simpleauth and simpleauth helper security leak

Comments in 'General Discussion' started by da123rrell, Sep 14, 2015.

  1. da123rrell
    da123rrell Active Member

    Joined:
    Feb 11, 2015
    Posts:
    136
    Minecraft User:
    da123rrell
    Just 5 minutes ago I realized that on SimpleAuth Helper there is an error on registering for PocketMine 1.6. The error makes the players that are registering give away their password.
    Code:
    [20:24:35] [Server thread/CRITICAL]: "Could not pass event 'pocketmine\event\player\PlayerCommandPreprocessEvent' to 'SimpleAuthHelper v2.0.2': Illegal offset type in unset on aliuly\helper\Main
    [20:24:35] [Server thread/WARNING]: RuntimeException: "Illegal offset type in unset" (E_WARNING) in "/SimpleAuth_v1.7.1.phar/src/SimpleAuth/task/ShowMessageTask" at line 46
    [20:24:35] [Server thread/INFO]: [New Player]>>[...]<< test_player > atestpassword
    
    and then when players login simpleauth usually gives a message that says "an error occurred while attempting to perform this command" and then in the console it shows this :
    Code:
    [20:25:09] [Server thread/INFO]: test_player[/139.228.44.9:61583] logged in with entity id 4451 at (lobby, 226, 85, 146)
    [20:25:11] [Server thread/CRITICAL]: "Could not pass event 'pocketmine\event\player\PlayerJoinEvent' to 'SimpleAuth v1.7.1': Illegal offset type on SimpleAuth\EventListener
    [20:25:11] [Server thread/WARNING]: RuntimeException: "Illegal offset type" (E_WARNING) in "/SimpleAuth_v1.7.1.phar/src/SimpleAuth/task/ShowMessageTask" at line 42
    [20:25:13] [Server thread/INFO]: test_player joined the game
    [20:25:19] [Server thread/CRITICAL]: Unhandled exception executing command 'login atestpassword' in login: Illegal offset type in unset
    [20:25:19] [Server thread/WARNING]: RuntimeException: "Illegal offset type in unset" (E_WARNING) in "/SimpleAuth_v1.7.1.phar/src/SimpleAuth/task/ShowMessageTask" at line 46
    I think these errors should be fixed, because if the server owner is not a good person they can try using it to access e.g. their Twitter, Facebook, etc., because some players use the same password everywhere.
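The log above shows the actual failure path: the auth handler crashed with an "Illegal offset type" warning before it had claimed the `register` line, so the line fell through to ordinary chat and the console printed `test_player > atestpassword`. The following is an added example, not SimpleAuth's or SimpleAuthHelper's own code: a toy model of that pipeline in Python showing the leaking handler, a fail-closed rewrite that cancels and redacts the event before doing anything that can throw (the bug still surfaces as CRITICAL, but the secret no longer reaches the log), and the caveat that a listener the server owner registers ahead of the auth plugin still sees the plaintext, which is the point the later replies in this thread make. The event flow, handler names, log format, the stand-in crash (`crash_like_illegal_offset`) and the unsalted `sha512` used for storage are all assumptions, modelled on PocketMine's `PlayerCommandPreprocessEvent` rather than taken from the plugins.

```python
"""Added example (not SimpleAuth/SimpleAuthHelper code): toy model of the leak in
the log above, a fail-closed fix, and why a hostile owner still sees the secret.
Event flow, names, log format and the stand-in crash are assumptions."""
import hashlib
from dataclasses import dataclass, field

SECRET_COMMANDS = ("register", "login")


@dataclass
class CommandPreprocessEvent:
    player: str
    message: str
    cancelled: bool = False


@dataclass
class Server:
    listeners: list = field(default_factory=list)
    console: list = field(default_factory=list)  # lines the owner sees
    store: dict = field(default_factory=dict)    # stored credential per player

    def dispatch(self, player, message):
        ev = CommandPreprocessEvent(player, message)
        for handler in self.listeners:
            try:
                handler(self, ev)
            except Exception as exc:  # logged as CRITICAL, processing carries on
                self.console.append(
                    f"[CRITICAL] Could not pass event to {handler.__name__}: {exc}")
        if not ev.cancelled:
            # An uncancelled message is ordinary chat and is echoed to the console,
            # the path that produced "test_player > atestpassword" in the log above.
            self.console.append(f"[INFO] {ev.player} > {ev.message}")
        return ev


def crash_like_illegal_offset(player):
    # Constructed stand-in for the "Illegal offset type in unset" failure:
    # deleting with an unhashable key, as the plugin did with an illegal offset.
    pending = {}
    del pending[[player]]  # TypeError: unhashable type: 'list'


def buggy_auth(server, ev):
    parts = ev.message.split()
    if not parts or parts[0] not in SECRET_COMMANDS:
        return
    crash_like_illegal_offset(ev.player)  # throws before the event is claimed
    ev.cancelled = True                   # never reached: message falls through


def fixed_auth(server, ev):
    parts = ev.message.split()
    if not parts or parts[0] not in SECRET_COMMANDS:
        return
    # Fail closed: take ownership of the message before any work that can throw.
    ev.cancelled = True
    password = parts[1] if len(parts) > 1 else ""
    ev.message = f"{parts[0]} [redacted]"  # later listeners and logs see no secret
    # Store only a hash (unsalted sha512 as a stand-in, not the plugin's scheme).
    server.store[ev.player] = hashlib.sha512(password.encode()).hexdigest()
    crash_like_illegal_offset(ev.player)  # the bug is still there, but cannot leak


def owner_packet_logger(server, ev):
    # What a hostile owner installs (the Command Tracker / PacketLogger replies
    # below): a listener registered ahead of auth that records every raw line,
    # so hashing at rest changes nothing for them.
    server.console.append(f"[OWNER-LOG] {ev.player}: {ev.message}")


def run(handlers, message="register atestpassword"):
    """Dispatch one constructed message and return the console lines."""
    server = Server(listeners=list(handlers))
    server.dispatch("test_player", message)
    return server.console


def leaks(console, secret="atestpassword"):
    """True if the plaintext secret appears anywhere the owner can read it."""
    return any(secret in line for line in console)


if __name__ == "__main__":
    for name, handlers in [("buggy", [buggy_auth]), ("fixed", [fixed_auth]),
                           ("fixed + owner logger", [owner_packet_logger, fixed_auth])]:
        print(f"--- {name}: leaks={leaks(run(handlers))}")
        for line in run(handlers):
            print(line)
```

Running it prints three scenarios: the buggy handler leaks the password through the chat echo, the fail-closed handler still reports the CRITICAL but nothing secret reaches the console, and the owner's own logger captures the plaintext regardless of how the auth plugin behaves.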
  2. PEMapModder
    PEMapModder Notable Member Plugin Developer

    Joined:
    Oct 9, 2013
    Posts:
    7,294
    Plugins:
    11
    Minecraft User:
    PEMapModder
    SimpleAuth shouldn't have used commands for login in the first place. If you look at its code, it actually reads the whole chat before passing into the command stage.
    CrazedMiner, da123rrell and iksaku like this.
  3. da123rrell
    da123rrell Active Member

    Joined:
    Feb 11, 2015
    Posts:
    136
    Minecraft User:
    da123rrell
    I know.
  4. aliuly
    aliuly Notable Member Plugin Developer

    Joined:
    Feb 8, 2014
    Posts:
    1,086
    Plugins:
    17
  5. LittleRon
    LittleRon New Member

    Joined:
    Jul 5, 2015
    Posts:
    7
    Minecraft User:
    LittleRon
  6. JACKO
    JACKO New Member

    Joined:
    Sep 18, 2015
    Posts:
    1
    Minecraft User:
    JACKO_64
    SimpleAuth keeps shutting down my server, what do I do?
  7. Gatucraft
    Gatucraft Active Member

    Joined:
    Sep 24, 2015
    Posts:
    152
    Minecraft User:
    Rokito
  8. Jelly9912
    Jelly9912 Active Member

    Joined:
    Aug 8, 2015
    Posts:
    118
    Minecraft User:
    Jelly9912
    Kiosek likes this.
  9. Brutus
    Brutus New Member

    Joined:
    Aug 31, 2015
    Posts:
    21
    I just want to point out that no local plugin solution is going to protect against bad server owners. Servers that take passwords are always going to be able to steal them with minimal effort.

    If a user is sending their password in plaintext to the server an attacker can easily steal that data, regardless of what the plugin does.

    The only actual solution is a centralized, trusted authentication server with a secure connection so that players never send servers their password. The only other option is for users to use a different password on every site/server, but do not expect that any time soon.
    Last edited: Oct 9, 2015
  10. aliuly
    aliuly Notable Member Plugin Developer

    Joined:
    Feb 8, 2014
    Posts:
    1,086
    Plugins:
    17
    A common solution to this is to use a One Time Password scheme.

    Google OTP
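"Google OTP" (Google Authenticator) is an implementation of TOTP, RFC 6238, built on HOTP, RFC 4226. The following is an added example, not part of the thread and not any PocketMine plugin's code, showing why it addresses the complaint above: the server stores a per-player shared secret, the player types a six-digit code derived from that secret and the current 30-second step, and a code captured from chat, a console log or a packet dump is useless once its step has passed and has already been consumed, and is never a password reused on another site. The secret and timestamps are the RFC test vectors; `TotpVerifier`, its `enroll`/`verify` methods and the player name are assumptions made for the example.

```python
"""Added example (not from the thread or any plugin): RFC 4226 HOTP and RFC 6238
TOTP with a replay-resistant verifier. Secret/timestamps are the RFC test vectors."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation (RFC 4226 section 5.3) down to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = 30) -> str:
    """TOTP = HOTP with the counter set to the number of `step`-second
    intervals since the Unix epoch (RFC 6238)."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side: holds each player's shared secret (never a password) and
    accepts a code from the current step +/- `skew` steps, at most once."""

    def __init__(self, step: int = 30, skew: int = 1):
        self.step, self.skew = step, skew
        self.secrets = {}        # player -> shared secret
        self.last_counter = {}   # player -> last accepted step, blocks replay

    def enroll(self, player: str, secret: bytes) -> None:
        self.secrets[player] = secret

    def verify(self, player: str, code: str, at: int) -> bool:
        secret = self.secrets.get(player)
        if secret is None:
            return False
        now = at // self.step
        for delta in range(-self.skew, self.skew + 1):
            counter = now + delta
            if hmac.compare_digest(hotp(secret, counter), code):
                if counter <= self.last_counter.get(player, -1):
                    return False  # this step was already used: a captured code
                self.last_counter[player] = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret
    v = TotpVerifier()
    v.enroll("test_player", secret)
    code = totp(secret, 59)
    print("code at t=59:", code, "accepted:", v.verify("test_player", code, 59))
    print("same code replayed at t=61 accepted:", v.verify("test_player", code, 61))
    print("same code at t=179 accepted:", v.verify("test_player", code, 179))
```

The worth of the scheme against this thread's problem is visible in the last two lines: the captured code is refused both as a replay inside its own window and once its step has passed, so a logging server owner gains nothing usable elsewhere. What it does not change is that the server still needs the shared secret, so a hostile owner can generate codes for their own server; it stops the cross-site reuse, not in-server abuse.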
  11. Thunder33345
    Thunder33345 Notable Member

    Joined:
    Apr 3, 2014
    Posts:
    755
    Minecraft User:
    Thunder33345
    In my opinion there is nothing wrong, as you should know that your password is NEVER safe. A very good practice is to use a different password for different services, and it is something very bad to use the same password everywhere.
    Well, some server owners (like me, but I add a disclaimer) can use the plugin called Command Tracker (on here), which reveals everyone's password.
  12. PEMapModder
    PEMapModder Notable Member Plugin Developer

    Joined:
    Oct 9, 2013
    Posts:
    7,294
    Plugins:
    11
    Minecraft User:
    PEMapModder
    Or just use PacketLogger.
    Thunder33345 likes this.
  13. Goerick
    Goerick Active Member

    Joined:
    Jan 24, 2014
    Posts:
    250
    Minecraft User:
    goerick
    SimpleAuth does not use plain text to store passwords. They use SHA1, I believe.
  14. Brutus
    Offline

    Brutus New Member

    Joined:
    Aug 31, 2015
    Posts:
    21
    This does not really make a material difference. What hashing passwords does is make it so that if someone breaks into your system and database, they don't have easy access to a treasure trove of past input passwords.

    What password hashing does not do, is stop server owners from capturing plaintext passwords. Hashing just makes it so you have to trust the server's own security against outside attackers less. It in no way solves the problem of whether you can trust the server owner in the first place. Passwords entered into chat are still sent to the server in plaintext and are extremely easy to capture as a server owner.

    I will also point out that any solution to this problem that makes it marginally harder for run-of-the-mill server owners to snoop on passwords might, in practical terms, make users less secure. If players are more willing to trust servers with valuable secrets because we make it barely difficult for script kiddies to intercept passwords, all that will do is create an illusion of security that does not exist. The door would still be wide open to people with any level of sophistication that will have the ability and know-how to do potentially really bad things with stolen passwords, rather than just being irresponsible kids.

    In summary: there is no solution to this problem that does not involve stopping altogether the practice of servers storing passwords. Any half steps only make mischief harder for unsophisticated bad actors and leaves the door wide open for real bad guys. In the meantime all users can do is use passwords that they do not care about getting stolen.
    HotFireyDeath and PEMapModder like this.
  15. PEMapModder
    PEMapModder Notable Member Plugin Developer

    Joined:
    Oct 9, 2013
    Posts:
    7,294
    Plugins:
    11
    Minecraft User:
    PEMapModder
    It uses [SHA512] XOR [WHIRLPOOL] together.
  16. ProjectInfinity
    ProjectInfinity Active Member Plugin Developer

    Joined:
    Sep 7, 2014
    Posts:
    112
    Plugins:
    3
    Minecraft User:
    ProjectInfinity
    This. Just had the pleasure of translating that function to Java for the MCPC edition of LeetAuth. For the first time I actually prefer the way PHP does something as opposed to other programming languages.
    Jankirby and PEMapModder like this.
