NationStates confirmed a data breach after a player who reported a critical Dispatch Search vulnerability exceeded testing bounds, achieved remote code execution on the production server, and copied application code and user data. Exposed information likely includes email addresses, MD5 password hashes, IP addresses, UserAgent strings, and portions of telegrams; the site is rebuilding servers, upgrading security, and has reported the incident to authorities. #NationStates #DispatchSearch #MaxBarry #MD5 #RCE
Keypoints
- A player's report of a Dispatch Search bug escalated into unauthorized remote code execution on NationStates' production server.
- The attacker copied application code and user data, including email addresses, MD5-hashed passwords, IPs, and UserAgent strings.
- Telegrams (the game's private messaging) were likely partially exposed despite not being on the same server.
- The reporter had previously submitted vulnerability reports and held a Bug Hunter badge but was never granted privileged access.
- NationStates is rebuilding the production server on new hardware, conducting security audits, upgrading password security, and notifying authorities.
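The practical consequence of leaked MD5 password hashes, and one way a site can "upgrade password security" without asking every user to log in first, as an added example. This is not NationStates' code, and the page does not say how its hashes were stored or what the upgrade consists of; the example assumes unsalted MD5 (salting would only defeat the shared-lookup step below, not MD5's speed), uses a small constructed user table and wordlist, and picks PBKDF2-HMAC-SHA256 from the standard library as the stronger scheme with an assumed work factor.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Assumption: work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def md5_hex(password: str) -> str:
    """Plain MD5 of the password: the scheme the breach exposed."""
    return hashlib.md5(password.encode()).hexdigest()


def make_legacy_table(users: dict[str, str]) -> dict[str, str]:
    """Constructed stand-in for a leaked unsalted-MD5 user table."""
    return {user: md5_hex(pw) for user, pw in users.items()}


def crack_unsalted_md5(table: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Offline dictionary attack on an unsalted table.

    One MD5 per candidate word recovers every user who chose that word,
    because identical passwords produce identical hashes with no salt.
    """
    lookup = {md5_hex(word): word for word in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def wrap_legacy_hash(md5_digest_hex: str) -> str:
    """Upgrade a stored MD5 digest without knowing the plaintext.

    Stores pbkdf2(salt, md5(pw)) so the old digest alone is no longer
    usable as a fast lookup key; the md5 layer is removed at next login.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", md5_digest_hex.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-md5${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def hash_password(password: str) -> str:
    """Fresh record for a known plaintext: salted, iterated, no MD5 inside."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(record: str, password: str) -> tuple[bool, str | None]:
    """Check a password against either record format.

    Returns (ok, replacement_record). replacement_record is set only when a
    wrapped legacy record verified, so the caller can drop the MD5 layer now
    that the plaintext is in hand.
    """
    scheme, iters, salt_hex, dk_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    secret = md5_hex(password).encode() if scheme == "pbkdf2-md5" else password.encode()
    dk = hashlib.pbkdf2_hmac("sha256", secret, salt, int(iters))
    ok = hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare
    if ok and scheme == "pbkdf2-md5":
        return True, hash_password(password)
    return ok, None


if __name__ == "__main__":
    # Constructed sample data, not real accounts or passwords.
    users = {"alice": "password", "bob": "letmein", "carol": "password", "dave": "Q7!vr-9pLw#2"}
    leaked = make_legacy_table(users)
    print("cracked:", crack_unsalted_md5(leaked, ["123456", "password", "letmein", "qwerty"]))

    # Migrate every row in place, then simulate bob's next login.
    migrated = {user: wrap_legacy_hash(h) for user, h in leaked.items()}
    ok, replacement = verify_password(migrated["bob"], "letmein")
    if ok and replacement:
        migrated["bob"] = replacement
    print("bob record now:", migrated["bob"].split("$")[0])
```

The wrap step lets the whole table be rehashed in one offline pass, while the per-login rehash removes the MD5 layer over time; users who never return keep the wrapped form, which is still salted and slow to brute-force. A real migration would also force a reset for accounts already recovered by the attacker, since the dictionary step above shows that common passwords are effectively already known.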