Because I can reach a lot of people here: Do not login to any MC servers that you don't fully trust, as it is currently possible for the owner of that server to steal your session and use it to log into another server.
E.g. if you are admin on one server, and somone you don't know invites you onto their server (and you actually log into that server), they are able to log into your server (or any other server) with your username without you noticing. This is possible without them knowing your password (and they don't need it anyway for that) and they can connect to "online-mode=true" servers.
To be save, add an additional line of defense like AuthX and make sure it's active for all "important" players (admins, mods).
“Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.” — Albert Einstein
"Never try to teach a pig to sing; it wastes your time and it annoys the pig." — Robert Heinlein
“Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.” — Albert Einstein
"Never try to teach a pig to sing; it wastes your time and it annoys the pig." — Robert Heinlein
Yeah, working on getting AntiMulti integrating with something along those lines, and also just using the login system would work here was well.
I am curious as to how effective and hard this would be to pull off, because if it is easy to do/easy to get, then that is a large security risk.
If you do that, I'll download AntiMulti, at least until this is fixed, the main reason I don't is because I have a brother on the same connection as me :/
If you do that, I'll download AntiMulti, at least until this is fixed, the main reason I don't is because I have a brother on the same connection as me :/
To be save, add an additional line of defense like AuthX and make sure it's active for all "important" players (admins, mods).
The only issue is that I kinda want to see this actually work and someone do it, because that is when it is a concern is when someone actually does it and tells people how to do it.
Then in that case is when i get my plugins and get to work securing my stuff down.
It'll probably work the same way it did back in the day of WoW account snatching. The smart people will attempt to keep this underground as long as possible, not raising flags about it. The accounts they take aren't going to be major accounts or ones that will raise a ****-storm, and most likely will use them for more or less innocent things like alt accounts.
It's when someone not quite up to speed on how the knowledge of the hacks existing gets ahold of it, and then they go on a forum and post "hey guys I got this super cool thing, it lets me snatch accounts". The original maker facepalms, and everyone starts to rave about it, until it will get fixed rather fast.
Given, this is different than WoW seeing as they did not support modifying clients and actually staffed people to scour the internet for such things. But even so, if someone is doing something of this level, and some less-than-intelligent person starts raving it everywhere, then it will get patched.
It'll probably work the same way it did back in the day of WoW account snatching. The smart people will attempt to keep this underground as long as possible, not raising flags about it. The accounts they take aren't going to be major accounts or ones that will raise a ****-storm, and most likely will use them for more or less innocent things like alt accounts.
It's when someone not quite up to speed on how the knowledge of the hacks existing gets ahold of it, and then they go on a forum and post "hey guys I got this super cool thing, it lets me snatch accounts". The original maker facepalms, and everyone starts to rave about it, until it will get fixed rather fast.
Given, this is different than WoW seeing as they did not support modifying clients and actually staffed people to scour the internet for such things. But even so, if someone is doing something of this level, and some less-than-intelligent person starts raving it everywhere, then it will get patched.
Well, you cannot steal details like the password, just the session. It's a little unwieldy for something like alts.
“Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.” — Albert Einstein
"Never try to teach a pig to sing; it wastes your time and it annoys the pig." — Robert Heinlein
Read how authentication works.
Basically the client and the server talk to the main Minecraft server which tells the server if the client is who it says it is. This involves a key which both the server and the client use (the client logs in to the main server and gives it the key and the server asks the main server if it the key has been shown to it by the client).
What this involves is the "evil" server taking that key and using it to connect to another "good" server (which then asks the mains server "is this key authenticated" and it replies with "yes" because the client authenticated itself earlier trying to log into the evil server).
The simple solution is having the client tell the main server which IP it is connecting to and then the main server not saying yes when the key are used on different servers.
Rollback Post to RevisionRollBack
"Terminator like robots may one day rule the world, as long as they don't run Windows Vista"
“Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.” — Albert Einstein
"Never try to teach a pig to sing; it wastes your time and it annoys the pig." — Robert Heinlein
I would take a guess they can't, but this is a security bulletin and needs to be known so people do not make 700 threads about it.
</subtle bump>
Also, this should be sticked.
Quote from Rules »
Bump Threads - Do not bump threads to get more replies or reply to older threads that have dropped off unless there is significant new information to add.
“Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.” — Albert Einstein
"Never try to teach a pig to sing; it wastes your time and it annoys the pig." — Robert Heinlein
Additional proof: http://www.teamavoli...line-mode-true/
I haven't found any evidence of this being exploited so far, but I thought it would be a good idea to post this here just in case.
"Never try to teach a pig to sing; it wastes your time and it annoys the pig." — Robert Heinlein
According to evenprime, it's possible via a Man-in-the-middle attack. So not the simplest to implement, but certainly possible to do so.
"Never try to teach a pig to sing; it wastes your time and it annoys the pig." — Robert Heinlein
Yeah, working on getting AntiMulti integrating with something along those lines, and also just using the login system would work here was well.
I am curious as to how effective and hard this would be to pull off, because if it is easy to do/easy to get, then that is a large security risk.
If you do that, I'll download AntiMulti, at least until this is fixed, the main reason I don't is because I have a brother on the same connection as me :/
The only issue is that I kinda want to see this actually work and someone do it, because that is when it is a concern is when someone actually does it and tells people how to do it.
Then in that case is when i get my plugins and get to work securing my stuff down.
It's when someone not quite up to speed on how the knowledge of the hacks existing gets ahold of it, and then they go on a forum and post "hey guys I got this super cool thing, it lets me snatch accounts". The original maker facepalms, and everyone starts to rave about it, until it will get fixed rather fast.
Given, this is different than WoW seeing as they did not support modifying clients and actually staffed people to scour the internet for such things. But even so, if someone is doing something of this level, and some less-than-intelligent person starts raving it everywhere, then it will get patched.
Well, you cannot steal details like the password, just the session. It's a little unwieldy for something like alts.
"Never try to teach a pig to sing; it wastes your time and it annoys the pig." — Robert Heinlein
Read how authentication works.
Basically the client and the server talk to the main Minecraft server which tells the server if the client is who it says it is. This involves a key which both the server and the client use (the client logs in to the main server and gives it the key and the server asks the main server if it the key has been shown to it by the client).
What this involves is the "evil" server taking that key and using it to connect to another "good" server (which then asks the mains server "is this key authenticated" and it replies with "yes" because the client authenticated itself earlier trying to log into the evil server).
The simple solution is having the client tell the main server which IP it is connecting to and then the main server not saying yes when the key are used on different servers.
PROTIP: If someone named aaron1tasker asks you to go on their server. DON'T DO IT!
Proof he's exploited it:
Problem solved mostly. Unless they make a bad password (or until AntiMulti gets the IP login system integrated) it is harder to get by that one.
(OPs can necrobump, right?)
"Never try to teach a pig to sing; it wastes your time and it annoys the pig." — Robert Heinlein
I would take a guess they can't, but this is a security bulletin and needs to be known so people do not make 700 threads about it.
</subtle bump>
Also, this should be sticked.
Since this is a PSA, I think I'm in the clear.
"Never try to teach a pig to sing; it wastes your time and it annoys the pig." — Robert Heinlein