Closed ZakFahey closed 8 years ago
What's also concerning is that when the user types the command, their unencrypted password will be sent over to the server anyway without any client-side encryption, so that data could be intercepted. I don't think there's any way around that, though.
Can you provide proof that this is happening with no plugins installed other than TShock and a default config.json file?
Actually, when removing all plugins this stops. It must be an issue with one of my plugins.
@ZakFahey if you discover which plugin is causing that, please let us know. We'd love to know if something is purposefully extracting passwords in plaintext (that's a very bad thing). If you discover which plugin it is and we have it hosted on our forums, please send me an email directly: shank@shanked.me
This is the API version 22. Obviously, this is a pretty huge security flaw. Server owners can figure out the password of every registered user.