Account Name Security

TLDR: If I know your email address, I can see all your account names. Snip This is not confirmed -Buldath Snip

Account names in Eve are a weird thing. In order to participate in receiving a character via the Bazaar you have to give someone else 1/2 of the information they need to login to your account. I made a ticket about changing this years ago, but it fell on deaf ears.

It was a welcomed feature when CCP introduced associating multiple Eve accounts with a single email. I use it for all my accounts. However, the issue with this feature is that it works even if you never verify the email for the new account.

In testing something with a new alpha account, I signed up using the same email I use for other alpha accounts. I received an email stating "We need to verify your email address before activating your EVE account.", which I never did. I then proceeded to log into the new account at https://secure.eveonline.com and, out of curiosity, clicked on "Other accounts sharing: email@email.com", and to my surprise I saw every account name.

The issue is that anyone who discovers or knows the email address you use for EVE Online can sign up a new account with your email and then see every account name you have attached to that email account. I consider this a security issue.

Account names, as stated above, are shared during Bazaar transactions (which is terrible), but now being able to see every account name that someone has feels very wrong and, in my opinion, opens up more accounts to possible breaches. A lot can be discovered based on some account names, and you’re opening up players to new attack vectors.

I’ve been told in my tickets to rest assured that this is really not a security concern, as usernames and email addresses are public information. I would hope the email addresses I use for Eve are not openly shared.

The simplest fix in my opinion is to disable the Other accounts sharing option until AFTER email verification has taken place. If I can prove I have access to this email address, then I can see all the other accounts associated with it.

The one helpful thing is that, as the owner of the email address, you will get a notification that a new account has been created using your email. You will know that someone else is doing this with your email; however, by that point they have already seen all your account names.

Just a few interesting scenarios I thought of that bad actors could take:

  1. Send an email impersonating CCP to the email in question, building confidence by stating all the account names (that you thought were private) to gain the user's trust.
  2. Attempting to impersonate the owner with CCP support, saying you lost access to the email account but you know all the account names (I assume CCP has protocols to protect against this).
  3. Start testing accounts to see which ones have 2FA enabled and which ones don’t, to attempt more breach tactics.
6 Likes
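The behaviour reported above and the fix the post proposes, modelled as an added Python example (not CCP's code, and the account store, account names and email address are constructed for illustration): an unverified signup can list every account on the email unless the listing is gated on verification, while the notification to the existing email holder fires either way.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    email: str
    email_verified: bool = False


@dataclass
class AccountStore:
    accounts: dict = field(default_factory=dict)       # name -> Account
    notifications: list = field(default_factory=list)  # (email, message)

    def register(self, name: str, email: str) -> Account:
        """Create an unverified account; warn existing holders of the email."""
        email = email.lower()
        if any(a.email == email for a in self.accounts.values()):
            self.notifications.append((email, f"new account {name!r} created"))
        acct = Account(name, email)
        self.accounts[name] = acct
        return acct

    def verify_email(self, name: str) -> None:
        self.accounts[name].email_verified = True

    def linked_account_names(self, requester: Account,
                             require_verified: bool) -> list:
        """Other account names on the requester's email. require_verified=False
        reproduces the reported behaviour; True is the proposed fix."""
        if require_verified and not requester.email_verified:
            return []
        return sorted(a.name for a in self.accounts.values()
                      if a.email == requester.email and a.name != requester.name)


def demo() -> dict:
    """Constructed scenario: two verified accounts, then an unverified signup."""
    store = AccountStore()
    for name in ("victim_main", "victim_alt"):
        store.register(name, "victim@example.com")
        store.verify_email(name)
    probe = store.register("probe", "victim@example.com")  # never verified
    return {
        "reported": store.linked_account_names(probe, require_verified=False),
        "fixed": store.linked_account_names(probe, require_verified=True),
        "notifications": [msg for _, msg in store.notifications],
    }
```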

:eyes:

*Strokes chin*

1 Like

I will pass this on.

2 Likes

Both things, the fact that you have to share the account name in character transactions AND the fact that you can see other account names outside of the customer support center login definitely ARE security issues. Thanks for bringing them up.

This needs to be closed ASAP.

Because if this is used for backtracking players in-game to IRL locations, this is not good.

Two factor authentication is probably going to be a mandatory thing very soon.

I.e. the email address being used to impersonate or create characters with someone else's information is bad enough, and it can tie into payment systems as well.

But if the email is known, back tracing can be used to find someone's location, or narrow it down to a certain point. Now VPN players might be more immune to this, but not 100%.

So it needs to be closed.

I have reached out internally to see if this is even an issue.

If I remember correctly, connected accounts are linked via more means of identification that are only visible to staff of CCP and their systems. It goes beyond the simple email on the account.

Meaning if someone from outside your environment created an account with your email, it only shows that one account.

That being said, I will close this as it discusses possible account security issues and possible discussion of exploits (if the issue appears to be as OP believes).

Thank you,
Buldath

1 Like