azerothcore / acore-cms

ACore CMS based on Wordpress
https://www.azerothcore.org/acore-cms/

CC Issue: Exposure/leak of the login name #93

Closed acidmanifesto closed 2 years ago

acidmanifesto commented 2 years ago

https://github.com/chromiecraft/chromiecraft/issues/3082 Per user:

Alice asks Bob to add her RAF/client ID as his recruiter, and once Bob enters Alice's ID into his profile as the recruiter, he sees the username/login name that Alice uses to log into the game.

Not only does Bob now know Alice's login name (which is supposed to be secret), but Alice also has Bob's login name, and one day, when he breaks her heart and the evil gets into her, she may try to log in as Bob and do some damage/revenge.

Of course you guys might have some protection against password attempts, but if we look at this situation from the CIA triad standpoint (Confidentiality, Integrity, Availability), it definitely compromises the C (Confidentiality) and is not expected behavior.

In simple words, if you already know the target's username, you are halfway there and only need to figure out the password.

(Another example would be the old-school root account on UNIX systems, and believe me, there are still people who log in directly as root, even over SSH and other protocols...)

Wish you guys the best and I would be more than happy if I can help you with anything.

love and peace
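A small model of the recruiter lookup this issue describes, added here as an example and not code from acore-cms or the fix in #94: the leaky lookup that hands the viewer the whole account row sits beside a projection that exposes only allow-listed fields, plus a check a regression test could run over any view shown to another player. The account table, the login names and the `display_name` field are constructed assumptions.

```python
"""Recruiter lookup: the reported leak and a hardened projection (constructed model)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    account_id: int     # the RAF / client ID a player deliberately shares
    username: str       # game login name: must never reach another user
    display_name: str   # assumed public handle (assumption, not an acore-cms field)


# Constructed sample rows standing in for the CMS account table.
ACCOUNTS = {
    1001: Account(1001, "alice_login", "Alice"),
    1002: Account(1002, "bob_login", "Bob"),
}

# Fields that may never appear in anything rendered for a different user.
SENSITIVE_FIELDS = frozenset({"username"})


def recruiter_lookup_leaky(recruiter_id: int) -> Optional[dict]:
    """Behaviour reported in #93: the full row, login name included, is returned."""
    acct = ACCOUNTS.get(recruiter_id)
    return None if acct is None else vars(acct).copy()


def recruiter_lookup_safe(recruiter_id: int) -> Optional[dict]:
    """Hardened variant: confirm the ID resolves, then return an allow-listed projection.

    Building the dict from named fields (rather than deleting keys from the
    row) means a column added to Account later is not exposed by accident.
    """
    acct = ACCOUNTS.get(recruiter_id)
    if acct is None:
        return None
    return {"account_id": acct.account_id, "display_name": acct.display_name}


def leaks_sensitive(view: Optional[dict]) -> bool:
    """Regression check: does a view destined for another user carry a confidential field?"""
    return bool(view) and not SENSITIVE_FIELDS.isdisjoint(view)
```

Running `leaks_sensitive` over every cross-user view in the CMS test suite is what turns "we removed the column from one template" into a property that stays true after refactors.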
nicoaravena commented 2 years ago

Fixed with #94