Riot Games 2FA implementation is inherently broken: The same code can be used multiple times.
The code is also emailed to you, and email is known to be an insecure channel. You do not have the option to use your own TOTP application to generate login codes.
Riot Games responded to a report saying that the system is "working as intended".
Lesson? Phish Riot accounts. They will do nothing to stop you.
Also, HackerOne is an absolute fucking joke.
@r000t this is the company which is confident about the rootkit they require you to install in order to play their games
@xerz HackerOne ticket I opened this morning.
I gotta give them props for the response time, but that's it.
They do offer a much larger bounty for anybody who can pop vgk.sys ("Vanguard").
But at the same time, the exact same rubric says that "Logic flaw bugs leaking or bypassing significant security controls" in "Critical Riot infrastructure (game servers, services in the game loop, Riot accounts infrastructure)" pays between $1,000-$10,000. I got zero, and was told that they won't even fix the problem.
So there very well could be bugs in Vanguard that Riot refuses to admit are bugs.
@xerz FWIW, any MDM/AD domain profiles I roll out specifically block the big "anticheat" drivers.
I get to hide behind "opaque kernel blobs bad for security lmao" and the companies get to hide behind "don't play video games on work issued equipment".
@lanodan Huh, that's weird. The reply from Riot said that *everyone* lets you reuse tokens. Discord was the example they gave.
Because Discord is just such a fucking bastion of internet security.