
Riot Games' 2FA implementation is inherently broken: the same code can be used multiple times.

The code is also emailed to you, and email is known to be an insecure channel. You do not have the option to use your own TOTP application to generate login codes.

Riot Games responded to a report saying that the system is "working as intended".

Lesson? Phish Riot accounts. They will do nothing to stop you.

Also, HackerOne is an absolute fucking joke.

"A 2FA bypass is not a bug because you'd need to know the username and password to use it"

uhhhhh folks what do you think 2FA is for?

@r000t this is the company which is confident about the rootkit they require you to install in order to play their games

@xerz HackerOne ticket I opened this morning.

I gotta give them props for the response time, but that's it.

@xerz iknorite?

They do offer a much larger bounty for anybody who can pop vgk.sys ("Vanguard"),

But at the same time, the exact same rubric says that "Logic flaw bugs leaking or bypassing significant security controls" in "Critical Riot infrastructure (game servers, services in the game loop, Riot accounts infrastructure)" pays between $1,000 and $10,000. I got zero, and was told that they won't even fix the problem.

So there very well could be bugs in Vanguard that Riot refuses to admit are bugs.

@xerz FWIW, any MDM/AD domain profiles I roll out specifically block the big "anticheat" drivers.

I get to hide behind "opaque kernel blobs bad for security lmao" and the companies get to hide behind "don't play video games on work issued equipment"

@lanodan Find out: Try to login twice, super quick, with the same code.

@r000t That one doesn't work, I had some Steam Guard tokens being refused because of greylisting.

But get just read access to the email account of someone and you get a password reset and you can get a token. (Unless maybe they have the app on their surveillance gameboy)

@lanodan Huh, that's weird. The reply from Riot said that *everyone* lets you reuse tokens. Discord was the example they gave.

Because Discord is just such a fucking bastion of internet security.

@lanodan @r000t it's at least TOTP.

Non-standard output but the idea is the same.

@a1ba @r000t
I looked a few times at getting the TOTP thing for Steam and a lot of the implementations made me either think they're malware (like how https://github.com/geekdada/steam-otp gives a curl|sh) or just horribly badly done.
And I don't want to risk being locked out at some point.

So Steam account security: same as the access to your email account.

@lanodan @r000t dunno, I use the Aegis Android app for that.

Pretty normal Java code.

@a1ba @r000t Well I don't have a smartphone and even then it wouldn't be Android.

@lanodan @r000t found out Rockbox has an OTP plugin...

I wonder if it supports Steam.

@r000t > Also, HackerOne is an absolute fucking joke.
as usual it is, unless you specifically pick the right programs :shrugz:
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.