Thursday, January 8, 2015

What is... gamerDNA

gamerDNA
Find out what's happening in a game you're playing
January 7, 2015
Matthew Molyett
https://secsandcyber.blogspot.com

Executive Summary

This is a detailed look into the web application gamerDNA, which is a social networking website for video game players and games database. Data about the application was collected through a combination of manually browsing the web pages, inspecting URL structures, scraping pages through a Python spider script, and inspecting the application traffic recorded in WireShark and FireBug. Based on URL structures and file extensions, the backend of gamerDNA is Ruby on Rails and php. I confirmed my understanding of the interaction traffic by creating a Python module to allow interacting with the application through automation, which is available on GitHub. Connections to gamerDNA can be made over HTTPS, and most sensitive pages try to redirect to it, but the certificate is expired.

Why gamerDNA?

To select an application I wanted to inspect, I pulled an entry off of the English Wikipedia page “List of social networking websites.” My criteria was that the site be identified as fairly mature (gamerDNA was established September 2006), have a large user base (310,000), and be near the middle of the list when sorted on page ranking. (approximately in the middle) Candidate applications needed to be in English, something I’d never used, registerable, and have a general subject matter that I’d be familiar with (gamerDNA is listed with a focus of “Computer and video games”). Before looking into the site, I read the linked Wikipedia page. All the parenthetical details are as presented in the List. The player directory on the site claims 864,576 users.

Methodology and reason

During my initial review of gamerDNA, I browsed the site unauthenticated and only via HTTP in FireFox with FireBug in a Windows XP VM. By being in a XP VM, it minimized the network chatter that I was seeing on my host system’s WireShark capture. This set up allowed me to really dive into the network actions of the gamerDNA application and learn some new tricks for using WireShark to trace.
http.request.method == "POST"
Verifying what I believed though Python was also educational, as I had to learn about making POST requests and maintaining cookies. Also, the ‘requests’ module!

Public Application Functions

gamerDNA contains provides three primary functions, a directory of Games, a directory of Players, and "NOW" which is a feed of recent activity on the application, which is all browsable by the public. Most activity and information submitted by members is publicly visible, where only real name, gender, and age can be private.

Member Application Functions

As a social networking site, gamerDNA allows the posting general public statuses, statuses related to a game being played, sharing images (with or without association to a specific game), reviewing games, and associating games and gaming consoles with themselves. These pieces of data can be aggregated into a viewing feed, called the gamerCURRENT, by selecting Players or Games to Follow. Each Player has a main homepage at [PlayerHandle].gamerdna.com
A Gamer's profile consists of four pages
  1. A homepage with a status feed, recently played games, 'follower' information, and an avatar image
  2. A gamer biography page with Name, Sex, Age, gaming info, and gamerDNA account info (join data, last login, profile views)
  3. A games played page
  4. An image hosting page
Other functions available to members
  1. API key and /help/helix-api/
  2. private messaging at /private.php
  3. vbulletin Forums at /forums.php
  4. quiz at /quizzes/
  5. Warhammer Signatures at /warhammer-signature
  6. Warcraft Signatures at /wrath-of-the-lich-king-signature
  7. Guild hosting at /hosting/ **HTTPS only**
  8. Chat

Website Identity Information

  • Copyright Info: "gamerDNA®, Contents are Copyright 2006–2015 PLAYXPERT LLC and Live Gamer Inc. gamerDNA and the gamerDNA Logo are trademark and property of Live Gamer Inc."
  • DNS
>>nslookup gamerdna.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8
Non-authoritative answer:
Name:    gamerdna.com
Address:  208.88.178.16
  • WHOIS [Full details in Appendix A]
Registrant Organization: LIVE GAMER, INC.
Registrant City: NEW YORK
Registrant State/Province: NY
Registrant Postal Code: 10012
Registrant Country: US


  • GeoIP2 City
IP Address: 208.88.178.16
Location: Sunnyvale,California,United States,North America
Postal Code: 94089
  • Certificate Information

CN = *.gamerdna.com
OU = PositiveSSL Wildcard
OU = Domain Control Validated
Valid (10/10/2013 0:00:00 AM GMT) - (10/11/2014 23:59:59 PM GMT)
CA Issuers: URI: http://crt.comodoca.com/PositiveSSLCA2.crt
DNS Name: *.gamerdna.com
DNS Name: gamerdna.com
  • Interesting Geographic data

    • From the Terms of Service:
      • Choice of Law and Forum. The TOS and the relationship between you and GamerDNA shall be governed by the laws of the Commonwealth of Massachusettes without regard to its conflict of law provisions. You and GamerDNA agree to submit to the personal and exclusive jurisdiction of the courts located within the county of Middlesex, Massachussetts.
    • Server Hosting based on IP:
      • Sunnyvale,California
    • Domain Registration:
      • Registrant Organization: LIVE GAMER, INC.
      • Registrant City: NEW YORK
      • Registrant State/Province: NY

Security Issues [Full details in Appendix C]

  1. Website presents an expired certificate: This causes visitors to have to click through a browser warning about the identity of the site. If accessing the site requires a security click-through, users are less likely to notice a bad certificate being presented due to an ongoing Man In The Middle attack.
  2. Website allows account registration and login over HTTP: This causes a created account’s password / unsalted password md5 hash to be visible in network traffic. To disallow this would prevent HTTP-only users, but allowing it amplifies the already significant security risks of password reuse.  [Full packets in Appendix B]
  3. Website allows logged in users to navigate over HTTP: This causes the session cookies to be visible in network traffic. To disallow this would prevent HTTP-only users, but allowing it risks session hijacking.
  4. XXXXX Redirects to an attacker specified page
    1. SEE APPENDIX C
  5. Fields allow for static script injection
    1. SEE APPENDIX C
  6. Information leak in 403 Error Page
    1. SEE APPENDIX C
  7. Server software in use
    1. SEE APPENDIX C
  8. Registration page
    1. SEE APPENDIX C

Application functionality

The application functionality that I analyzed has been implemented in the gamerDNA class of spider.py. ( https://github.com/SecsAndCyber/py_gamerDNA/blob/master/src/spider.py )

Login Functions

  • login.php
  • logout?r=%s

Check Email

  • accounts/checkEmailUniquity.php?email=%s

Make Status Post

  • rails/profile/set_quote

Follow Games or Players

  • rails/profile/follow/%s
  • rails/profile/unfollow/%s
  • rails/game/follow/%s
  • rails/game/unfollow/%s

Associate or Review Games

  • dna/add_game/%d
  • dna/delete_game/%d
  • dna/game_update/%d

Update Biographical Information

  • rails/dna/save_info
  • rails/dna/update_location/?location=%s

Add or Remove Images


  • rails/dna/image_submit
  • rails/dna/image_delete/%d

Author's note: Full report with appendices possibly available. Contact me if you are interested.

No comments:

Post a Comment