Missing IP address information in the MasterServer list allows stealing of admin pw's

Status
Not open for further replies.

u4704

Member
In my opinion, it's a big problem that there is currently no way to determine if a server is the real one or just an impostor by looking at the ingame server list.

The ingame server list should at least contain the IP address of the server; a better and more convenient solution might be generating a hash from the IP and using it to generate an unique image (like an Identicon).


The current way of listing servers ingame allows anyone to host a server with the same name and same options to wait for an admin to try to login (thus showing the admin password to the impostor). If the fake server has a lower ping than the original server, chances are even better to compromise a server just by creating another one with the same name.

I really hope this will be fixed in 2.1, because I want to host 24/7 again and the current situation does not really allow me to give out admin passwords. Also, this is not only a theoretical scenario - it actually happened to me. I hosted a server and someone imposted it; my only luck was that the title contained umlaut characters which the impostor was unable to enter.
 
Best suggestion I can give is make them join via IP. There's nowhere to put an IP, the menu system is very inefficient with space and doesn't allow much information to be displayed at all.
 
The ultimate problem is that we do not have a master server that supports accounts. No matter how you slice it, that's the issue at hand.

The simplest way to do what you're trying to do is to get contact information outside the MS and send passwords that way.

Moved out of bug reports because this is not a bug.
 
Status
Not open for further replies.

Who is viewing this thread (Total: 0, Members: 0, Guests: 0)

Back
Top