Closed Geekid812 closed 1 year ago
update: it's related to bad session management. need to implement a better system.
Yeah, the server completely trusts anyone sending a player's Ubisoft login. This allows people to just send some POST requests with someone else's Ubisoft login to change team, claim a cell, start a room and create a room with a profanity name (potentially showing up on people's Twitch streams).
A solution would be to let the server send some sort of session id to the client whenever a client requests to create or join a room. Every subsequent request to the server would need to send the session id with it, so the server can check if the session id is valid and ties to the correct room.
EDIT: For clarity, Ubisoft logins are not secret at all, you can grab anyone's login from trackmania.io
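The session scheme proposed above, worked through as an added example (not code from the plugin or its server): the server issues an opaque token on create/join, binds it to a login and a room, and every later request is authorized from the token rather than from the login in the request body. The insecure handler that trusts the public login is kept beside the hardened one for contrast. Class and method names, the 256-bit token size, the one-hour lifetime and the room/team data layout are assumptions for illustration, not the project's.

```python
"""Session-bound room requests: added example, not code from the plugin."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed lifetime; the issue names no value.
SESSION_TTL_SECONDS = 3600


@dataclass
class Session:
    login: str        # Ubisoft login the token was issued to
    room_id: str      # room the token is valid for
    expires_at: float


class RoomServer:
    """Toy room server. Room and team state are simplified placeholders."""

    def __init__(self, ttl: float = SESSION_TTL_SECONDS,
                 clock: Callable[[], float] = time.time):
        self._rooms: Dict[str, Dict[str, str]] = {}   # room_id -> {login: team}
        self._sessions: Dict[str, Session] = {}       # token -> Session
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested offline

    # --- insecure pattern the issue describes: the login alone is trusted ---
    def change_team_insecure(self, login: str, room_id: str, team: str) -> bool:
        room = self._rooms.get(room_id)
        if room is None or login not in room:
            return False
        room[login] = team   # anyone who knows the (public) login can do this
        return True

    # --- hardened pattern: opaque session token issued on create/join ---
    def _issue_session(self, login: str, room_id: str) -> str:
        # 32 random bytes from the OS CSPRNG: unguessable, unlike a public login
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(login, room_id, self._clock() + self._ttl)
        return token

    def create_room(self, login: str, room_id: str) -> str:
        if room_id in self._rooms:
            raise ValueError(f"room {room_id!r} already exists")
        self._rooms[room_id] = {login: "none"}
        return self._issue_session(login, room_id)

    def join_room(self, login: str, room_id: str) -> str:
        if room_id not in self._rooms:
            raise KeyError(room_id)
        self._rooms[room_id].setdefault(login, "none")
        return self._issue_session(login, room_id)

    def authenticate(self, token: str, room_id: str) -> Optional[str]:
        """Return the login bound to `token` if it is live and tied to `room_id`."""
        session = self._sessions.get(token)
        if session is None:
            return None                   # unknown token
        if session.expires_at <= self._clock():
            del self._sessions[token]     # expired: drop it
            return None
        if session.room_id != room_id:
            return None                   # valid token, but for another room
        return session.login

    def change_team(self, token: str, room_id: str, team: str) -> bool:
        """Hardened handler: the login comes from the session, not the request."""
        login = self.authenticate(token, room_id)
        if login is None:
            return False
        self._rooms[room_id][login] = team
        return True

    def leave_room(self, token: str, room_id: str) -> bool:
        login = self.authenticate(token, room_id)
        if login is None:
            return False
        self._rooms[room_id].pop(login, None)
        del self._sessions[token]         # leaving invalidates the session
        return True

    def team_of(self, login: str, room_id: str) -> Optional[str]:
        return self._rooms.get(room_id, {}).get(login)
```

The same check covers the other actions the comment lists (claiming a cell, starting a room): each handler calls `authenticate` first and acts on the login it returns, so a request carrying only a login harvested from trackmania.io has nothing the server will accept.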
Most of this was already known, but it came from bad anticipation. Originally, the plugin used IP addresses to identify players, but that broke on the VPS's proxy, so I hastily switched to Ubisoft logins to identify clients. Turns out that is not as secure as I would wish.
I see, I would still recommend some kind of session id though, in addition to Ubisoft logins. As just using IPs would result in people from the same household being able to mess with each other's games. Although it's unlikely, it could be possible.
Proper security measures have been implemented as of PR #17.
seen on scrapie/spam's stream. could be an issue with the server...