I am an “on-again, off-again” MTGO fan. Since the release of version 3, I have been pretty much 100% “off-again” due to some of the bugs and the really awful UI I’ve found. But one thing I did decide to do was purchase a trade bot to deal with my old collection that could potentially get me a couple hundred dollars that could be put to better use than merely sitting around in my account.
I purchased CBSBot. But I’m paranoid, so I tend to carefully watch what’s going on with network traffic when running a third-party application that has access to an account that, to me, is worth a little bit of money and time. Using Wireshark, I analyzed the http traffic by setting a filter on port 80 (“tcp.port == 80” in the filter field):
In version 1.29, I didn’t see any issues. Things were contacting the author’s server a bit too much for my tastes, but nothing dangerous seemed to be going on. I did, however, disable the connection to his server just to be safe. Who knows when something might pop up, right?
Well, when I got a hold of version 1.31, something did indeed pop up. Maybe it was in 1.30, but I can’t be sure since I never bothered downloading it. Anyway, immediately after launching the app, here’s what I saw in Wireshark:
For those who don’t see exactly what’s going on, the bot is requesting a PHP script called “licensemod.php”, and sending my bot’s name, “chado”, as argument “n”, and my (previous) password, “nowaydude”, as argument “t”. This means that script can do ANYTHING with the password. It could be just using it for internal auditing for all I know, but it could also be storing it for later use.
Well, I wasn’t really sure what to do at this point. The bot is working for me, and I know how to keep it from contacting the site, but what about others running the bot? I first looked at it as “not my problem”, but then I saw on the author’s site that he’s preparing a defensive strike of some kind. I don’t know his plans, but right now he’s put up this warning CLAIMING that some people are getting an illegal version of his bot that has a back door and that it’s stolen 7 accounts already. He’s claiming that the “real” bot is 100% safe and doesn’t have a backdoor password! In my mind the only possible plans he could have are to steal accounts and then say, “I did warn you guys about this.”
If you or somebody you know runs a bot for Magic Online, I urge you to TEST my theory. Download Wireshark and view the traffic. If that’s too complex, check out my instructions for spoofing my site as cardboostershop.com. By making the bot hit nerdbucket.com instead of cardboostershop.com, you can run the bot and then view that page again and see that the username and password you typed in were indeed sent directly to my server.
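If reading raw packets in Wireshark is tedious, the check above can be automated: copy each request out of “Follow TCP Stream”, and look for any parameter whose URL-decoded value equals your bot name or password. The script below is an added example written for this post; it is not part of CBSBot and not the bot author’s code. The parameter names n and t and the values chado / nowaydude come from the capture described above; the host names, paths and the second and third requests are constructed for illustration (the second one is a non-leaking control, the third shows the same check applied to a percent-encoded POST body).

```python
"""Flag HTTP requests that carry a known secret in a query string or form body.

Added example for this post, not CBSBot's or its author's code. Input is raw
HTTP request text as copied from Wireshark's "Follow TCP Stream" view.
"""
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic, one request per entry. The first request mirrors
# the licensemod.php request seen in the post; the host and the other two
# requests are assumptions made for this example.
CAPTURE = [
    (
        "GET /licensemod.php?n=chado&t=nowaydude HTTP/1.1\r\n"
        "Host: cardboostershop.com\r\n"
        "\r\n"
    ),
    (
        # Control case: same bot name, but a value that is not the password.
        "GET /version.php?n=chado&t=fixedstring HTTP/1.1\r\n"
        "Host: cardboostershop.com\r\n"
        "\r\n"
    ),
    (
        # Same secret, percent-encoded (%64 == 'd') and sent in a POST body.
        "POST /license.php HTTP/1.1\r\n"
        "Host: cardboostershop.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 26\r\n"
        "\r\n"
        "user=chado&key=noway%64ude"
    ),
]

# What we are looking for on the wire: label -> value.
SECRETS = {"bot name": "chado", "password": "nowaydude"}


def parse_request(raw):
    """Split one raw HTTP request into (method, path, host, params).

    params is a list of (name, value) pairs from the query string plus, for
    form-encoded POSTs, the body; parse_qsl undoes percent-encoding so that
    "noway%64ude" compares equal to "nowaydude".
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    ctype = headers.get("content-type", "")
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    return method, parts.path, headers.get("host", ""), params


def find_leaks(raw_requests, secrets):
    """Return (host, path, param_name, secret_label) for every parameter whose
    decoded value equals one of the secrets."""
    hits = []
    for raw in raw_requests:
        _method, path, host, params = parse_request(raw)
        for name, value in params:
            for label, secret in secrets.items():
                if value == secret:
                    hits.append((host, path, name, label))
    return hits


if __name__ == "__main__":
    for host, path, name, label in find_leaks(CAPTURE, SECRETS):
        print(f"{label} sent to {host}{path} as parameter '{name}'")
```

Running it prints the password hits for /licensemod.php (parameter t) and /license.php (parameter key); the version.php control request shows only the bot name. Anything that matches the password line is a request you want to block or fake out before typing a real password into the bot again.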
Obviously the first thing you should do is change your MTGO password.
UPDATE (2008-10-12): As I posted in comments below, 1.32 no longer sends the password, but instead a dummy string. The string is always the same no matter your username, password, or any other settings as far as I can tell.
At first I thought this was good news, but then I realized the other backdoors were probably still there. After some verification, I have discovered that there are indeed other backdoors:
- Several accounts can type in “pass” during a trade session, and the bot will send back your current password.
- Several accounts can type in “kill” during a trade session, causing your bot to log you out of MTGO. Combined with the “pass” command, this could be used to steal your password, log you out, and let the bot author log in.
- One account, “Galaphile”, gets autotransfer rights if you don’t specify an autotransfer account.
- One account, “WalkerBoh_”, gets autotransfer rights no matter what you do.
- I think a few accounts get insane levels of credits when they open a trade (no matter what credits.txt says), which makes them just as dangerous as the autotransfer accounts.