[CC 1.33] [MC1.2.5] Computer Global Chat with Minescraft.net Login


10 replies to this topic

#1 monsticraft

  • New Members
  • 15 posts

Posted 18 July 2012 - 10:46 PM

Hi guys,

I hope you like it.

This is a default chat program with authentication in minecraft.net.

Enjoy!

MinesCraft Tekkit
http://www.mineScraft.com.br
Tekkit MC: 198.136.62.131:2000

http://pastebin.com/b0qbtyYY

CAUTION: Don't run this program for now; waiting for help to fix it.

#2 Lyqyd

    Lua Liquidator

  • Moderators
  • 8,465 posts

Posted 19 July 2012 - 12:47 AM

I wish to advise anyone reading this topic to not run this in a multiplayer environment for any reason. While it does not seem to transmit your minecraft password anywhere, it does store it as a global variable and so could be read by anyone else with access to the machine, even prior to you putting it in (latent malware running in parallel).

I won't report this as malicious, but I think it would be very wise to avoid this and any other software that asks for your Minecraft account password.

#3 monsticraft

  • New Members
  • 15 posts

Posted 19 July 2012 - 03:36 AM

How? The password is not sent by broadcast; it's only checked via HTTP. I don't understand, where is the failure?

#4 Lyqyd

    Lua Liquidator

  • Moderators
  • 8,465 posts

Posted 19 July 2012 - 03:55 AM

Well, that's one vector already; unscrupulous server owners could be sniffing network traffic to and from minecraft.net and could intercept player passwords in plaintext.

However, the attack vector I mentioned previously is to just use another piece of software on the same machine to check the value of nickpass and report any changes to another computer.

#5 monsticraft

  • New Members
  • 15 posts

Posted 19 July 2012 - 04:27 AM

Man, what are you saying? Are you crazy? This is the Minecraft API, offered by Minecraft to check users via URL request; this API is used in phpBB3 and a lot of sites and programs.

On my server, my users trust me, and I think it's impossible to do what you are saying... Sorry, I need more PRO suggestions...


GG.

Monstic

#6 minizbot2012

  • Members
  • 122 posts
  • Location: Palm Bay, Florida

Posted 19 July 2012 - 04:34 AM

What he is saying is that you can see the scope of vars from another program on the computer! This means that it is a global var. To make it a local var (not accessible from another piece of code) add local before the var name! Your current code uses global vars (accessible from outside the program)
Global: somevar = something
Local: local somevar = something
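
The difference between the two declarations above, as an added example that is not part of any post in this thread: plain Lua (5.1 or later) that models two programs sharing one global environment. The shared environment table, the chunk names and the sample password are assumptions made for the illustration; `nickpass` is the variable name mentioned in post #4.

```lua
-- Added example: models two programs that share one global environment.
-- Chunk names and the sample password are constructed for illustration.

-- Load a chunk so that its globals live in `env` (Lua 5.1 and 5.2+).
local function load_in_env(src, name, env)
  if setfenv then                            -- Lua 5.1 / LuaJ
    local fn = assert(loadstring(src, name))
    return setfenv(fn, env)
  end
  return assert(load(src, name, "t", env))   -- Lua 5.2+
end

-- Assumption: one environment shared by every program on the machine.
local shared = setmetatable({}, { __index = _G })

-- "Before": the chat program keeps the password in a global.
local chat_global = [[
  nickpass = ...          -- global: written into the shared environment
  return #nickpass
]]

-- "After": the same assignment declared local.
local chat_local = [[
  local nickpass = ...    -- local: out of scope once the chunk returns
  return #nickpass
]]

-- A second program on the same machine that only reads the global name.
local other_program = [[ return nickpass ]]

-- Run a chat variant, then report what the second program can read.
local function seen_by_other_program(chat_src)
  shared.nickpass = nil
  load_in_env(chat_src, "chat", shared)("constructed-sample-password")
  return load_in_env(other_program, "other", shared)()
end

print("global version visible to other program:", seen_by_other_program(chat_global))
print("local version visible to other program: ", seen_by_other_program(chat_local))
```

Declaring the variable local only closes the shared-scope exposure; it does not change how the password travels over the network, which post #4 raises separately.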

#7 monsticraft

  • New Members
  • 15 posts

Posted 19 July 2012 - 04:47 AM

miniz, can you fix the code please?

#8 minizbot2012

  • Members
  • 122 posts
  • Location: Palm Bay, Florida

Posted 19 July 2012 - 04:49 AM

I can, but I cannot right now; it is 1am here, and I need sleep.
I will after school tomorrow.
K?

#9 monsticraft

  • New Members
  • 15 posts

Posted 19 July 2012 - 04:50 AM

Ok, thanks..

:P

#10 Lyqyd

    Lua Liquidator

  • Moderators
  • 8,465 posts

Posted 19 July 2012 - 04:57 AM

monsticraft, on 19 July 2012 - 04:27 AM, said:

Man, what are you saying? Are you crazy? This is the Minecraft API, offered by Minecraft to check users via URL request; this API is used in phpBB3 and a lot of sites and programs.

On my server, my users trust me, and I think it's impossible to do what you are saying... Sorry, I need more PRO suggestions...


GG.

Monstic

I'm sorry, you must not understand what I'm saying. I'm saying that it's a bad idea to send passwords through plaintext, which this does. I'm saying it's a bad idea to let passwords-in-plaintext traffic pass through potentially untrusted nodes (which is fine for your users on your server, I guess, but is not fine practically anywhere else), which this does. I'm saying that it's a bad idea to also leave the password in plaintext sitting in a completely unsecured environment in-game without even putting it in a local scope, which this does. I'm saying that it's a bad idea for people to trust your program with their password to an account that they paid actual money for, which it is.

I'm sorry that you lack reading comprehension and critical thinking skills. You should not try to pass these deficiencies off on others who are simply trying to help you. Your lack of understanding of basic security principles means that neither you, nor any code you write, should be handling anybody's paid-for account information.

#11 monsticraft

  • New Members
  • 15 posts

Posted 19 July 2012 - 01:18 PM

Yes, I understand now... sorry for the comment.

Can someone help to fix this code?

Or better, how can I check auth of my phpbb3 forum?

Thanks, and again, sorry for my noob words... :P


Att.
Hermann




