Vulnerability Disclosure — April 14, 2021

Ben Heidorn
Blockade Games

A few days ago, we started receiving reports that a handful of player accounts had their 2FA turned on without their knowledge. Upon investigation, we realized that these accounts had been targeted and hijacked by a rogue actor, and that the players had their custodial wallet inventories sent to the attacker’s wallet address. Any connected wallets are unaffected and completely safe.

Summary: The Neon District backend system was not breached, user information was not leaked, and the attack exploited a business logic flaw where an attacker could transfer assets after having already accessed a player’s account.

The fix to mitigate this issue is already implemented on Neon District: mandatory email two-factor authentication, or standard two-factor authentication, is now required before a player can perform any security-sensitive operation.

Immediate Actions:

1. We’ve added email 2FA and require email verification for every login session if a player doesn’t have standard 2FA enabled. This helps protect a player’s account from losing its assets if someone accesses the account, because the logged-in user must also have access to the player’s email account.

2. All accounts that we believe were affected have had their passwords reset and the actor’s 2FA removed. For any affected users, reset your password using the password recovery feature, and choose a unique password that you don’t use anywhere else.

3. All affected accounts have received double the equivalent NEON cost of the boxes purchased for all assets lost to account for potential differences in rarities and types of assets collected.

4. We are reaching out to all affected users by email with the details of this report and individual restitution.

Details:

The attacker did not breach any backend systems and did not access or collect private user information. No internal information and no user passwords or keys have been leaked. The attacker exploited a weakness in our business logic: once logged into a player’s account with that player’s credentials, an attacker could enable 2FA on the account and then move its assets without any further verification.
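As an added example (not Neon District’s code), the following sketch contrasts the pre-incident check, where a password-only session could do anything, with a step-up check of the kind the fix describes: security-sensitive operations are refused until the session has verified a second factor (an email code for accounts without standard 2FA), and that verification expires. The operation names, time limits and session structure are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
import hmac
import secrets

# Assumed policy values, not Neon District's.
SENSITIVE_OPS = {"enable_2fa", "disable_2fa", "transfer_assets", "change_email"}
CODE_TTL = 600       # an emailed code is valid for 10 minutes
STEP_UP_TTL = 900    # a verified factor covers the session for 15 minutes


@dataclass
class Session:
    user_id: str
    has_totp: bool                          # standard 2FA enrolled on the account
    pending_code: Optional[str] = None      # emailed one-time code awaiting entry
    code_issued_at: float = 0.0
    factor_verified_at: Optional[float] = None  # set by email-code or TOTP verification


def vulnerable_authorize(session: Session, op: str) -> bool:
    """Pre-incident logic: possession of a logged-in session authorizes every operation."""
    return True


def required_login_factor(session: Session) -> str:
    """Accounts without standard 2FA must verify by email code on every login session."""
    return "totp" if session.has_totp else "email"


def issue_email_code(session: Session, now: float) -> str:
    """Create a six-digit one-time code; the caller sends it to the account's email address."""
    session.pending_code = f"{secrets.randbelow(10**6):06d}"
    session.code_issued_at = now
    return session.pending_code


def verify_email_code(session: Session, submitted: str, now: float) -> bool:
    """Single-use, time-limited, constant-time comparison; marks the session as stepped up."""
    if session.pending_code is None or now - session.code_issued_at > CODE_TTL:
        return False
    ok = hmac.compare_digest(session.pending_code, submitted)
    session.pending_code = None          # burn the code whether or not it matched
    if ok:
        session.factor_verified_at = now
    return ok


def hardened_authorize(session: Session, op: str, now: float) -> bool:
    """Post-incident logic: sensitive operations need a recently verified second factor."""
    if op not in SENSITIVE_OPS:
        return True
    if session.factor_verified_at is None:
        return False
    return now - session.factor_verified_at <= STEP_UP_TTL
```

With this check in place, a session opened with leaked credentials alone can browse but can neither enroll its own 2FA nor transfer inventory.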

We are still determining the exact attack method used. However, by comparing the compromised email addresses against haveibeenpwned.com, we suspect that the attacker obtained a list of emails and cracked passwords leaked from other website breaches and tested a large set of leaked email and password combinations on Neon District looking for matches. The attacker then enabled 2FA on these accounts and sent the players’ inventories to their own external wallet.

The attacker’s Matic wallet: 0x69889ED4Fee392EE139fFD181aA72314202E4DC9

Conclusion:

We deeply regret the oversight that allowed an attacker to move player assets after obtaining the player’s login credentials. The introduction of email 2FA is the first step towards mitigating similar attack vectors, and we will continue to monitor the situation and investigate any further reports.

If you believe that you were affected, please reach out to me directly on Discord (cybourgeoisie) or by email (bheidorn@neondistrict.io) and I will help to resolve the situation.

Lastly, for all of our users, we strongly recommend that, in order to protect your accounts, you use a unique password for Neon District and, if you are able, enable 2FA on your account.

- Ben, CTO, Blockade Games


CTO of Blockade Games, game developer behind Neon District, Plasma Bears, and Pineapple Arcade.