Response to the Project Altis password logging "PSA"

Two days ago, a PSA was posted alleging that Project Altis was logging raw usernames and passwords. This is a personal response from me and does not speak for the Project Altis team.

In case the PSA goes down, here is an archive link of the post.

What follows is a bullet-point list quoting the claims made in the post, each followed by my answer to it.

  • Yesterday, on 14 September 2017, the Project Altis servers were compromised using a zero-day RDP exploit (which was patched a while ago, just mentioning). Thanks to this, I have acquired the game source code, as well as the MongoDB game database.

There is a logical mistake in his wording here. A zero-day exploit, by definition, targets a vulnerability that nobody else has discovered or acknowledged yet, while he says in the same sentence that it was fixed a while ago. As for the RDP exploit he might actually mean, the only one released recently is EsteemAudit, which only affects Windows XP and Windows Server 2003; the Altis game server runs neither.

  • Fret not, though, for my intentions are not malicious. These will not be released to the public, unless those who own Altis's servers continue to do what I'm about to discuss further down.

Your intentions are clearly malicious, as shown by the Streamable video you posted of yourself logging into toon accounts and running commands as Dev accounts.

  • PLEASE move to Linux. Don't install all kinds of useless software on Windows. Do you even know what kind of services you are running? You're halfway there.

Yes, we're fully aware of the services we're running. The server is hardened and protected by our server host.

  • UPDATE your software! You are stuck on software that is TWO years old! That is completely unacceptable. Even your OS is outdated.

Our software is fully up to date with the stable major releases of everything we use. Security updates are installed as soon as they are released.

  • CHANGE your API keys often! Leaks of other nature can seriously diminish your live security measures.

While it was an oversight that we did not change the API keys after staff recently left the team, we do rotate our API keys regularly to prevent incidents like this.

  • Security through obscurity is NOT a solution! Only allow the server to use server APIs.

Most APIs used by the server also have to be run by our developers, who run local servers to test new features. In light of recent events we will be overhauling the API<->Server infrastructure in the near future.

  • Run your servers in containers. If one server gets compromised, not all servers have to be.

Our servers are already separated, even across different hosts. If one server is compromised, none of the others are: all traffic between them runs over SSL, and no SSH/FTP credentials are stored on the servers.

  • Listen to suggestions.

You probably don't know this, since you seem like the type of person who gets banned from any Discord server you didn't create, but we recently launched a suggestions channel in our Discord, along with a separate channel that tracks which suggestions have been implemented.

  • Get somebody competent and easily trusted to handle the servers. I will get to this in just one moment.

Who do you suggest? You, hiding behind a throwaway account?

  • All passwords on Altis have been logged since January 2017, plain text as it went through the web server, and through one certain third party log collection service.

We have logged no passwords since January. Since we switched to POST-based logins, no POST data has been, or can be, logged.

  • Previously, many of you have heard that Project Altis used GET-style authentication through HTTP earlier this year. All GET requests are server logged by default. While these accusations were thought to be unfounded back then, evidence found yesterday proves that this has been done deliberately.

Yes, GET requests are logged, and so are POST requests, but the access log does not record the body of a POST request (which is where the username and password are sent). Using GET was not deliberate at the time; it was an oversight, and it was easier to implement at the start.

  • Adding this line into the nginx config - Project Altis is using nginx on Linux - will trigger collection of all POST data, including passwords.

The line you linked does log POST data, but only on nginx. We have only ever used apache2 as our web server. To prove this, I spun up an Ubuntu instance on AWS alongside the Altis server to show the difference between nginx and apache2.

As further proof, here is the Altis apache2 configuration:

root@projectaltis:~# ls -l /etc/apache2/sites-available/000-default.conf
-rw-r--r-- 1 root root 1164 Sep  7 20:53 /etc/apache2/sites-available/000-default.conf
root@projectaltis:~# cat /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
        ServerName projectaltis.com
        ServerAlias www.projectaltis.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
        <Directory /var/www/html>
                AllowOverride All
        </Directory>
        <Location /blog>
                RequestHeader unset Accept-Encoding
                AddOutputFilterByType SUBSTITUTE text/html
                AddOutputFilterByType SUBSTITUTE text/xml
                Substitute "s|projectaltisblog.wordpress.com|projectaltis.com/blog/|i"
                Substitute "s|class=\"site-info\"|class=\"site-info\" hidden|i"
                Substitute "s|s2.wp.com/i/favicon.ico|projectaltis.com/favicon.ico|i"
        </Location>
        RewriteEngine on
        RewriteRule ^/blog$ /blog/ [R]
        ProxyRequests Off
        SSLProxyEngine on
        ProxyPass /favicon.ico !
        ProxyPass /blog/favicon.ico !
        ProxyPass "/blog/" "https://projectaltisblog.wordpress.com/"
        ProxyPassReverse "/blog/" "https://projectaltisblog.wordpress.com/"
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

The blog proxy at the bottom lets us serve our developer blog at https://projectaltis.com/blog so that it looks more elegant and keeps the Altis favicon.

The only explanation I can think of for why they thought we use nginx is that the Server response header always says nginx, because we are proxied through Cloudflare.
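The distinction drawn above (a GET login puts the credentials in the request line, which the access log records; a POST body is not recorded by a stock CustomLog) can be checked and cleaned up mechanically. Apache's LogFormat has no directive for the request body, so capturing it needs an extra module such as mod_dumpio or mod_security, whereas on nginx a log_format that references $request_body does it in one line. The script below is an added example written for this page, not Altis code: it parses access-log lines in the same combined format the configuration above uses, flags any request whose query string carries a credential-like parameter name, and produces a redacted copy of each line that can be kept or shipped to a log collector without the secret. The log lines are constructed for the example, and the list of sensitive parameter names is an assumption to adapt to the application's login and register handlers.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample lines in Apache "combined" format (illustrative, not real Altis logs).
# Line 1 and 3 are GET-style logins/registrations: the secret is in the request line.
# Line 2 is a POST login: the body never reaches the access log.
# Line 4 has the word "password" only in a parameter *value*, so it must not be flagged.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [14/Sep/2017:20:53:01 +0000] "GET /api/login?username=alice&password=hunter2 HTTP/1.1" 200 512 "-" "AltisClient/1.1"
203.0.113.7 - - [14/Sep/2017:20:53:05 +0000] "POST /api/login HTTP/1.1" 200 512 "-" "AltisClient/1.1"
198.51.100.9 - - [14/Sep/2017:20:54:11 +0000] "GET /api/register?user=bob&pass=s3cret&email=b%40example.com HTTP/1.1" 201 88 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Sep/2017:20:55:00 +0000] "GET /blog/?s=password+reset HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Fields of the combined format up to the response size; referer and user agent are ignored.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed list of parameter names that should never appear in a query string.
SENSITIVE_PARAMS = {"password", "pass", "passwd", "pwd", "token", "playtoken",
                    "api_key", "apikey", "secret"}


def parse_combined(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def credential_leaks(log_text):
    """Return (ip, method, path, [sensitive param names]) for every request
    whose query string carries a credential-like parameter name."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                 if k.lower() in SENSITIVE_PARAMS]
        if names:
            leaks.append((rec["ip"], rec["method"], parts.path, names))
    return leaks


def redact_line(line):
    """Return the line with the values of sensitive query parameters replaced by REDACTED.
    Lines without a query string are returned unchanged."""
    rec = parse_combined(line)
    if rec is None:
        return line
    parts = urlsplit(rec["target"])
    if not parts.query:
        return line
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    new_target = parts._replace(query=urlencode(pairs)).geturl()
    return line.replace(rec["target"], new_target, 1)


if __name__ == "__main__":
    for ip, method, path, names in credential_leaks(SAMPLE_ACCESS_LOG):
        print(f"{ip} {method} {path}: credential parameter(s) {names} in query string")
    print("--- redacted copy ---")
    for line in SAMPLE_ACCESS_LOG.splitlines():
        print(redact_line(line))
```

The match is on parameter names, not values, which is why the blog search for "password reset" is not reported while the GET login and the GET registration are. Redaction keeps the evidentially useful parts of the line (client address, time, path, status) and removes only the secret, so it is the step to run before logs are retained or forwarded to any third-party collector.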

  • Analyzing these logs, I have found that every password login/register attempt is logged, plain text and unhashed. The databases still save the passwords with bcrypt hashing, in an attempt to trick any security auditors.

Since we do not log POST data, he could not have looked at any POST data. The database uses the default Laravel authentication service provider, which hashes and salts passwords on every login and register attempt; nowhere do we use bcrypt.
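A related check applies to the database itself. Laravel's default Hash driver is bcrypt, so its Hash::make() produces strings of the form $2y$<cost>$<22-character salt><31-character hash>; a dump therefore shows by inspection whether a column holds password hashes or plaintext, and no secret is needed to tell. The following added example (written for this page, not Altis code and not Laravel's) classifies each stored credential of a constructed user table by format and reports anything that is plaintext, an unsalted fast digest, or bcrypt with a cost factor below a threshold. The records, the filler hash strings and the minimum-cost threshold are assumptions.

```python
import re

# Constructed sample of a users table (illustrative values, not Altis data).
# The bcrypt and argon2 strings are format-valid filler, not hashes of any real password.
SAMPLE_USERS = [
    {"id": 1, "username": "alice",
     "password": "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"},
    {"id": 2, "username": "bob",   # bcrypt, but cost 4 is far too cheap
     "password": "$2y$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"},
    {"id": 3, "username": "carol", # 32 hex digits: an unsalted MD5-sized digest
     "password": "5f4dcc3b5aa765d61d8327deb882cf99"},
    {"id": 4, "username": "dave",  # stored as typed
     "password": "hunter2"},
    {"id": 5, "username": "erin",
     "password": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2hoYXNoaGFzaGhhc2g"},
]

# bcrypt modular-crypt form: $2a$/$2b$/$2y$, two-digit cost, then 53 chars of bcrypt base64.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# argon2 PHC string: variant, version, parameters, salt, hash.
ARGON2_RE = re.compile(
    r"^\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$")
# Bare hex digests of these lengths are almost always unsalted MD5/SHA-1/SHA-256/SHA-512.
HEX_DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
MIN_BCRYPT_COST = 10  # assumed floor; Laravel's own default is 10


def classify(stored):
    """Describe the format of one stored credential and give a verdict on it."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        verdict = "ok" if cost >= MIN_BCRYPT_COST else "weak-cost"
        return {"scheme": "bcrypt", "cost": cost, "verdict": verdict}
    if ARGON2_RE.match(stored):
        return {"scheme": "argon2", "cost": None, "verdict": "ok"}
    if re.fullmatch(r"[0-9a-fA-F]+", stored) and len(stored) in HEX_DIGEST_LEN:
        return {"scheme": HEX_DIGEST_LEN[len(stored)], "cost": None,
                "verdict": "unsalted-fast-hash"}
    # Anything else is not a recognised hash encoding; treat it as plaintext.
    return {"scheme": "plaintext", "cost": None, "verdict": "plaintext"}


def audit(users):
    """Return (username, scheme, verdict) for every record that is not an acceptable hash."""
    findings = []
    for user in users:
        result = classify(user["password"])
        if result["verdict"] != "ok":
            findings.append((user["username"], result["scheme"], result["verdict"]))
    return findings


if __name__ == "__main__":
    for username, scheme, verdict in audit(SAMPLE_USERS):
        print(f"{username}: {scheme} -> {verdict}")
```

The classifier works from the encoding alone, so it cannot distinguish a plaintext password that happens to be 32 hex characters from an MD5 digest; for a real audit, confirm with the application's hasher configuration (in Laravel, config/hashing.php) and by logging in with a known test account and checking which column changes.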

  • Naturally, all staff passwords are logged as well. I took the liberty to log into 3 of them, using simple usernames and passwords, running various staff commands (that could have been abused by any malicious attacker!) for further proof.

The login screens you show are running ttpa-beta-1.1.1-debug. The debug tag at the end of the version string only appears when connecting to the servers from a recent checkout of the source code, which makes it almost certain that you are one of the staff who recently left the team.

  • Excerpt of the game databases to show that I am serious:

Congratulations, you used the Mongo middleware that we were going to use for our new website's toon search feature. Only one of the recently removed staff members knew about the Mongo middleware, and also knew the exact username and password needed to access it. The game database holds no personal information, only each user's play token, which cannot be used to log into the game.

  • Who's to blame? The Altis moderators probably do not know anything about this. The only people who could have done it are the Altis server owners. There are 3 of them: Dubito, Sir Tubby Cheezyfish and Judge.

We are completely transparent with our moderators and the whole Altis team. They knew about the breach when it happened, and we explained it in full detail at the following meeting for anyone who had been offline in the days before.

  • In addition, this was a constant topic of discussion in the NOMCA chat - the Discord channel where higher-up Altis staff hang out and cause trouble for other people, and occasionally servers. That is a matter of its own - I will not be elaborating on it right now.

Considering you have probably only heard bits and pieces: NOMGCA is a server where some team members and their friends hang out in their free time. All we do there is talk and play games together, mainly Minecraft mods and Arma 3.

  • To those responsible: IMMEDIATELY destroy all server logs, including backups, and disable all collection of unhashed passwords and POST data! To continue this kind of behavior is a huge slap in the face for your players. It's incredibly irresponsible to put all your players in grave danger just to try to get the upper hand on others.

Having shown that we do not have any logs containing sensitive information, there is no reason for us to destroy logs, there is nothing to disable, and players were never in danger.

  • Altis has been down for "maintenance" for the past 17 hours after noticing this incident. Why lie about the truth? This isn't about maintenance. You have been compromised. You should be honest about that, instead of always hiding behind "maintenance". This isn't the only incident that happened that your players don't know about. Mature people take their fall - not cover it up.

While we haven't yet gotten around to posting this on the website, we have set up https://status.projectalt.is to report all incidents.