Bug/Security issue: brute force login attack with OpenBullet, desktop version

sergei45
Posts: 22
Joined: Sat Oct 29, 2022 4:28 pm


Post by sergei45 » Thu Dec 01, 2022 6:51 am

OV Account name (the one you were playing when you encountered the bug): no account used

Time of bug (if possible, use /time in game and report the server time when you noticed the bug; otherwise "same time as post" or similar is still very helpful): n/a

Where (where is the bug): login system of the desktop version of the game
What (what happened): brute force / credential theft or cracking can be done using open-source or commercially sold credential stuffing software like OpenBullet or its forks.
Why (why do you think this is a bug): an attacker only needs to scrape usernames from the forum or the Discord server, since most forum names are the same as the in-game name, or simply scrape users from Discord. The threat actor then combines them with a password dictionary to create a combolist to load into the tool. The threat actor then needs to create a config; since the game's source code is not encrypted (the server IP too), the threat actor can easily figure out how to create a config in order to launch the attack.
Other comments (add any other information you think is relevant): since the desktop version is still in development, it is understandable that many things still need to be done. Using Java as the language is not the main issue; rather, it is how to make sure the critical parts of the source code are not easy for an adversary to analyse. Adding a simple captcha system on the login menu can help prevent future attacks. The possibility of an attack is low but not zero.
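The mitigation the post asks for (a captcha step-up on the login menu) and the detection of the pattern it describes (one source trying many scraped usernames with a small password list) can both be done server-side without touching the client. The following is an added illustration, not code from the game or this forum; it is written in Python for brevity rather than the game's Java, and the thresholds, the `LoginGuard` class, the `replay` helper and the log-line format are all assumptions. Per-account counters alone do not catch credential stuffing, because each account sees only one or two attempts, so the guard also counts distinct usernames per source address.

```python
import re
from collections import defaultdict, deque

# Assumed policy values (hypothetical, not from the forum post); tune per deployment.
WINDOW_SECONDS = 300             # sliding window over which failures are counted
MAX_FAILS_PER_ACCOUNT = 5        # per-username failures before requiring a captcha
MAX_FAILS_PER_IP = 20            # per-source-IP failures before blocking the source
MAX_DISTINCT_USERS_PER_IP = 10   # one IP trying many usernames is the stuffing signature

# Constructed log-line format: "<unix_ts> LOGIN_OK|LOGIN_FAIL user=<name> ip=<addr>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


class LoginGuard:
    """Tracks failed logins per account and per source IP in a sliding time window."""

    def __init__(self):
        self.fails_by_user = defaultdict(deque)   # username -> timestamps of failures
        self.fails_by_ip = defaultdict(deque)     # ip -> timestamps of failures
        self.users_by_ip = defaultdict(dict)      # ip -> {username: last_seen_ts}

    @staticmethod
    def _prune(dq, now):
        # Drop failures that fell out of the window.
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()

    def decide(self, user, ip, now):
        """Decision taken *before* the password is verified: 'allow', 'captcha' or 'block'."""
        self._prune(self.fails_by_user[user], now)
        self._prune(self.fails_by_ip[ip], now)
        seen = self.users_by_ip[ip]
        for stale in [u for u, t in seen.items() if now - t > WINDOW_SECONDS]:
            del seen[stale]
        # Source-level signals first: a flood of failures or a spread over many accounts.
        if len(self.fails_by_ip[ip]) >= MAX_FAILS_PER_IP or len(seen) >= MAX_DISTINCT_USERS_PER_IP:
            return "block"
        # Account-level signal: repeated failures on one name get a captcha, not a lockout,
        # so an attacker cannot lock legitimate players out on purpose.
        if len(self.fails_by_user[user]) >= MAX_FAILS_PER_ACCOUNT:
            return "captcha"
        return "allow"

    def record(self, user, ip, now, success):
        """Update counters with the outcome of an attempt."""
        self.users_by_ip[ip][user] = now
        if success:
            self.fails_by_user[user].clear()   # a real login resets that account's counter
        else:
            self.fails_by_user[user].append(now)
            self.fails_by_ip[ip].append(now)

    def suspicious_ips(self):
        """IPs that touched at least MAX_DISTINCT_USERS_PER_IP accounts (after-the-fact view)."""
        return sorted(ip for ip, seen in self.users_by_ip.items()
                      if len(seen) >= MAX_DISTINCT_USERS_PER_IP)


def replay(lines):
    """Feed log lines through the guard in order; return the per-attempt decisions and the guard."""
    guard = LoginGuard()
    decisions = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # ignore unrelated log lines
        ts, user, ip = int(m["ts"]), m["user"], m["ip"]
        decisions.append(guard.decide(user, ip, ts))
        guard.record(user, ip, ts, success=(m["result"] == "LOGIN_OK"))
    return decisions, guard


# Constructed sample (documentation address ranges, not real hosts):
#  - one source walking 12 scraped usernames with a single guess each (stuffing pattern),
#  - six guesses against one account from rotating addresses (single-account brute force),
#  - a legitimate player who mistypes once and then logs in.
STUFFING_IP = "198.51.100.7"
SAMPLE_LOG = (
    [f"{1000 + i} LOGIN_FAIL user=player{i} ip={STUFFING_IP}" for i in range(12)]
    + [f"{1200 + i} LOGIN_FAIL user=bob ip=192.0.2.{i + 1}" for i in range(6)]
    + ["1300 LOGIN_FAIL user=alice ip=203.0.113.9",
       "1305 LOGIN_OK user=alice ip=203.0.113.9"]
)

if __name__ == "__main__":
    decisions, guard = replay(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG, decisions):
        print(f"{decision:8} {line}")
    print("suspicious sources:", guard.suspicious_ips())
```

Running the sample, the stuffing source is blocked from its eleventh username onward even though no single account ever passed the per-account threshold, the sixth guess at `bob` gets a captcha regardless of which address it came from, and `alice` is never hindered because her one failure is cleared by the successful login. The same counters, keyed on username and source address, are what a login service should export to monitoring so that a burst of distinct usernames from one source is visible as an alert rather than only as a block.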
