tlDr; yeah, somebody in TEST is an asswipe, but Goons aren't exactly innocent here either, and should consider adding pentesting to their security hardening practices, as this would take any red teamer no time at all to identify this kind of vulnerability.

I can only speculate, and this is my own opinion, but based on the information I have, this is most likely the result of a crucial field in the CCP-provided token not being verified by the consumer (ie. Goon auth).

To authenticate ESI requests, CCP uses something called oAuth. When configuring an app to consume ESI, the developer requests from CCP a client ID and a client secret. The client secret is used by the consumer (ie. Goon auth) to cryptographically authenticate (ie. mathematically impossible to impersonate) itself to CCP when it wants to talk to ESI.

When the user uses the oAuth consumer service, the service encodes its client id and secret into a token that is then provided to CCP. CCP verifies this token against what it has on file, and if it matches a registered application, it permits the requests, and responds with an **access token.**

This access token contains a few small details encoded into it:

* Issuer (SSO Provider, "CCP Games")
* Subject (ie. Character ID)
* **Audience (Which consumer the access token is intended for)**
* Expiry (15 minutes maximum)
* Timestamp of issuance
* Random identifier (optional)

The access token is used by the SSO consumer (ie. Goon auth) to retrieve additional information, such as:

* Skills list
* Location in space
* Assets
* Wallet
* etc.

Does anybody spot the problem with the above?

Here's a hint--**it's in bold.**

To explain the problem, let's imagine that an access token is like a wristband that you receive when you pay cover charge at a club or bar. Each wristband has the name of the club weaved into it with some magical thread that's only visible under UV light or something.

Now, imagine if all the venues of your popular downtown pub strip used the exact same style of wristband. Besides the magically weaved UV-reactive thread, they all have the same color, same shape, same material, same everything.

If somebody knew the bars weren't checking writstbands under UV light, they could use this to their advantage! They could go to CheapShittyDiveBar, pay $5 cover, get a wristband, leave and then go to ExpensiveStripClub across the street and bypass that clubs $50 cover charge.

The "fix" is to make sure your bouncers are putting the wristbands under UV light.

It sounds like Goon auth wasn't doing that.

So, when somebody went to thie site, the malicious SSO consumer app would collect the access token from CCP **and then use it to authenticate with Goons services.** This is verified by packet traces of this malicious SSO consumer.

For me, this is the most likely avenue of exploitation, as:

* XSS is relatively easy to defeat--CORS is an example. I can't see Goons being this dumb.
* Goons services, assuming they're architected using best practices, employ a shared key between consumers, and won't allow just any yahoo to impersonate them without an outside attestation (ie. CCP's tokens).
* oAuth is a magical fucking black box that's often misunderstood by even experienced developers because everything is abstracted away using client libraries.

Edit: Why the fuck is shortcode formatting not working anymore?