########################################################################

Title:  People on Ubi.com can be easily banned 0.1
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

########################################################################


Lately a lot of people have asked me to investigate about the
possibility to ban users on Ubi.com for a temporary time.

The method I want to show is the most easy and stupid existent and it is
caused by a bad protection used by Ubisoft.
Probably exist also other methods to ban people (temporary or not) but
currently I don't know them so I cannot report them to Ubisoft.

The problem I want to describe happens just because Ubisoft temporary
blocks for 15 minutes the accounts where the password has been mistaken
4 times.

That means everybody can open the Ubi.com application, insert the
nickname of the user to temporary ban, insert a casual password (123,
abc or everything he wants) and then try to login until he gets the
warning message saying:
"Your ubi.com account is blocked for 15 minutes. Please try again later"

As everybody can see it is nothing of technical but is only a simple
and known abuse of a protection mechanism (anti brute forcing and
password guessing techniques) commonly used also in other services over
Internet.

If you wanna avoid this banning abuse try to write to Ubisoft asking
them to remove this protection or to use a more intelligent one.


########################################################################