Pryaxis / TShock

☕️⚡️TShock provides Terraria servers with server-side characters, anti-cheat, and community management tools.
GNU General Public License v3.0

When using /login, both the command console and the log show the user's unencrypted password #1145

Closed ZakFahey closed 8 years ago

ZakFahey commented 8 years ago

This is the API version 22. Obviously, this is a pretty huge security flaw. Server owners can figure out the password of every registered user.
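The mitigation a server owner would want for the flaw reported above is to redact the arguments of credential-bearing commands before the command text ever reaches the console or the log file, and a way to audit existing logs for lines that still carry them. The following Python is an added example written for this thread; it is not TShock's or any plugin's code. It assumes that "/" and "." are the command prefixes, that command log lines have the form "<player> executed: <command>", and that the set of sensitive commands is the constructed list below; the sample log lines are constructed as well.

```python
"""Redact secret-bearing command arguments before they are logged,
and audit an existing log for lines that still leak them."""
import re

# Commands whose arguments are credentials. Constructed for this example;
# a real server decides which of its commands belong here.
SENSITIVE_COMMANDS = {"login", "register", "password", "passwd"}

# Assumption: both "/" and "." introduce a command. The name is matched
# case-insensitively; everything after the first run of whitespace is args.
_COMMAND_RE = re.compile(r"^\s*([/.])(\S+)(?:\s+(.*))?$", re.DOTALL)

# Assumed log line format: "... <player> executed: <command text>".
_EXEC_RE = re.compile(r"(executed: )(.*)$", re.DOTALL)


def redact_command(text: str) -> str:
    """Return text with the arguments of a sensitive command replaced.

    Plain chat and non-sensitive commands come back unchanged. The number
    of arguments is deliberately not preserved, so the log reveals neither
    the password, its length, nor whether a username was supplied.
    """
    match = _COMMAND_RE.match(text)
    if not match:
        return text
    prefix, name, args = match.groups()
    if name.lower() not in SENSITIVE_COMMANDS:
        return text
    if not args or not args.strip():
        return text  # bare "/login" carries no secret
    return f"{prefix}{name} [redacted]"


def sanitize_log_line(line: str) -> str:
    """Apply redact_command to the command part of an 'executed:' log line.

    Lines that do not record a command execution are returned unchanged.
    """
    return _EXEC_RE.sub(
        lambda m: m.group(1) + redact_command(m.group(2)), line, count=1
    )


def audit_log(lines):
    """Return the indices of log lines that still expose arguments of a
    sensitive command, i.e. lines a redaction pass would have changed."""
    return [i for i, line in enumerate(lines) if sanitize_log_line(line) != line]


# Constructed sample log (player names and passwords are made up).
SAMPLE_LOG = [
    "12:00:01 Player1 executed: /login hunter2",
    "12:00:05 Player1 executed: /login Player1 hunter2",
    "12:00:09 Player2 executed: /help",
    "12:00:12 Player2 executed: .register hunter2",
    "12:00:20 Player3 said: hello, /login is not a command here",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(sanitize_log_line(line))
    print("lines still leaking credentials:", audit_log(SAMPLE_LOG))
```

The redaction runs on the command string only, so the same function can sit in front of both the console writer and the file logger; audit_log is the check to run over logs written before the fix was in place, to find what needs rotating.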

ZakFahey commented 8 years ago

What's also concerning is that when the user types the command, their unencrypted password will be sent over to the server anyway without any client-side encryption, so that data could be intercepted. I don't think there's any way around that, though.

hakusaro commented 8 years ago

Can you provide proof that this is happening with no plugins installed other than TShock and a default config.json file?

ZakFahey commented 8 years ago

Actually, when removing all plugins this stops. It must be an issue with one of my plugins.

hakusaro commented 8 years ago

@ZakFahey if you discover which plugin is causing that, please let us know. We'd love to know if something is purposefully extracting passwords in plaintext (that's a very bad thing). If you discover which plugin it is and we have it hosted on our forums, please send me an email directly: shank@shanked.me