A loophole in the system allowed attackers to break into some players' accounts.
Recently, some Escape from Tarkov players were disconnected from the server. This sometimes happens, so at first it didn't raise any questions, but after reconnecting, they discovered that all progress had been deleted.
Users began to suspect that the EFT databases had been hacked. However, tech enthusiast Chilljones1125 explained that the cause was much simpler: Battlestate Games' security turned out to be very unreliable:
This is incredibly stupid and a huge security hole on the part of BSG. No data was compromised, nothing was disclosed. It's just a login bypass.
It turned out that the Steam (OpenID) authentication system did not properly verify the digital signature of the response returned by the Steam servers.
As a result, attackers could edit the account ID in the URL of the Steam response to that of the account they wanted to access. Two-factor authentication did not help.
Consequently, Escape from Tarkov players whose accounts were linked to Steam were affected.
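Added example (not from the article or from Battlestate Games): a relying-party check for a Steam OpenID 2.0 response that contrasts the weak pattern the article describes (reading the account ID straight from the return URL) with one that requires the identity fields to be signed and asks the provider to confirm the signature. The return_to URL, SteamIDs, nonce, handle, signature and the stand-in provider are all constructed.

```python
import re
from typing import Callable, Dict, Optional

STEAM_OP = "https://steamcommunity.com/openid/login"
STEAM_ID_RE = re.compile(r"^https://steamcommunity\.com/openid/id/(\d{17})$")
# Fields that must be covered by openid.sig; anything outside the signed list is client-controlled.
REQUIRED_SIGNED = {"claimed_id", "identity", "return_to", "response_nonce",
                   "assoc_handle", "op_endpoint"}

def naive_steam_id(params: Dict[str, str]) -> Optional[str]:
    """Weak pattern: trust claimed_id exactly as it arrived in the return URL."""
    m = STEAM_ID_RE.match(params.get("openid.claimed_id", ""))
    return m.group(1) if m else None

def verified_steam_id(params: Dict[str, str], expected_return_to: str,
                      check_auth: Callable[[Dict[str, str]], str]) -> Optional[str]:
    """Hardened pattern: accept the SteamID64 only after the provider confirms the signature."""
    if params.get("openid.mode") != "id_res" or params.get("openid.op_endpoint") != STEAM_OP:
        return None
    if params.get("openid.return_to") != expected_return_to:
        return None
    if not REQUIRED_SIGNED <= set(params.get("openid.signed", "").split(",")):
        return None  # identity is not covered by the signature
    if params.get("openid.claimed_id") != params.get("openid.identity"):
        return None
    if not (m := STEAM_ID_RE.match(params["openid.claimed_id"])):
        return None
    # Direct verification: POST the same fields back with mode=check_authentication.
    # check_auth is injected so this runs offline; in production it performs the HTTPS POST.
    reply = check_auth({**params, "openid.mode": "check_authentication"})
    return m.group(1) if "is_valid:true" in reply.splitlines() else None

# --- Constructed sample data (not real Steam traffic) ---
RETURN_TO = "https://game.example/auth/steam/callback"
GENUINE = {"openid.mode": "id_res", "openid.op_endpoint": STEAM_OP,
           "openid.claimed_id": "https://steamcommunity.com/openid/id/76561197960287930",
           "openid.identity": "https://steamcommunity.com/openid/id/76561197960287930",
           "openid.return_to": RETURN_TO, "openid.response_nonce": "2024-01-01T00:00:00Zabc",
           "openid.assoc_handle": "1234567890", "openid.sig": "c29tZXNpZw==",
           "openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}

def fake_check_auth(params: Dict[str, str]) -> str:
    """Stand-in for Steam's check_authentication: valid only if every signed field is untouched."""
    ok = params.get("openid.mode") == "check_authentication" and all(
        params.get(f"openid.{f}") == GENUINE[f"openid.{f}"]
        for f in params.get("openid.signed", "").split(","))
    return "ns:http://specs.openid.net/auth/2.0\nis_valid:%s\n" % ("true" if ok else "false")
```

With the genuine response both functions agree; with the account ID rewritten in the URL, the naive check returns the substituted ID while the verified check returns None.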