StarMade 0.09473: Security Fix

    schema

    Hello players,

    I have to release a new version now, as there is a security leak in older versions that can be exploited.

    Security

    Note that passwords were never in danger (as they were never sent to anything besides star-made.org); it was only possible to reset the password on one's account. This has also already been fixed, as you now require your old password to change your current one, and you need an email confirmation to change your email. To reset your password (if you really have forgotten it), you have to be logged out. A "request new password" link will appear under the login block.

    The breach was possible due to session hijacking. Fortunately no damage was done, and it has been fixed 100%.

    Since there is no point in security through obfuscation, this is how it works:

    1. client logs into star-made.org
    2. client creates a code and sets it on his account (only possible when logged in)
    3. client logs into server and supplies the code he set
    4. server can request the current code for a client (but nothing else)
    5. if the code the server requested is the same as the one the client supplied, the client is who he says he is.
    6. after logging in the client resets the code, so it's basically one time use only

    This system will be replaced with a faster token system when the new website is ready.

    Structure Tab

    Please note that this is still work in progress, so it's not complete yet, and there might be bugs.



    Thank you for playing StarMade,

    - schema
     
    I'd like to see those npcs give out randomly generated missions - would be very fun!
     

    therimmer96

    Why can I not download this in the launcher? It says I am running the latest version
     
    Will you still tell us about the new stuff tomorrow? I played the pre-build, but I saw nothing unusual.
     

    therimmer96

    Is this update actually coming out? It has been 2 hours. Please don't tease me on something I really want!
     
    Just tried to run this update, which was released a little over 2 hours ago, and the console for my servers says they are running the latest version already.

    "version 20131111_192915"

    Is this update not actually pushed out to the public yet?
     

    Fum

    I am a little concerned these tokens will be exploited. The Minecraft name stealing hack was done by making a player connect to hacker's server X, which then, as soon as the client authenticated with a unique single-use token, took that token and with this token attempted to login to normal server Y.
    Basically, if a player connects to a malicious server, the server owner can steal and use the token on normal servers pretending to be the player. I do not know how Minecraft solved it, but from your description the same is now possible in Star Made.
     
    If as a server owner I get the code, can I spoof being anyone who connects to my server? You should look into a public/private key setup like BTC has if that is the case
     

     

    schema

    This is not possible on star-made, as the token doesn't get reset by the server, but the client. Even if the server doesn't use the token, the client will invalidate it after he logged in (or failed to log in), making that token useless to use for anyone else.

    But this is only a temporary solution anyway until the new site gives me a lot more options to implement a 100% safe way.
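A small Python model, added here and not code from the post or from StarMade itself, of the six-step exchange schema lays out in the opening post, together with the point from his reply to Fum: the client, not the server, clears the code once its login attempt is over. The class names (AccountSite, GameServer, Client, RecordingServer), the helper functions and the sample account are all assumptions made for this example; the site and servers are in-process objects rather than network calls.

```python
"""Model of the one-time-code login exchange described in the thread.

Three parties: the account site (standing in for star-made.org), the game
client and a game server.  All names here are assumptions for this example.
"""
import hmac
import secrets


class AccountSite:
    """Holds accounts, login sessions and each account's current one-time code."""

    def __init__(self):
        self._accounts = {}   # username -> {"password": str, "code": str | None}
        self._sessions = {}   # session id -> username

    def register(self, username, password):
        self._accounts[username] = {"password": password, "code": None}

    def login(self, username, password):
        """Step 1: the client authenticates to the site and receives a session id."""
        account = self._accounts.get(username)
        if account is None or not hmac.compare_digest(account["password"], password):
            raise PermissionError("bad credentials")
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = username
        return session_id

    def set_code(self, session_id, code):
        """Steps 2 and 6: only a logged-in session may set or clear the code."""
        username = self._sessions.get(session_id)
        if username is None:
            raise PermissionError("not logged in")
        self._accounts[username]["code"] = code

    def get_code(self, username):
        """Step 4: a game server may read the current code, and nothing else."""
        account = self._accounts.get(username)
        return None if account is None else account["code"]


class GameServer:
    """Step 5: compare the code the client supplied with the one on the site."""

    def __init__(self, site):
        self._site = site

    def authenticate(self, username, code):
        expected = self._site.get_code(username)
        if expected is None:
            return False          # no code set: nothing to compare against
        return hmac.compare_digest(expected, code)


class Client:
    def __init__(self, site, username, password):
        self._site = site
        self.username = username
        self._password = password

    def join(self, server):
        """Steps 1-3 and 6: log in, set a fresh code, present it, then reset it."""
        session_id = self._site.login(self.username, self._password)
        code = secrets.token_hex(16)
        self._site.set_code(session_id, code)
        try:
            return server.authenticate(self.username, code)
        finally:
            # Step 6: the client invalidates the code itself, whether or not
            # the server accepted it.
            self._site.set_code(session_id, None)


class RecordingServer(GameServer):
    """Remembers the last code it was handed, so the reset can be verified."""

    def __init__(self, site):
        super().__init__(site)
        self.last_seen = None

    def authenticate(self, username, code):
        self.last_seen = (username, code)
        return super().authenticate(username, code)


def normal_join():
    """Honest run of the exchange: the server accepts the code.  Returns True."""
    site = AccountSite()
    site.register("pilot", "correct horse")   # constructed sample account
    return Client(site, "pilot", "correct horse").join(GameServer(site))


def reuse_after_reset():
    """A code that was presented once is rejected once the client has reset it.

    Returns (first result, second result): expected (True, False).
    """
    site = AccountSite()
    site.register("pilot", "correct horse")   # constructed sample account
    server = RecordingServer(site)
    first = Client(site, "pilot", "correct horse").join(server)
    username, code = server.last_seen
    second = GameServer(site).authenticate(username, code)
    return first, second


if __name__ == "__main__":
    print(normal_join())          # True
    print(reuse_after_reset())    # (True, False)
```

The reuse check passes only because `Client.join` clears the code in a `finally` block, so the reset happens on both a successful and a failed server login, which is the property schema relies on; a client that skipped step 6 would leave the code valid on the site until it was overwritten.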
     

    therimmer96

    I understand it is not done yet, but I must say I was expecting the ability to control more than doors and AI. I was hoping for light groupings mainly that can be turned off. Still brilliant. Just not very user friendly for bigger ships yet.
     

    schema

    There might be an issue with not yet updated servers doing auth before the version check right now, not letting you in. You should be able to join play.star-made.org:4242
     

    therimmer96

    Salvaging just won't work for us anymore. We see the beams, but no salvaging :(
     
    My universe was reset after this update on my single player...
     
    I can't aim turrets when piloting them in this ver. Well, you can 'aim' them (within the direction they're pointing), but they don't move.