ryzomcore icon indicating copy to clipboard operation
ryzomcore copied to clipboard
verified publisher icon ryzom

Protect IOS from data leakage

Open kaetemi opened this issue 5 years ago • 2 comments

The IOS stores static strings in a cache, the client can request these by numeric value. The numeric values are sequential, which is handy for fast lookups on the server.

However, it's possible to abuse this mechanism to download all serverside static strings. This leaks private guild MOTD, and may spoil leveldesign texts.

Two proposed solutions:

  • Use a hashed transformation on the ID. Less predictable, but can still be figured out after enough data points.
  • Randomly skip identifiers, and instantly permaban any account that attempts to request invalid identifiers. This effectively blocks attempts at brute forcing all the identifiers. It does cause a larger identifier space to be used. Easy to implement.

kaetemi avatar Apr 11 '20 02:04 kaetemi

Randomly skip identifiers, and instantly permaban any account that attempts to request invalid identifiers.

Bug in client could lead to request and mass ban of innocent players.

mlcdev avatar Apr 16 '20 10:04 mlcdev

Hahaha. "bug" ;)

kaetemi avatar Apr 16 '20 11:04 kaetemi