ID:1745086
 
Keywords: client, phishing, web
I feel like some security for users needs to be put in place regarding the web client. I feel phishing could be a major issue. I would dislike it if one of my players were to lose access to their account by signing in to what appeared to be an embedded web client.

What are your thoughts on this, guys?


Also, is there any way to force the player to sign in as a guest all the time, with no interface to sign in as a member?
The guest keys are just "Guest_[computer_id]"
We'll eventually provide options to do direct logins as Guest (and the converse to restrict Guest logins).

The phishing issue is a legitimate concern. It is pretty easy to catch and ban offenders who do exploit this, but that isn't optimal since it relies on our involvement. A better alternative would be to have the login done through a popup to our site, but that is probably not as desirable for users who truly want to present a standalone experience (indeed, a few have requested that they be able to rebrand the login dialog). We'll give it some more thought. (Un)fortunately, no one is really using this yet, so we have time.
I can crack any BYOND account I wish. It's honestly not hard, and the login is where the security flaw lies. I'd alert the community, but it WOULD be abused by anyone who saw my post about it, so I've been waiting for staff to contact me.
Here, at least, let me show a little bit about what I mean. Most of you probably haven't heard of Sentry MBA. Well, I code Sentry MBA configs. They are used to crack accounts on websites. BYOND's config was too easy to make. It took less than 20 minutes, and no proxies are needed to stress test it as well.

The secure login link - https://secure.byond.com/login.cgi

That's as much proof as I'm going to post that I can crack BYOND accounts with ease. Staff, get ahold of me. I will give you the fix and the vulnerability.
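A defensive counterpart to the concern raised in the post above, added here as an example and not code from this thread or from BYOND: it scans constructed login.cgi log lines (the line format is an assumption) for a single source producing many failed logins across many distinct keys in a short window, which is the pattern that per-source throttling or lockout on the login endpoint would need to act on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines for illustration; not real BYOND logs, and the
# "<timestamp> <ip> login.cgi key=<key> status=<ok|fail>" format is assumed.
SAMPLE_LOG = """\
2013-03-01T10:00:01 203.0.113.7 login.cgi key=alice status=fail
2013-03-01T10:00:02 203.0.113.7 login.cgi key=bob status=fail
2013-03-01T10:00:02 203.0.113.7 login.cgi key=carol status=fail
2013-03-01T10:00:03 203.0.113.7 login.cgi key=dave status=fail
2013-03-01T10:00:04 203.0.113.7 login.cgi key=erin status=fail
2013-03-01T10:00:05 203.0.113.7 login.cgi key=frank status=ok
2013-03-01T10:00:09 198.51.100.4 login.cgi key=alice status=fail
2013-03-01T10:00:40 198.51.100.4 login.cgi key=alice status=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login\.cgi key=(?P<key>\S+) status=(?P<status>\w+)$"
)


def parse(log):
    """Yield (timestamp, source ip, key, status) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["key"], m["status"]


def flag_sources(log, window=timedelta(seconds=60), max_fails=4, min_keys=3):
    """Return {ip: (failed_logins, distinct_keys)} for every source whose
    failed logins inside one sliding window reach max_fails and touch at
    least min_keys distinct keys. A legitimate user mistyping one password
    hits a single key; a credential-cracking run walks many keys fast."""
    fails_by_ip = defaultdict(list)
    for ts, ip, key, status in parse(log):
        if status == "fail":
            fails_by_ip[ip].append((ts, key))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward past stale failures
            in_window = fails[start:end + 1]
            keys = {k for _, k in in_window}
            if len(in_window) >= max_fails and len(keys) >= min_keys:
                flagged[ip] = (len(in_window), len(keys))
    return flagged
```

The thresholds are deliberately low for the eight constructed lines; on real traffic they would be tuned so that a normal player's retries never trip them while a tool cycling through keys does.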
In response to JackMorrison34
If you believe you've stumbled upon a critical bug, then I'd recommend either using the support form to contact the Staff directly, or file a bug report (and ensure that you check the "Could this issue affect security?" box, so that only the Staff can see the report).
It's not a bug; it's a config I coded that seemed WAY too easy for cracking accounts. The login security needs to be updated, is all.
Also, you sound like an idiot. I'm not a hacker. I'm a coder; I code configs and sell them to people who brute-force. I thought it'd be cool to see how easy BYOND's config would be, and it's easy. Also, I could take your account, but I'm not black hat nor ever will be, so lay off, buddy.
In response to LordAndrew
LordAndrew wrote:
If you believe you've stumbled upon a critical bug, then I'd recommend either using the support form to contact the Staff directly, or file a bug report (and ensure that you check the "Could this issue affect security?" box, so that only the Staff can see the report).

Please follow these instructions if you know of any exploits or vulnerabilities. If you can provide a demonstration (with source if applicable), that's much more useful. We can only fix stuff we know about, but we do make these types of issues a top priority and will always fix them in the software regardless of whether we are actively developing new features.

As far as the OP, I think that a visible login to our site (even in a popup window) is probably the best way to go (Lummox has some concerns about popup blockers being an issue, so we'll have to play with this). Long term, we'd like to eventually migrate BYOND logins to OpenID/Google/Facebook/etc. so that the authentication can be done in a more universal fashion.

This topic is about a specific vulnerability that we'll look into. All I am saying is that if you have information on other vulnerabilities, and you want to help shore them up, then make separate posts on them. In this way you can provide information in a private manner and we can have an exchange. I do not believe that the vulnerability Gateway Ra mentioned exists in modern versions of BYOND or Java (we removed Java execution in one of the standalone-ready builds). Nor do I know of other ways to directly execute programs on the user's drive. If you do know of these sorts of things, obviously we want to know about them too.