multitheftauto / mtasa-blue

Multi Theft Auto is a game engine that incorporates an extendable network play element into a proprietary commercial single-player game.
https://multitheftauto.com
GNU General Public License v3.0

MTA Session ID #3432

Open Armisael2k opened 5 months ago

Armisael2k commented 5 months ago

Is your feature request related to a problem? Please describe.

Recently a hack has been released which can execute Lua code inside the client. For some reason, every time a cheater joins a server using hacks and needs to reconnect or change to another server, it's necessary to restart MTA.

Describe the solution you'd like

Benefit: If an administrator detects any strange behavior from a player, the Session ID can help to identify how many times the player has restarted their MTA. Therefore this can be implemented in custom anticheats.

Behavior: The Session ID should be generated each time the user opens MTA; it should be immutable until the player opens MTA again.

Describe alternatives you've considered

Functions Serverside: getPlayerSessionId(player) player: player:getSessionId

Variable player.sessionId

Additional context

I understand that the solution may be to force reconnect any player when he joins the server. But I think this may be an option to help identify those malicious users.

Security Policy

MegadreamsBE commented 5 months ago

How exactly would this be helpful to identify malicious users? I personally don't see a point in this

Armisael2k commented 5 months ago

> How exactly would this be helpful to identify malicious users? I personally don't see a point in this

In my opinion, too many changes to that identifier would be a red flag for that player.

MegadreamsBE commented 5 months ago

> > How exactly would this be helpful to identify malicious users? I personally don't see a point in this
>
> In my opinion, too many changes to that identifier would be a red flag for that player.

Hmm, I disagree. Plenty of reasons why a player would restart their game often. You'd have a lot of false positives.

Armisael2k commented 5 months ago

> > > How exactly would this be helpful to identify malicious users? I personally don't see a point in this
> >
> > In my opinion, too many changes to that identifier would be a red flag for that player.
>
> Hmm, I disagree. Plenty of reasons why a player would restart their game often. You'd have a lot of false positives.

I understand that point, but I can imagine situations where a new player joins the server with a new account and keeps joining and rejoining repeatedly. Maybe the ID by itself doesn't do anything, but a constant change of ID might be a variable to consider, since the most common thing is that they do a /reconnect.

Anyway, I'll leave the idea on the table

Disinterpreter commented 5 months ago

I can be wrong, but:

  1. What obstacles are stopping you doing this from code?
  2. About Lua injection, I guess you store sensitive changeable data in Web on frontend too? Without any serverside checking? Am I wrong?
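
The heuristic debated in this thread, sketched as an added example that is not part of the issue or of MTA's code: count distinct session IDs per serial inside a sliding window and mark outliers for review rather than as a verdict, given the false-positive concern raised above. `getPlayerSessionId` is only the proposed function and does not exist in MTA; the serials, session IDs, window and threshold below are constructed assumptions.

```lua
-- Added example: not MTA code. getPlayerSessionId does not exist in MTA;
-- the session IDs below stand in for what the proposed function would return.
local WINDOW_SECONDS = 3600   -- assumed look-back window
local MAX_SESSIONS   = 4      -- assumed threshold: distinct sessions per window

local history = {}  -- serial -> list of { time = t, session = id }

-- Record a join and return the number of distinct session IDs seen for this
-- serial inside the window, plus whether that count exceeds the threshold.
local function recordJoin(serial, sessionId, now)
    local kept, seen, distinct = {}, {}, 0
    -- Drop joins that have aged out of the window.
    for _, e in ipairs(history[serial] or {}) do
        if now - e.time <= WINDOW_SECONDS then kept[#kept + 1] = e end
    end
    kept[#kept + 1] = { time = now, session = sessionId }
    history[serial] = kept
    -- A /reconnect keeps the same session ID, so it does not raise the count.
    for _, e in ipairs(kept) do
        if not seen[e.session] then
            seen[e.session] = true
            distinct = distinct + 1
        end
    end
    return distinct, distinct > MAX_SESSIONS
end

-- Constructed sample joins: { serial, session ID, seconds since start }
local joins = {
    { "SERIAL-A", "s1", 0 },    { "SERIAL-A", "s1", 120 },  -- /reconnect, same session
    { "SERIAL-A", "s1", 900 },
    { "SERIAL-B", "s1", 0 },    { "SERIAL-B", "s2", 300 },  -- client restarted before each join
    { "SERIAL-B", "s3", 600 },  { "SERIAL-B", "s4", 900 },
    { "SERIAL-B", "s5", 1200 },
    { "SERIAL-C", "s1", 0 },    { "SERIAL-C", "s2", 4000 }, -- one restart, over an hour apart
}

for _, j in ipairs(joins) do
    local distinct, flagged = recordJoin(j[1], j[2], j[3])
    print(string.format("%s t=%-5d session=%s distinct=%d%s",
        j[1], j[3], j[2], distinct, flagged and "  <- review" or ""))
end
```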