registration security ?

All things BZFlag - no [OT] here please
Post Reply
User avatar
toaster
Private First Class
Private First Class
Posts: 457
Joined: Sat Feb 21, 2004 4:44 pm

registration security ?

Post by toaster » Sun Feb 22, 2004 12:24 am

This might not be the correct forum for this submission, and if not, please accept my apology.

I "registered" on a server for the first time today. I got help from sportchick and gjkg (thanks, both of you) because someone else had registered my name on secretplace. I never tried before, so I was unaware that you have to send the password registration and identification on a "chat" transmission. Works fine, no complaint.

However,

About a week or so ago I was on freedomlives.net, and I was being harassed again by one of the goofballs that have been bugging me. I think this individual got upset because I killed her in combat, so she re-joined in my team, then snuck around on the sidelines and shot me, and no one else, and usually at times when I was in heated firefights with no opportunity to check out my fellow team members. The TK was really getting on my nerves, and I got a message from her at one point to the effect of "serves you right," if I remember correctly. About this time, nightmare joined the game as rogue. (He uses a mix of caps/lowercase that I don't recall exactly, but it's something like "NigHtMaRe.")

I sent a private message, using ".", to the tk. I was really upset and I used some foul language. Nightmare immediately posted to me that my message was rather foul. But, when I asked him how he saw my message, he made reference to a special client with the ability to see all messages, regardless of whether they were private. He didn't help fix the problem with the harassing tk, though, and I eventually left the game.

Obviously, he's either an admin who doesn't care to help fix problems, or he's taking advantage of some security hole wherein all messages are forwarded to all clients for the clients themselves to filter, rather than the server acting as filter.

Why do I consider this a security hole? I don't really care too much if some admin wants to voyeur messages I consider private, as a general rule. I also don't care too much if some user gets snoopy and starts voyeuring. However, I do care once passwords of any kind are transmitted in cleartext.

So, how is this individual gaining access to private messages, and how safe is my "password?"

-toaster

User avatar
DTRemenak
General
General
Posts: 625
Joined: Thu Jan 16, 2003 4:54 am
Location: U.S.
Contact:

Post by DTRemenak » Sun Feb 22, 2004 1:22 am

All messages are relayed through the server. Server commands (messages beginning with /, including /identify, /setpass, etc.) stop there, and are not forwarded, so you don't have to worry about your password being sent to everyone, as the server will not relay them.
In 1.10.x+, no other messages should be forwarded to anyone else either (e.g. messages to a player get relayed only to that player, messages to a team only to players on that team). It would be easy to remove or modify this check from the server if a server admin wanted to see all messages.
It should be noted that passwords ARE transmitted in cleartext anyway, and would be subject to man-in-the-middle attacks.
It should also be noted that the server admin can know your password with very little work, as the password can be easily made to be output to a log file.
In short, if you don't trust the server admin, don't use a password you value. Even if you do, remember that it's being transmitted in cleartext between you and the server, and don't use one you value too much.

User avatar
Terminator
Private First Class
Private First Class
Posts: 45
Joined: Mon Dec 23, 2002 10:05 pm
Location: England

Post by Terminator » Sun Feb 22, 2004 10:13 am

Ya know, the pm part, I didn't know that was possible.

I can't register on secretplace now anyways, there must two Terminators, so if I go in there I just change my name to "Terminator." instead. But I don't mind, I'm registered on just about every other server I ever play on.
Astalavista baby!

and I'll be back!

User avatar
toaster
Private First Class
Private First Class
Posts: 457
Joined: Sat Feb 21, 2004 4:44 pm

Post by toaster » Sun Feb 22, 2004 1:49 pm

Well, I'm not real worried about the server admins with my password, either. Certainly, I used a password for the server that is completely different from the myriad of passwords I use on other systems about which I am more concerned. I was primarily worried about other users monitoring the message text, then using the passwords and getting me banned. I've been the subject of enough attacks recently in these worlds by rather immature people, not all of them kids.

Thanks for the response. I'm glad to know that was fixed in 1.10.

-toaster

User avatar
Chestal
Dev Guru
Dev Guru
Posts: 171
Joined: Fri Dec 06, 2002 11:56 pm
Location: Siegen, Germany
Contact:

Post by Chestal » Sun Feb 22, 2004 3:09 pm

Just to give more details: The server used to broadcast all messages to everyone. Thsi was fine because in the beginning there was no such thing as mesasges to the server (/ commands) or private messages. The were team messages, though which should probably have been selectively multicast even back then, but weren't.

Later in 1.7, server messages and private messages were introduced, but the filtering was done solely in the client. IIRC, somewhere along the 1.10 line this was changes so that the server would send the private message to the recipient only. Now on unmodified servers, only someone which has direct access to the server output would be able to see all messages.

User avatar
Gerbil
Private First Class
Private First Class
Posts: 251
Joined: Sat Dec 07, 2002 2:46 pm
Location: Habitrail Tube
Contact:

Sigh

Post by Gerbil » Thu Mar 04, 2004 9:02 am

I am,alas,already aware of people who coded there hack patches and were just looking for ways to compile. I have seen so far a high jump with same guy jumping off of SW bubbles as if they were objects. Another guy I couldn't kill or else was veeeeerrry hard to hit.

Where is Mr.. Apathy Cream when I need him?

Any news out there on cheat effects?

User avatar
SGI
Private First Class
Private First Class
Posts: 513
Joined: Mon Dec 09, 2002 7:24 pm
Location: Motown, MI, USA

Post by SGI » Thu Mar 04, 2004 1:14 pm

Wrong place to post ...Gerbil, there is a cheat code as far updated with the new cheats....you can find in the server policy or use the link .........where is the link?????
On the bottom of my posts

trepan
Dev Wizard
Dev Wizard
Posts: 704
Joined: Fri Feb 21, 2003 7:50 pm

Post by trepan » Thu Mar 04, 2004 1:49 pm

i don't like cheaters, but jumping
off of SW bubbles ... that's just neat.
GIve him a hardy congratulation on
his most excellent hacking achievement,
and then /ban.

Post Reply