Posted December 17, 2016

Well, after hearing of a 2nd WU Player authentication breach, I think it's time someone made a Player Authenticator that makes it so when you join the server that has this mod on it, you can set a password for the character and if it's typed incorrectly, it kicks you. If typed correctly, it lets you see your inventory, move, interact, talk on the server, etc. Perhaps use the method of not rendering the world/interacting with first joining a server/character creation? I dunno, just spitting ideas here.

Posted December 17, 2016 (edited)

I have written a potential fix for it. I'm not 100% certain it will work, but at least it's a start.

Sindusk Server Tweaks

Graham and Jonneh from the original Wyvern server wrote this fix and applied it a year ago. I believe they reported the issue but it was never resolved. This is an attempt to replicate their SecureAuthentication method in ago's modloader.

Edited December 17, 2016 by Sindusk

Posted December 18, 2016

3 hours ago, Sindusk said:

> I have written a potential fix for it. I'm not 100% certain it will work, but at least it's a start.
>
> Sindusk Server Tweaks
>
> Graham and Jonneh from the original Wyvern server wrote this fix and applied it a year ago. I believe they reported the issue but it was never resolved. This is an attempt to replicate their SecureAuthentication method in ago's modloader.

While that is most appreciated, Sindusk, I think it would be best for a password feature to be introduced, so even if someone for some reason somehow got into the server with your character, they still would need to know the password set for that server character in order to do anything whatsoever.

Posted December 20, 2016

What exactly is the case with the current "new exploit"? As far as I can see it was a physical system breach. Or I am missing something.

The current system can use some tweaking (detecting IP changes, etc.), but it's not a bad way to do it. Tying it to Steam is not too bad. Besides, we are still just using hashed steamids in a sqlite db, over mostly non-SSL transports, so there could be bigger fish to fry if you're serious about it.