wot-replays.org: Not all is well in replay land...
I made a rather long post on the forums, which can no longer be found; the moderators have hidden it so only moderators can see it. According to the mod who did the hiding, the issue has been bumped straight to Minsk for further investigation of my claims.
I've received a bunch of PMs and emails about what I talked about, and I think it's best if the information I posted stays in the open: it keeps a stick behind the door, and since the issue is public now it's best to just get it figured out in detail.
In case you don't know what I was talking about, here's a sort-of recap of my forum post...
tl;dr: It is possible, given the proper voodoo magic done to replay files, to read clan chat and private messages that were received while you were in battle.
I stumbled across this during one of my "replay spelunking" adventures. A little background here is required.
World of Tanks replay files are stored on your computer in a compressed and encrypted format. The only non-compressed and non-encrypted parts of the file are the pieces that replay sites like mine use to get their information out. Now, I remembered from a long time ago (0.7.1) that replays were compressed with zlib, so that answered the "what is the compression" question for 0.7.2+ replays as well; the encryption was still an open question. A full cryptanalysis was going to cost me way too much time, and while they're fun for a while, spending weeks on it wasn't what I had in mind.
Until a little birdy posted a URL to another blog where it was explained that the files are encrypted using the Blowfish algorithm - and it had the decryption key listed too. So with that information in hand, it didn't take very long to take a replay and strip it like a cheap hooker. What came out of a 600kb file was 3 megabytes of replay - and one of the first things I noticed about this unpacked replay was that it actually contains the complete World of Tanks version string! Hallelujah, praise the Lord, pass the ammunition, I've got a new feature for the site. And that's where the version numbers next to replays come from these days.
Then I got to thinking, you know, wouldn't it be cool to have an HTML5 minimap going with the map beeps and the chat and the .... And so I began mucking about with the unpacked replay data. One thing I noticed quickly is that it seemed to be the entire network stream that gets sent to your PC from the server while you are in a battle, since it contained many (and I do mean many) repetitive blocks of data that appear to be position updates. Then I stumbled across the first "see, there you go!" bit of data. Myself talking! Great, I thought, at least that info is there. So I figured hey, why the heck not, and proceeded to run many a spelunker's favorite tool: strings, a Unix command that extracts all printable text from a file and puts it on your screen.
So what I saw went something like this:
Interesting, isn't it? At least, it was, since that was something someone said in chat. So I kept on reading through it going "okay, that seems like the chat". Except it didn't tell me anything about whether it was sent to team or to all. I kept on reading until suddenly I saw this:
Wait a minute... I thought to myself. shotgun99 isn't in this match at all, but... he is in my clan! That's the point where I sat back, lit a cigarette, and told myself: "There is no way in hell they'd dump your clan chat in here, there's no nee.... osnap...". The "osnap" is when I realised that if your clan chat ends up in replay files, chances are good that your private messages end up going in there as well!
And that was a week ago. I spent a week pondering the question whether to send a bug report to WG, or go public. In the end I decided to go public. In the meantime (since yesterday), I've written some proof of concept code and integrated it with my parser, and parsing my own replay produces the following output:
Read that and check this out...
- #chat:channels/battle/team is your team chat channel
- #chat:channels/battle/common is the "everyone" channel
You notice the few entries near the bottom that say "unknown" for the channel? That's my clan chat. Now I'm lucky my clan isn't super talkative in chat since we do most of it on Teamspeak, and I'm lucky enough personally that I rarely have private conversations going (I use YM/MSN/Gtalk for that), but I can imagine that this is not something people would want to see.
To "exploit" this bug, you need the following:
- The ability to decrypt and unpack a replay file.
- The ability to write the code required to obtain the chat information from the unpacked replay.
All in all, if I had to rate this on a scale of difficulty from 0 being super easy and 10 being nearly impossible, this is a 5. Most developers that build tools for World of Tanks can most likely pull this off.
So, in essence, it is a pretty big data disclosure vulnerability.