorrow. You are welcome to stay tuned. - here it is