Invision Community 4: SEO, prepare for v5 and dormant account notifications By Matt Monday at 02:04 PM
NovaRO Posted August 26, 2016 Posted August 26, 2016 So I have something of an issue. I've got a database of players for an online game, where you can use an e-mail multiple times to register. Now say my in-game Administrator account is Administrator125, and I decided to make my forum account Admin. Using the current External Database Login Handler feature, a player could create the Admin account in-game, and log in to my Admin forum account using their game credentials. This is obviously a huge security hole and doesn't just affect forum admins/moderators. Does anyone have any ideas or methods to avoid such a thing from happening? Say, if the username/account already exists in the forum SQL, have it give you a random number to the right of your username, or give you an option to select a new username? Thanks for your replies.
Colonel_mortis Posted August 26, 2016 Posted August 26, 2016 That sounds like a security vulnerability, and you should probably submit a ticket so that the devs can take a look at it.
NovaRO Posted August 27, 2016 Author Posted August 27, 2016 Reply I got. Not really a security issue, I'm just allowing registrations on my other DB.
Rhett Posted August 27, 2016 Posted August 27, 2016 9 hours ago, Colonel_mortis said: That sounds like a security vulnerability, and you should probably submit a ticket so that the devs can take a look at it. If the external database is open and there are no restrictions on what accounts and how many are allowed, and you select to use that database, it's only as good as the data it contains in this case. "Using the current External Database Login Handler feature, a player could create the Admin account in-game" I'm not sure how this could be a security issue on our side if you select to use that data for logins, and anyone can add an admin to it? Sounds like you need a custom SSO setup, so no matter what the account is on your game server, it's always put into the members group. When you use "External Data" for logins, what you have Externally is what you are using, so it would need to be controlled at the source.
NovaRO Posted August 27, 2016 Author Posted August 27, 2016 By "The Admin account" I don't mean an admin-level account, I mean an account with the username Admin. Which is not a security hole, but a name. A harmless one too, unless you happen to have an account named "Admin" on the forums as well. Here, I'll paint a more harmless example. You make your Rhett forum account, and someone decides they don't like you. They make an in-game account with the username Rhett, then log in using the External Database feature, using their in-game credentials, thus hijacking your forum account. But I understand that the External Login feature is pretty lightweight and will just be looking into creating a custom login handler which will check if the username is already taken.
Colonel_mortis Posted August 27, 2016 Posted August 27, 2016 5 hours ago, Rhett said: If the external database is open and there are no restrictions on what accounts and how many are allowed, and you select to use that database, it's only as good as the data it contains in this case. "Using the current External Database Login Handler feature, a player could create the Admin account in-game" I'm not sure how this could be a security issue on our side if you select to use that data for logins, and anyone can add an admin to it? Sounds like you need a custom SSO setup, so no matter what the account is on your game server, it's always put into the members group. When you use "External Data" for logins, what you have Externally is what you are using, so it would need to be controlled at the source. Ipsconnect stores the remote db row id and uses that to authenticate, whereas with the remote db the token used to connect accounts is the username, which is not remotely secure - as described here, if someone has an account on the forum, it can be hijacked by creating an account on the external db with the same username.
TSP Posted August 28, 2016 Posted August 28, 2016 I don't follow. Even if a new user from the app choose the same name as Admin, they still don't have the password, so it shouldn't work either way? Or does IPS Connect work so that it sends a request towards the other site that only contains the username (and that they have been authenticated) after they have been authenticated on the other website and that also logs them into the forum? As I'm writing this I realize that's probably the case. I'm not sure I see how it would be up to IPS to fix this though, as it would be solved through a more detailed SSO-setup. What would the appropiate fix be without making this more complicated than necessary? How about changing the approach of your external website. Use email to log in, and then they can select which of their game account usernames to use in the game after they've logged in (or create new ones)
Recommended Posts
Archived
This topic is now archived and is closed to further replies.