Open ikey-ru opened 3 years ago
This is a great suggestion. Here's a conversation I had with the developer on Discord about this topic a few months ago.
Yeah, so this is kinda a funky issue. I've been working on adding native support for accessing SMServer out-of-network (check out the remote_changes branch), and it's nearly done. I just need to finish up the desktop client that I'm working on and get a host server up and running (to relay messages between clients and hosts) and I can release it for everyone to use.
Once this new version is released, I'll be dropping official support for port forwarding/vpn/etc and instead recommend usage of the new websocket system that I've set up (if you want more details about how it'll work, check out the API docs in the remote_changes branch, or feel free to DM me on another platform so we don't clog up these issues). This new system will connect directly between clients and hosts and will no longer rely on IP-based verification, so this vulnerability won't be an issue anymore.
In the meantime, one workaround would be SSH'ing into your phone and running killall -9 SMServer. This will completely kill the app, automatically de-authing everyone connected to it, and then you can start up the CLI version of the server again at your convenience. Of course, this relies on you having SSH access, and knowing at least the basics of command line navigation.
How do I force a logout? If the Wi-Fi router is connected to a VPN server on which an external IP is forwarded to the phone's IP, then one authorization allows everyone to log in and see messages.
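The issue above and the developer's reply both come down to the same design point: when authorization is bound to the client's source IP, every device behind the same VPN or NAT hop shares that address, so one login trusts all of them, and the only way to revoke is to restart the process. The following is an added illustration, not SMServer's code or anything from its developer; it models the IP-bound check beside a per-login bearer-token check with an explicit logout, using constructed addresses and a constructed password.

```python
import hashlib
import hmac
import secrets


def _digest(secret: str) -> str:
    # Keep only hashes of passwords and tokens so a dumped session table is not directly reusable.
    return hashlib.sha256(secret.encode()).hexdigest()


class IpBoundAuth:
    """Hypothetical model of authorization keyed on the source IP address.

    Once any client logs in from an address, every later request from that
    address is trusted, which is the behaviour the issue describes.
    """

    def __init__(self, password: str) -> None:
        self._password_digest = _digest(password)
        self._trusted_ips = set()

    def login(self, source_ip: str, password: str) -> bool:
        if not hmac.compare_digest(_digest(password), self._password_digest):
            return False
        self._trusted_ips.add(source_ip)
        return True

    def is_authorized(self, source_ip: str) -> bool:
        return source_ip in self._trusted_ips


class TokenBoundAuth:
    """Authorization keyed on a random per-login bearer token, independent of the address."""

    def __init__(self, password: str) -> None:
        self._password_digest = _digest(password)
        self._active_tokens = set()  # digests of tokens currently valid

    def login(self, password: str):
        if not hmac.compare_digest(_digest(password), self._password_digest):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._active_tokens.add(_digest(token))
        return token

    def is_authorized(self, token) -> bool:
        return token is not None and _digest(token) in self._active_tokens

    def logout(self, token) -> None:
        # Revoke a single session without touching the others.
        if token is not None:
            self._active_tokens.discard(_digest(token))

    def logout_all(self) -> None:
        # Server-side equivalent of restarting the process: every session is dropped.
        self._active_tokens.clear()


def run_scenario() -> dict:
    """Two clients reach the server through one VPN/NAT hop (constructed values)."""
    shared_ip = "203.0.113.10"  # constructed: the address both clients appear to come from
    password = "correct horse"  # constructed

    # IP-bound model: client A logs in, client B never does but shares the address.
    ip_auth = IpBoundAuth(password)
    ip_auth.login(shared_ip, password)
    ip_second_client_allowed = ip_auth.is_authorized(shared_ip)

    # Token-bound model: client A gets its own token; client B has nothing to present.
    tok_auth = TokenBoundAuth(password)
    token_a = tok_auth.login(password)
    wrong_password_rejected = tok_auth.login("not the password") is None
    token_first_before = tok_auth.is_authorized(token_a)
    token_second_client_allowed = tok_auth.is_authorized(None)
    tok_auth.logout_all()  # the "force everyone out" operation the issue asks for
    token_first_after = tok_auth.is_authorized(token_a)

    return {
        "ip_model_second_client_allowed": ip_second_client_allowed,
        "token_model_wrong_password_rejected": wrong_password_rejected,
        "token_model_first_client_before_logout": token_first_before,
        "token_model_second_client_allowed": token_second_client_allowed,
        "token_model_first_client_after_logout": token_first_after,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The IP-bound model cannot tell the two clients apart, so it has no per-client logout either; the token model gives each login its own credential, which is what makes both selective revocation and a global "log everyone out" possible without killing the process.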