Jump to content

Mainlog.html reveals too much sensitive information

Yekaterina

By Yekaterina,
in Bug reports

 Share

Recommended Posts

Yekaterina Primus Pilus

Yekaterina

Posted
  • Author
Posted
1 hour ago, rm -rf said:

Would it implicitly mean that the ip database (as you have build @Helicity) is shared amongst several players? Or is there any other exploit of privacy?

I found that you do not even need to successfully connect to someone in order to gain their IP. You just double click on their room, then mainlog will write "Attempting to connect to <IP>".

Even if they disallow specs or have timeout error or port error, mainlog will still note down the IP that you were trying to reach and then comment after it "attempt failed". If you successfully join, there will be a line saying "successfully connected to <IP>"

That means, as soon as you host a game, anyone can obtain your IP even if you don't see them joining or have banned them.

Link to comment
Share on other sites
  • Replies 54
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

Yekaterina
Yekaterina

Dear Devs: I would like to draw your attention to the contents of the file mainlog.html. It reveals too much personal data of the players, for example their IPs and the entire chat history of the lobb

Obelix
Obelix

fyi #6794

Yekaterina
Yekaterina

Yes, inside the mainlog.html and user.cfg the passwords are displayed as a string of alphanumerical gibberish. I haven't been able to convert this string back to the correct password. I am sugges

Posted Images

Yekaterina Primus Pilus

Yekaterina

Posted
  • Author
Posted
1 hour ago, rm -rf said:

Would it implicitly mean that the ip database (as you have build @Helicity) is shared amongst several players?

As far as I know, my IP database has been permanently deleted before anyone except Norse Harold had been able to gain access to it. I have never shared it with the public. In addition, I am not aware of anyone else who might be keeping such databases.

 

There is one other potential exploit, which is using packet sniffers or tracing software like WireShark. But that is beyond my tech skill level so I can't comment on it.

Link to comment
Share on other sites
Stan` Consul

Stan`

Posted
Posted
33 minutes ago, Helicity said:

I found that you do not even need to successfully connect to someone in order to gain their IP. You just double click on their room, then mainlog will write "Attempting to connect to <IP>".

Doesn't seem to work if the game is password protected.

Link to comment
Share on other sites
Guest

Guest

Posted
Posted
1 hour ago, Helicity said:

There is one other potential exploit, which is using packet sniffers or tracing software like WireShark. But that is beyond my tech skill level so I can't comment on it.

Yes you can still parse the pcap files but the program would be a little bit more complex. As TG host, you would have to find who is who between 7 or more IP sources.

It should be enough to block a 13y old player who loves putting all better players in a wall (@G.O.A.T you get my point right? BYW the list of people you hate is quite long)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...