
I'm not a security engineer (though I wouldn't mind working in that industry). I'm just a curious guy who wanted to learn how Spore encodes its creatures within .png files (see previous post). As part of this (yet to be successful) research project, I wanted to download about 100 creatures for testing purposes. This led me to look into how the Sporepedia website works, and as the title of this post suggests, I found more than I was looking for. Apart from delivering creatures' pictures and names (as you can see in your own browser), Sporepedia also delivers some creatures' stats, such as their foot count and health, along with their creators' email addresses.
Here's a little excerpt of what you get when you browse Sporepedia and look for the toad-like creature presented above (formatting is done by yours truly):
s5.assetId=500006865544;
s5.attackRating=4.0;
s5.author=s29;
s5.baseGear=0.0; s5.bite=2.0; s5.boneCount=45;
s5.carnivoreRating=1.0; s5.charge=2.0; s5.created=new Date(1217013619767);
s5.cuteness=53.332813; s5.dance=0.0; s5.description=null;
s5.featured=null; s5.footCount=4; s5['function']=s0;
s5.gesture=2.0; s5.glide=0.0; s5.grasperCount=0;
s5.health=2.0; s5.height=1.444589; s5.herbivoreRating=1.0;
s5.id=500006865544; s5.maxAttack=2.0; s5.maxSocial=2.0;
s5.meanness=13.0; s5.name="Rana"; s5.parentId=null;
s5.posture=0.0; s5.quality=null; s5.rating=-1.0;
s5.sing=1.0; s5.social=3.0; s5.spit=0.0;
s5.sprint=0.0; s5.status=s1; s5.stealth=0.0;
s5.strike=0.0; s5.tags=null; s5.thumbnailSize=27585;
s5.totalEvoPoints=665; s5.type='CREATURE'; s5.updated=new Date(1217013619767);
s29.avatarImage="thumb/500/006/462/500006462490.png";
s29.dateCreated=new Date(1216243320000);
s29.emailAddress="re****@hotmail.com";
s29.id=2264719288;
s29.lastUserAgent=null;
s29.name="monkey-milker";
s29.screenName="monkey-milker";
s29.subscriptionCount=0;
s29.tagline="drink enough monkey milk ";
s29.updated=new Date(1216638225588);
s29.userId=2264719288;
As you can see, there is a creature struct linked to a creator struct, and the creator struct contains the email address of the user (censored by me). True, this is not a DNS poisoning scheme, but a malevolent party can easily mine those addresses for spam and phishing. I can imagine a phishing scheme where an email apparently coming from spore.com notifies you that you can buy your creature "Rana" a special power for a mere $2; all you have to do is give your credit card number.
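The leak in the excerpt above is a serialization problem: the creator record is emitted whole, so whatever the server holds for that user reaches every browser that asks for the creature. As an added example (not code from this post, and not EA's or Maxis's code), here is a small JavaScript parser for that sN.field=value; response format, an audit that flags fields a public endpoint should not return, and the allowlist-style view a server-side fix would serialize instead. The sample response, the sensitive-key list and the allowlist are my assumptions, modelled on the excerpt.

```javascript
// Added example (not from the original post, nor EA/Maxis code).
// The Sporepedia response is a series of "sN.field=value;" JavaScript
// statements. This parser rebuilds the object graph, audits it for fields a
// public endpoint should not expose, and shows the allowlist a server-side
// fix would serialize instead. The sample data below is constructed.

const SAMPLE_RESPONSE = `
s5.assetId=500006865544; s5.author=s29; s5.footCount=4; s5.name="Rana";
s5.type='CREATURE'; s5.created=new Date(1217013619767); s5.description=null;
s5['function']=s0;
s29.id=2264719288; s29.screenName="monkey-milker"; s29.tagline="drink enough monkey milk";
s29.emailAddress="user@example.com"; s29.lastUserAgent=null;
`;

// Field names that must never be in a public creature/creator response
// (assumed list: emailAddress is PII, lastUserAgent is a browser fingerprint).
const SENSITIVE_KEYS = ['emailAddress', 'lastUserAgent'];
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

// Convert one right-hand side into a JS value. Object references such as
// s29 are recorded in `refs` and resolved once every object has been seen.
function parseValue(raw, id, key, refs) {
  if (raw === 'null') return null;
  if (/^s\d+$/.test(raw)) { refs.push({ id, key, target: raw }); return undefined; }
  const date = raw.match(/^new Date\((\d+)\)$/);
  if (date) return new Date(Number(date[1]));
  if (/^-?\d+(\.\d+)?$/.test(raw)) return Number(raw);
  if (/^(["']).*\1$/.test(raw)) return raw.slice(1, -1);
  return raw; // unknown token: keep the literal text
}

// Parse "sN.field=value;" and "sN['field']=value;" statements.
// Limitation: string values containing ';' are not handled.
function parseDwr(text) {
  const objs = {};
  const refs = [];
  const re = /(s\d+)(?:\.(\w+)|\['(\w+)'\])=([^;]*);/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const id = m[1];
    const key = m[2] || m[3];
    if (!objs[id]) objs[id] = {};
    objs[id][key] = parseValue(m[4].trim(), id, key, refs);
  }
  for (const { id, key, target } of refs) {
    objs[id][key] = objs[target] || null; // dangling reference -> null
  }
  return objs;
}

// Report every object.field that is on the sensitive list or holds an
// email-shaped string, whatever the field happens to be called.
function auditForPii(objs) {
  const findings = [];
  for (const [id, obj] of Object.entries(objs)) {
    for (const [key, value] of Object.entries(obj)) {
      const byName = SENSITIVE_KEYS.includes(key);
      const byValue = typeof value === 'string' && EMAIL_RE.test(value);
      if (byName || byValue) findings.push(`${id}.${key}`);
    }
  }
  return findings.sort();
}

// The fix on the server side: build the public view from an explicit
// allowlist instead of serializing the whole creator record.
const PUBLIC_CREATOR_FIELDS = ['id', 'screenName', 'avatarImage', 'tagline'];
function publicCreatorView(creator) {
  const view = {};
  for (const k of PUBLIC_CREATOR_FIELDS) {
    if (k in creator) view[k] = creator[k];
  }
  return view;
}

const graph = parseDwr(SAMPLE_RESPONSE);
console.log('leaked fields:', auditForPii(graph));
console.log('public creator view:', publicCreatorView(graph.s5.author));
```

The audit matches both by field name and by value shape, so a renamed field that still carries an address is caught; the allowlist goes the other way and lets nothing out that was not deliberately listed, which is the property the original endpoint lacked.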
I've tried to notify EA about this issue, without success.
At first, I sent a mail to privacy_policy@ea.com, but their reply was:
We apologize, but emails regarding billing, account, technical, in-game, or Terms of Service violations or inquiries are not supported from this email address. Please visit support.ea.com to view our knowledge base of frequently asked questions. If you are not able to find your answer there you may email the appropriate department by choosing the Ask a Question option at http://support.ea.com.
So I posted a question, or rather a warning, at http://support.ea.com, and got the following reply (after a bit of correspondence):
Hello,
Thank you for contacting us here at Electronic Arts Technical Support. You can post your concern on the Spore forums at http://spore.com/forum so that the administrators of the website can provide you a direct answer since they are the ones managing the website.
Should you require further assistance about this or any Electronic Arts games in the future, please visit our website and review our extensive Self Help knowledgebase (http://support.ea.com).
Thanks!
However, since posting in that suggested forum required me to sign up as a Spore user, which in turn required me to risk my email address, I chose not to do so. And since posting to that forum would have made this issue public, I chose to make it public on my own turf.
Update: I encourage everyone reading this post to send a mail to EA or leave a comment in their support forums. Maybe en masse, our voices will be heard.
More Updates: Turns out that I do have an account for the EA forums (they can be quite confusing for my puny mind). So I went on to register a complaint, but someone already beat me to it. If you are a Spore user and care about your email address, you should add a comment to that thread.
Last Update?: Meghan Kane McDowell, who is "Producer, Pollination & Web" at Maxis, has posted that a bug fix is ready and will be deployed in 24 hours. If that turns out to be true, I'll post a full disclosure on the bug tomorrow. You are welcome to stay tuned. - here it is
Interesting. And I almost signed up for Sporepedia. How exactly do you find all that information in the png file?
I suggest you sign up with a throwaway email address of some kind (gmail etc) and try a little harder to let them know, since this is kind of a big deal. After a bit of stumbling around I worked out how to do it as well, so you can bet others will in short order.
Good work on finding the flaw. :)
That's just typical for EA when it comes to contacting them. They don't really have support or contact addresses, and if you try to contact them a standard reply like that slaps you in the face.
I tried to contact them about several things and issues, it's just not possible. Even if you have a good idea, a concept for a game or are just in need of some support on a game -> you're lost.
So let's just cross our fingers that they look it up, otherwise.... happy phishing ^
I have some contacts inside EA and emailed them about this message. Also said I didn't expect an answer back, they have to check it all out of course.
Is this problem since the last Sporepedia update last Saturday? Or longer?
@Hiki:
The issue was found about two weeks ago, and was seen to be there on Friday. Maybe the last update on Saturday solved it (if so, good for EA! It only took making this issue public).
I'll check it in the evening (which for me is 8 hours away) and will report back.
OK: let's hope it's fixed.
This leak problem is also mentioned on the US forums so the SporeMasters must have seen it and hopefully did something about it in the Saturday update of Sporepedia.
I was able to reproduce the issue 5 minutes ago on the US site, it still exists.
Yep, the issue is still there, but supposedly it would be fixed by tomorrow.
This is your last chance to find out the email addresses of Maxis employees, or of that cute girl that uploaded that bunny yesterday.
It is fixed now, the Firebug sale is over.
Spore needs to be more secure with the email addresses of its users.