Hello everyone,
We want to address a serious issue that recently came to our attention. In the interest of transparency, we believe it is crucial to share the following information with you and outline the steps we are taking to address it.
We have identified and resolved an issue involving some of our penguin accounts. A third party abused a bug in our queue system to trick the server into allowing them to perform actions on user accounts, such as modifying igloos, by spoofing the username. It’s important to note that NO USER DATA WAS COMPROMISED. Your emails, passwords, and other sensitive information are all safe and could not be accessed by this third party.
The scope of this incident was limited to in-game actions. The third party was observed modifying igloos, changing outfits, modifying outfit slots, playing minigames and adopting puffles alongside leaving puffles to run to the wild. These are all actions that our support team can assist in rectifying.
Our primary focus is to ensure that such issues do not happen again. While the bug has been addressed and resolved, we have temporarily removed the queue system as a precautionary measure and are working on new internal features to improve our ability to swiftly resolve any in-game issues that may arise in the future.
We deeply apologize for any inconvenience this may have caused and are committed to maintaining the security and integrity of your Penguin experience. If you have encountered any problems related to this issue, please reach out to our support team. We are here to help with any adjustments needed, such as fixing igloos or restoring outfits, and will do everything we can to make things right, treating any potential issues with the utmost importance.
Technical Details
When a server, such as Blizzard, became full, it would automatically add users to the queue, allowing them to be added to the game server when space became available. Unfortunately, due to an oversight, if a user was already in the game server, the queue would not disconnect them.
When authorising to the game server, a packet is sent containing a username, which is trusted. This is normally okay, as we have prevention in place to disallow users from authenticating multiple times and to disconnect failed attempts. However, the queue did not account for this, allowing a user to send this authorisation packet multiple times and effectively become that user.
If this was done in a specific order, it would allow a user to send the queue a fake username naming an online player, and when that player was sent into the game, they would become the penguin named in the specially crafted packet. This allowed a third party to essentially become a different user’s penguin without ever having access to their email, password, or session tokens. There was also no way for this third party to obtain this information after becoming the target penguin, ensuring that no private information, such as emails or hashed passwords, was ever seen by the third party.
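As an added illustration (not CPJ's code), the following sketch of a queue-to-game handoff shows the defensive pattern that closes this class of bug: the server resolves the player's identity from its own login session rather than from the username field in the authorisation packet, refuses duplicate authentication for an already-online player, and re-checks the binding when a queued player is admitted. Class and method names, the capacity value, and the session tokens are assumptions for the example.

```python
import secrets


class GameServer:
    """Toy game server with a join queue (illustrative, not CPJ's implementation)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.sessions = {}   # token -> username, created at login from verified credentials
        self.online = {}     # username -> token of the connection currently in-game
        self.queue = []      # (username, token) pairs waiting for a free slot

    def login(self, username):
        # Stands in for the real credential check; the token is the only thing
        # the client must present later, and it is bound server-side to a username.
        token = secrets.token_hex(8)
        self.sessions[token] = username
        return token

    def join(self, token, claimed_username):
        # Hardened handoff: identity comes from the session, never from the packet.
        actual = self.sessions.get(token)
        if actual is None or actual != claimed_username:
            return "rejected: username does not match session"
        if actual in self.online:
            return "rejected: already online"   # no second authentication for a live player
        if len(self.online) >= self.capacity:
            if all(u != actual for u, _ in self.queue):
                self.queue.append((actual, token))  # queue the verified identity only
            return "queued"
        self.online[actual] = token
        return "joined"

    def admit_from_queue(self):
        # Re-validate on admission: the token must still belong to this username,
        # and the player must not already be in-game (the check the old queue skipped).
        admitted = []
        while self.queue and len(self.online) < self.capacity:
            username, token = self.queue.pop(0)
            if self.sessions.get(token) != username or username in self.online:
                continue
            self.online[username] = token
            admitted.append(username)
        return admitted

    def disconnect(self, username):
        self.online.pop(username, None)
```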
Our Response
Upon learning of this activity, the CPJ team took swift action in shutting down the game server to the public, only allowing staff members to join. This specific exploit did not affect any staff accounts, as they automatically skip the queue.
The CPJ team began investigating this incident and quickly uncovered the exploitation of the queue server. However, we were not certain of the exact steps involved at the time, so we could not be certain that this issue would not arise again, and we only brought the servers back online once we were 100% sure that this was the root cause. We did fix this issue early on, but understandably wanted to be sure that this could not happen again, hence the delay.
Our communication during this time was within our Discord server, and an official announcement was not made in a timely manner. We apologise for this, and we will work hard to ensure that if any incident occurs in the future, we communicate in a more effective way.
Our Actions
After discovering the root cause, a fix was put in place. We have temporarily removed the queue system, and this will now cause a player to disconnect if the server is full. We will be creating an all new queue system, as even though we know the root cause, we would like to overhaul the system.
As the third party had performed various actions on accounts, we attempted to remove all actions that could be easily removed. We could not undo all of the third party's actions automatically, so we ask that you be patient and give us time to undo these actions manually. We encourage all users to report anything unusual to our support team, who will be able to help you in undoing these actions.
We have also reset all user sessions. You may see an error relating to this when signing in. This was done as a security precaution, as we do not want to risk this third party being able to regain access to any penguins. If you do get this error, we recommend clicking the “Forget my Penguin” button and signing in again. A password reset is not required, as no passwords were accessed.
We have gone ahead and given every penguin on the island an additional 100,000 coins to compensate for this issue and downtime. We apologise greatly for this, and strive to ensure that this will not happen again.
– The Club Penguin Journey Team