Summary
The gameserver does not verify that the IP that created a game token is the same IP that later uses it. This is not normally a problem, since it is generally not possible to acquire another user's game token. However, on LBP1, 2, 3 and Vita, on both RPCS3 and PS3, it is possible to discreetly and invisibly (to both the user and the server) log anyone's token from in-game simply by joining them through Dive In or through the friends menu.
Details
Token.cs does not store the IP that created the token, and GameAuthenticationProvider.cs does not verify it.
PoC
Using a database viewer (or a patched copy of refresh), obtain a valid token and use it from another IP. All requests are allowed through, even though the IP has changed.
Impact
All gameserver users on LBP1, 2, 3 and Vita, on PSN and RPCN, are affected: their tokens can be logged and subsequently used to make requests as that user, with no intervention from the server.
Resolution
Link every game token to the user's public IP, and if a user tries to authenticate with it from another IP, return a 403 so the request is rejected. In real scenarios this causes the game to re-authenticate and retry, so it does not affect normal players on networks where the public IP may change in real time.
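One way to implement this binding, as an added example that is not Refresh's own code: the type and method names below are hypothetical, and the token record is assumed to keep the creating IP so every later request can be checked against it.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Hypothetical token record (not Refresh's Token.cs): it remembers the
// public IP that created it, so the creator and the user can be compared.
public sealed class GameToken
{
    public string TokenData { get; }
    public IPAddress CreatorIp { get; }
    public DateTimeOffset ExpiresAt { get; }

    public GameToken(string tokenData, IPAddress creatorIp, DateTimeOffset expiresAt)
    {
        TokenData = tokenData;
        CreatorIp = creatorIp;
        ExpiresAt = expiresAt;
    }
}

public enum TokenCheck { Ok, Unknown, Expired, IpMismatch }

// Hypothetical validator standing in for GameAuthenticationProvider.cs.
public sealed class GameTokenValidator
{
    private readonly Dictionary<string, GameToken> _tokens = new();

    public GameToken Issue(string tokenData, IPAddress creatorIp, TimeSpan lifetime)
    {
        var token = new GameToken(tokenData, creatorIp, DateTimeOffset.UtcNow + lifetime);
        _tokens[tokenData] = token;
        return token;
    }

    // Per request: the token must exist, be unexpired, and be presented from
    // the same public IP that created it. A logged token replayed from
    // elsewhere therefore fails on the IpMismatch branch.
    public TokenCheck Validate(string tokenData, IPAddress requestIp, DateTimeOffset now)
    {
        if (!_tokens.TryGetValue(tokenData, out var token)) return TokenCheck.Unknown;
        if (now >= token.ExpiresAt) return TokenCheck.Expired;
        if (!token.CreatorIp.Equals(requestIp)) return TokenCheck.IpMismatch;
        return TokenCheck.Ok;
    }

    // Any failure maps to the 403 the advisory recommends; the game then
    // re-authenticates and retries with a fresh token from its current IP.
    public static HttpStatusCode ToStatus(TokenCheck result) =>
        result == TokenCheck.Ok ? HttpStatusCode.OK : HttpStatusCode.Forbidden;
}
```

If the server sits behind a reverse proxy, the request IP must be taken from the proxy's trusted forwarded header rather than the socket, or every player appears to share the proxy's address and the check no longer distinguishes them.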