CVE-2018-7295: Vulnerability in Final Fantasy XIV Allowing For Credential Theft Product Background: Final Fantasy XIV is a massively multiplayer online role-playing game (MMORPG) developed by Square Enix. Originally released in 2010, the title was initially shut down in 2012 and relaunched as "Final Fantasy XIV: A Realm Reborn" in 2013. It is currently available for PC, Mac, and PlayStation 4. Summary: Versions 4.21 and 4.25 of the PC version of Final Fantasy XIV are known to contain a vulnerability in the launcher application (ffxivlauncher.exe) that can be exploited by a man-in-the-middle attacker to steal user credentials for Final Fantasy XIV. It is possible that this vulnerability is also present in the Mac and PlayStation 4 versions of the application; however, these versions have not been tested. Technical Details: Vulnerability Type: Improper Enforcement of Message Integrity During Transmission in a Communication Channel (CWE-924) Known Vulnerable Versions: 4.21, 4.25 The launcher for Final Fantasy XIV (PC version) does not properly secure the login process. When executed, ffxivlauncher.exe requests a remote URL and renders the response inside the launcher application as part of the login process. Although this does result in a login page being transmitted via HTTPS, the initial URL is requested using HTTP. It is therefore possible for a man-in-the-middle attacker to intercept and alter the contents of the login page, allowing for theft of the victim's credentials without presenting any certificate warnings or other indicators that an attentive user might notice. In version 4.25, the following steps result in successful exploitation: 1) Intercept or redirect requests for the URL http://img.finalfantasyxiv.com/ft/version_4_0/scripts/common/global.js. 2) Replace the URL on line 42 of global.js (the line that begins with the string "LOGIN:") with a URL corresponding to a server controlled by the attacker. The URL used here will determine the contents of the login window in ffxivlauncher.exe. Successful exploitation will allow an attacker to silently redirect a victim to a fake login screen, allowing attacker to steal victim's username, password, and current one-time password (if one has been configured) when said victim attempts to log in to Final Fantasy XIV. Remediation: When Final Fantasy XIV is executed, any available patches are automatically download and installed. Therefore, no special action by the user is believed to be necessary at this time. Timeline: 2018-02-21: Contacted vendor. 2018-02-21: CVE-2018-7295 assigned. 2018-03-07: Vendor replied with statement that the vulnerability report had "been escalated to the appropriate department for further investigation". 2018-03-13: Vendor initiated contact, reiterating that the vulnerability report had "been forwarded to the appropriate department", but that they would not "give any updates in regards to this situation for security and privacy reasons" going forward. 2018-03-19: Observed that a fix had been attempted, but that the vulnerability was still present. Notified vendor that vulnerability remained. 2018-03-31: Vendor requested contact by telephone. 2018-04-02: Contacted vendor by telephone. Vendor confirmed that the information provided on 2018-03-19 had been forwarded to the appropriate team. 2018-04-23: Contacted vendor with offer to extend disclosure deadline until release of the 4.3 patch if necessary (as it was rumored at the time that it would be released on or shortly after May 22nd). 2018-05-01: Vendor responds with statement that they "have ensured that the correct parties are aware of the issue", but that they are unable to provide further information related to resolution of vulnerability. 2018-05-22: Patch 4.3 released by vendor. Although a fix is not explicitly listed in the patch notes, the vulnerability appears to no longer be present. 2018-05-23: Advisory published. Credit: This vulnerability was discovered by Leo Tokarski (leoctokarski@gmail.com). Copyright: This advisory is released under the Creative Commons Attribution 4.0 International License (CC-BY-4.0). Further information about this license can be found at https://creativecommons.org/licenses/by/4.0/.