I've been seeing a lot of people misunderstanding the exploit that was used on April 17th, 2020. This gist should help explain how the exploit is done, and how to protect your account. Personally, I wouldn't call this an exploit, as this is more of social engineering than actual hacking, but nevertheless, throughout the gist, this will be referred to as an exploit.
As of April 19th, 2020, this exploit has been patched. Playcookies are now printed only after authentication, which means that even if you get your log files exposed, an attacker cannot login to your toon directly.
Do note however that logs can still be used to impersonate you, so remember to keep them safe!
Some users might not be familiar with a playcookie. A playcookie is essentially a token generated once you log in to Toontown Rewritten via any launcher (including custom ones). This playcookie is then validated by Toontown Rewritten once you click on the splash screen "Click to Join".
The playcookie itself is a randomly generated string that expires upon authentication, or after 15 minutes (in which it times out).
To explain the exploit properly, it's best to show the process of logging in to Toontown Rewritten.

- The user opens up the launcher.
- The user enters their username and password.
- The launcher sends the username and password to the server, which then checks if it's the correct combination.
  - If the user has 2FA/Toonguard, the server will return a response asking them to authenticate.
  - Additionally, this will also check if the account isn't verified, hasn't accepted the ToS, has been terminated, etc.
- The server will return a playcookie and the server IP if the combination is correct and has passed 2FA/Toonguard.
- The launcher launches the client with the playcookie and server IP.
- On the authentication screen, when the user clicks on the splash screen, the client sends the playcookie to the server, which validates it.
- The playcookie is now expired, and the user is in Toontown Rewritten, ready to play.
Here's a visual example to aid in understanding the process.
You can read more about the exact flow in the Login API documentation.
Playcookies are stored in the log file of Toontown Rewritten. It's the first line of the log file, and is printed every time you start up Toontown Rewritten. This is both a good and a bad thing. It's good, since it's one way to prove to the Support Team you own a certain account (all your playcookies are logged in their database). However, it's a bad thing, because if you give access to a user other than the Support Team of Toontown Rewritten, they will be able to impersonate you, or worse, log in to your account.
The exploit involves the attacker social engineering the victim into giving them a fresh log file while the victim is still on the authentication screen. Since the playcookie isn't expired yet, the attacker can log in with your playcookie (through a custom launcher that launches the game directly with a given playcookie), do whatever they feel like with the account, and then leave without you noticing.
This exploit bypasses all security checks, as these are done before the playcookie is generated.
This exploit can easily be avoided by the user by NEVER sending a log file to anyone that isn't part of the official Toontown Rewritten team. If you truly need to send one (such as when having issues with a crash), make sure to censor the line that contains your playcookie, or better yet, only send the traceback.
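To make the ordering concrete, here is an added toy model of the flow above (my own simplified illustration, not Toontown Rewritten's launcher or server code). It assumes a single-use playcookie with the 15 minute timeout from the gist, and contrasts the pre-patch behaviour (cookie printed to the log at client start-up, while still live) with the post-patch behaviour (cookie printed only after "Click to Join" has redeemed it):

```python
import re
import secrets

COOKIE_TTL = 15 * 60  # playcookies time out after 15 minutes (per the gist)


class PlaycookieServer:
    """Toy model of the playcookie flow above; assumed, not TTR's real server code."""

    def __init__(self, clock):
        self.clock = clock            # injected so the test can fake time
        self.cookies = {}             # cookie -> (account, issued_at)

    def login(self, account, password, expected):
        # Password, 2FA/Toonguard and ban checks all happen here, *before*
        # a playcookie exists, which is why a stolen cookie bypasses them.
        if password != expected:
            return None
        cookie = secrets.token_hex(16)
        self.cookies[cookie] = (account, self.clock())
        return cookie

    def redeem(self, cookie):
        """'Click to Join': the cookie is single use and dies after 15 minutes."""
        entry = self.cookies.pop(cookie, None)
        if entry is None:
            return None
        account, issued = entry
        return account if self.clock() - issued <= COOKIE_TTL else None


def cookie_from_log(log_lines):
    """What a recipient of a shared log can do: pull the playcookie line."""
    for line in log_lines:
        m = re.match(r"playcookie=([0-9a-f]{32})$", line)
        if m:
            return m.group(1)
    return None


def run_scenario(patched, now=1000.0):
    """Victim logs in and shares a fresh log before clicking 'Click to Join'."""
    server = PlaycookieServer(clock=lambda: now)
    log = []                                    # constructed log file contents
    cookie = server.login("victim", "hunter2", "hunter2")
    if not patched:
        log.append(f"playcookie={cookie}")      # pre-patch: logged at start-up
    attacker = server.redeem(cookie_from_log(log))  # log recipient moves first
    victim = server.redeem(cookie)              # victim finally clicks
    if patched:
        log.append(f"playcookie={cookie}")      # post-patch: logged after auth
    return attacker, victim
```

Pre-patch the log recipient gets the account and the victim's own click fails; post-patch the log holds only a dead cookie, which is still useful as proof of ownership to support, hence the "keep them safe" note above.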
But doesn't the playcookie expire once authenticating?
Yes, it does. However, the problem is that playcookies are used for verifying the ownership of an account, so someone could impersonate you and get full access to your account by asking the support team to change the email associated with the account to theirs.
Additionally, the Toontown Rewritten team could simply stop printing the playcookie in the log files, or print extra lines saying "do not share the log file with anyone other than [email protected]".
The exploit involves the victim sending a log file containing their playcookie to the attacker. The attacker can then log in through a custom launcher, bypassing 2FA/Toonguard/IP bans/etc.
The best thing you can do, as a user, is never send a log file to anyone but [email protected].