Official Everybody Edits Forums

Do you think I could just leave this part blank and it'd be okay? We're just going to replace the whole thing with a header image anyway, right?

You are not logged in.

Donate!

pls donate


#1 2019-05-03 18:03:01

mikelolsuperman
Member
From: North Korea
Joined: 2016-06-26
Posts: 1,669
Website

Big security flaw

I have some problems with my pc outside of ee so I had to change  around some stuf and I got logged out from ee. When I went to log back in I typed my password but instead of pressing the Shift key I pressed caps lock and my entire password had uppercase and lowercase letters swapped. The problem is, ee didn't tell me it was a wrong password, so it's easier (while still hard) to guess someone's password since you don't have 62 characters for each digit (a-z, A-Z and 0-9) but only 36 (a-z and 0-9). I noticed caps lock was on when I typed uppercase without getting near the shift or caps lock key, so I couldn't have possibly turned it on after I typed my password.


Blue is my favourite color
BhC68b8.png

Signature made by Nebula

I also like lasagna, but not when it's blue

Offline

#2 2019-05-03 18:10:38

Tomahawk
Forum Mod
From: BiH
Joined: 2015-02-18
Posts: 2,133

Re: Big security flaw

Yeah, PlayerIO's game passwords aren't case sensitive.


One bot to rule them all, one bot to find them. One bot to bring them all... and with this cliché blind them.

Offline

Wooted by: (3)

#3 2019-05-03 18:35:06

LukeM
Dev Team
From: England
Joined: 2016-06-03
Posts: 2,838
Website

Re: Big security flaw

We'd much rather this wasn't the case, but annoyingly we don't get a choice with PlayerIO so theres not much we can do right now...

We'll make sure to fix these problems for EEU though (passwords will be case sensitive and require at least a minimum level of security, email addresses will be validated and not changable without additional authentication, etc)

Offline

#4 2019-05-03 20:37:51

XxAtillaxX
Member
From: Canada
Joined: 2015-11-28
Posts: 3,974

Re: Big security flaw

It isn't a large security flaw at all. You can't efficiently brute-force passwords with Player.IO and if you took the five minutes to try it, you'd quickly find they already have taken measures against it (i.e. rate limiting)
In reply to Luke, you could already validate email addresses in the game if you wanted to. Player.IO doesn't hold your hand in that regard, but you're free to pay for those services if you feel it's necessary.

"and require at least a minimum level of security"
You could already do this if you wanted to. Stop pretending like Player.IO is at fault for your laziness.


signature.png

Offline

Wooted by:

#5 2019-05-03 22:28:31, last edited by LukeM (2019-05-03 22:31:45)

LukeM
Dev Team
From: England
Joined: 2016-06-03
Posts: 2,838
Website

Re: Big security flaw

XxAtillaxX wrote:

It isn't a large security flaw at all. You can't efficiently brute-force passwords with Player.IO and if you took the five minutes to try it, you'd quickly find they already have taken measures against it (i.e. rate limiting)
In reply to Luke, you could already validate email addresses in the game if you wanted to. Player.IO doesn't hold your hand in that regard, but you're free to pay for those services if you feel it's necessary.

"and require at least a minimum level of security"
You could already do this if you wanted to. Stop pretending like Player.IO is at fault for your laziness.

I wasn't blaming PlayerIO for the second paragraph, I was just saying that those are the things we'll change in EEU. We could spend the time implementing email verification, but with EEU fairly close theres not much of a point doing it for the few new accounts that might sign up.

However, even though we could implement basic email verification and minimum password requirement systems, there would still be significant holes in those systems that we wouldn't be able to fix with PlayerIO. We can check the email and password during registration, but after that we're completely out of the loop, both email and password changes are done directly through PlayerIO, so we have no (meaningful) way of verifying that our requirements have been met.

Offline

#6 2019-05-04 05:26:19

XxAtillaxX
Member
From: Canada
Joined: 2015-11-28
Posts: 3,974

Re: Big security flaw

LukeM wrote:

We can check the email and password during registration, but after that we're completely out of the loop, both email and password changes are done directly through PlayerIO, so we have no (meaningful) way of verifying that our requirements have been met.

If you really wanted to (and I don't see why you would, if someone is adamant enough about having a weak password to directly change it through Player.IO) you could verify the account details remotely through an encrypted connection prior to allowing them to join the lobby (i.e. generate a temporary session token)

I find it rather ironic that you speak about security as though you're informed while being unable to contemplate very basic solutions to the problems you describe to be impossible.


signature.png

Offline

#7 2019-05-04 10:15:35

peace
Member
From: admin land
Joined: 2015-08-10
Posts: 5,985

Re: Big security flaw

wait so it doeesnt matter if you wirte your pass in caps or not?! geee wtf PIO wtf


OeaNm9Q.png              MYaIIs9.png
ty anatoly and nikko99 for a golden sig and blueclued for avatar and daneeko for pixelating my sign //forums.everybodyedits.com/img/smilies/cool3bluekeys.pngKFPwcx.jpg

Offline

#8 2019-05-06 14:41:43, last edited by LukeM (2019-05-06 14:42:14)

LukeM
Dev Team
From: England
Joined: 2016-06-03
Posts: 2,838
Website

Re: Big security flaw

XxAtillaxX wrote:
LukeM wrote:

We can check the email and password during registration, but after that we're completely out of the loop, both email and password changes are done directly through PlayerIO, so we have no (meaningful) way of verifying that our requirements have been met.

If you really wanted to (and I don't see why you would, if someone is adamant enough about having a weak password to directly change it through Player.IO) you could verify the account details remotely through an encrypted connection prior to allowing them to join the lobby (i.e. generate a temporary session token)

I find it rather ironic that you speak about security as though you're informed while being unable to contemplate very basic solutions to the problems you describe to be impossible.

Sorry, missed this reply somehow.

I'd agree with you if the standard way of changing a password was through a system we have control over, but it isn't, PlayerIO don't provide functionality to do it within the game. The problem with password requirements isn't that people have an option to change their password in a way that bypasses us if they look into it, its that this is the only way for people to change their password.

(And just clarifying that by "with PlayerIO" in my last reply I meant with the services that PlayerIO provide, we could technically set up our own account system on our own authentication servers that we would host ourselves, but the whole point of PlayerIO is that you don't need to set up your own servers, so this defeats the point)

Offline

#9 2019-05-06 15:44:30

peace
Member
From: admin land
Joined: 2015-08-10
Posts: 5,985

Re: Big security flaw

tho you can hack poeples EE acc if oyu can hack thier email aand  use it to change their ee password nothign you can do about that


OeaNm9Q.png              MYaIIs9.png
ty anatoly and nikko99 for a golden sig and blueclued for avatar and daneeko for pixelating my sign //forums.everybodyedits.com/img/smilies/cool3bluekeys.pngKFPwcx.jpg

Offline

peace1557153870748790

Board footer

Powered by FluxBB

[ Started around 1568755804.8561 - Generated in 0.038 seconds, 12 queries executed - Memory usage: 1.37 MiB (Peak: 1.51 MiB) ]