[WIP] Steal My Password

Discussion in 'Work-In-Progress Mods' started by wondible, June 8, 2014.

  1. wondible

    wondible Post Master General

    Messages:
    3,315
    Likes Received:
    2,089
    Saves your password and logs in. User accepts all responsibility for lost or compromised passwords and accounts. There is a button under Settings, Servers to forget the password. I recommend exiting afterwards because there isn't a proper logout, and didn't see any provision for logging off of chat.

    Applies to direct launch (NOT the UberLauncher) via UberNet only (I think). Button to forget password in Settings, Servers. Applies light obfuscation so someone browsing localStorage doesn't go "hey look, a password", but it's open source Javascript, so read the name again if you have any security questions. It's basically like putting your front door key under the doormat - everybody knows where to look.

    - https://github.com/JustinLove/steal_my_password
    Last edited: June 9, 2014
  2. tatsujb

    tatsujb Post Master General

    Messages:
    12,902
    Likes Received:
    5,385
    hey thanks for this. Still no ideas on how to get this working on the Uber Lancher? I delved into it when it first came out but the code is all compiled and there isn't any appdata files for this program that are of any use.
    Last edited: June 9, 2014
  3. wondible

    wondible Post Master General

    Messages:
    3,315
    Likes Received:
    2,089
    Windows may be different; OSX still has a UI directory.

    It doesn't load ui mods, and the binaries do not have the string 'mods' for possible shadows, so you'd have to forcibly replace the files and hope the self-updater didn't overwrite them. I don't think we could do anything better than the inline hacking you were doing before.
  4. exterminans

    exterminans Post Master General

    Messages:
    1,881
    Likes Received:
    986
    Please don't do this.

    Saving passwords locally for a "remain logged in" functionality is a horrible idea, even when encrypted. This feature must be implemented by Uber only, since they are the only ones who can implement this in a safe manner. Only they can provide permanent auth/session keys upon login which are the only safe way to implement this feature.

    Right now you are not only leaving the password almost unprotected lying around, there is also no way to revoke the login without changing the password...

    Doing it for yourself: Sure, if you need it? But you shouldn't promote that type of mod publicly, it's to dangerous.
  5. tatsujb

    tatsujb Post Master General

    Messages:
    12,902
    Likes Received:
    5,385
    read the title. madeline-police.png
  6. exterminans

    exterminans Post Master General

    Messages:
    1,881
    Likes Received:
    986
    I have read the title, but I also know that people tend to shut of their brain as soon as they see keywords like "more comfort" or alike. Heck, they would probably even be willing to store their passwords in plaintext in the command line argument for the launcher if they were told how to. Or their credit card informations if someone promised one-click-shopping in the Uber store.
    PeggleFrank likes this.
  7. cola_colin

    cola_colin Moderator Alumni

    Messages:
    12,074
    Likes Received:
    16,221
    Hmm, the UI layer actually has already access to the session key once you are logged in and there is a way to log in via such a session key by passing it as a command line parameter. Dunno how long they last, but it may be possible to build something that uses such a session key. It may be possible to autologin for a while that way. Could be helpful for stuff like rapid testing that includes restarting PA.

    So i.e. I can open the chrome debugger on the forums, copy my the value of the "auth" cookie and use that to start pa like this:

    pa.exe --ticket <auth session thing>
    and it starts PA and logs in, based on the auth session that was created when I used the forums login... a while ago.
    That auth session btw is not directly the forums login, it seems to be a byproduct of using the ubernet login form for ubernet.com stuff.

    Dunno about all security implications of this though. No idea how one would go about invalidating such a session key in case it has been leaked. It may do so on a change of my IP... will see tomorrow.
    Last edited: June 10, 2014
    tatsujb likes this.
  8. exterminans

    exterminans Post Master General

    Messages:
    1,881
    Likes Received:
    986
    Unfortunately: It does. Even though this would be the right way to do it. Store the session locally (instead of saving the password!) and reuse that. This will allow you to stay logged in, at least as long as your IP doesn't change.

    It would be on Ubers part to allow for persistent sessions. (And a management function which allows to cancel such sessions remotely, even though that's optional for the first pass.)
  9. cola_colin

    cola_colin Moderator Alumni

    Messages:
    12,074
    Likes Received:
    16,221
    Nope the session key stays valid for PA. I made a link that uses the auth session I found in my browser (which wasn't exactly from today, rather from weeks ago) and it worked. Then I got a new IP and it still works.
    The thing that is invalidated on new IPs is the forums specific session, that's a thing since the new forums, I use a static (private) proxy for the forums because of that. But the general ubernet session seems to stay valid even after your IP changes. No idea what invalidates it, but considering that I can't even remember anymore when I must have gotten that auth session it seems to live a pretty long time.
  10. wondible

    wondible Post Master General

    Messages:
    3,315
    Likes Received:
    2,089
    Thanks guys; I started thinking about this as soon as sessions came up but had to go. Reuse between sites is especially interesting.

    Makes me wonder if you could make a browser extension that would start PA from the forums. Would be really handy if it intercepted replay links and added the session token.
    cwarner7264 likes this.
  11. wondible

    wondible Post Master General

    Messages:
    3,315
    Likes Received:
    2,089
    Reloaded context... There is a SessionTicket passed to Jabber, but the call to log in via ticket takes no parameters, so if that's even the same, I don't know to reuse it (short of going outside the game and creating a shell script)

    It's the same for UberLauncher - the only place "--ticket" appears is in the binary.
  12. wondible

    wondible Post Master General

    Messages:
    3,315
    Likes Received:
    2,089
    the "jabberToken" does allow you to login via --ticket, multiple times.

    Does the UI know the path to PA executable? I don't think it knows what stream it's on, since a given build can appear on either.
  13. cola_colin

    cola_colin Moderator Alumni

    Messages:
    12,074
    Likes Received:
    16,221
    The link with my forum session key still works...
    The jabberToken indeed is just the kind of session key I am talking about.
    If you want to get such a session key outside of PA, there is a login webservice you can use:

    curl --data '{TitleId: 4, AuthMethod: "UberCredentials", UberName: "user", Password: "password"}' --header "Content-Type: application/json" https://uberent.com/GC/Authenticate

    returns something like:

    {"SessionTicket":"<session>","UberName":"cclausen","UberId":15535003602013880865,"DisplayName":"?","UberIdString":"15535003602013880865"}

    That's what PA does internally as well as what the UberLauncher does.

    I just wonder if there is a way to actually break such a session.

    EDIT:
    Weird, I setup a link for both of my testing accounts and suddenly with one of them I could start PA, it would seem to log me in, but it kept failing to create a game. Only with a new session that works again. Though if I pass in a completely random value as session ticket the login in the mainmenu already fails. So the session was supposed to be valid.

    EDIT 2:
    Another quite interesting effect of logging in via the --ticket is that it suddenly sets my old displayname, the one before the displayname became changeable ingame.
    Weird, so I basically get different displayed usernames if I log in via the uber launcher
    Last edited: June 10, 2014
    wondible and tatsujb like this.
  14. wondible

    wondible Post Master General

    Messages:
    3,315
    Likes Received:
    2,089
    That could probably be filed as a bug.
  15. tatsujb

    tatsujb Post Master General

    Messages:
    12,902
    Likes Received:
    5,385
  16. wondible

    wondible Post Master General

    Messages:
    3,315
    Likes Received:
    2,089
  17. thetrophysystem

    thetrophysystem Post Master General

    Messages:
    7,050
    Likes Received:
    2,874
    I totally would...

    ...and while you are begging me not to, I will and pardon my french, simply respond with "**** the police". I will then proceed to walk down the hall, tilting every painting as I walk past it.

    Seriously though, for someone to steal my password, they would either have to have forced entry onto my network and allowance to the file (they don't have one of those), or allowed access to my physical computer.

    Now, everyone's computer and/or network is different. However, I have faith in mine. I suggest nobody else have as much faith, as they are probably completely computer illiterate, while I am the self proclaimed godmaster.
  18. tatsujb

    tatsujb Post Master General

    Messages:
    12,902
    Likes Received:
    5,385
    I'm having issues using this, could you please give me a quick run down. it's activated in Pamm already, do i have to manually edit the files?
  19. DeathByDenim

    DeathByDenim Post Master General

    Messages:
    4,327
    Likes Received:
    2,125
    Judging from the source, it saves the password the very first time you log in using PA itself. Subsequent starts of PA will then autologin.
  20. tatsujb

    tatsujb Post Master General

    Messages:
    12,902
    Likes Received:
    5,385
    didn't work :(

Share This Page