IMPORTANT: Found a serious vulnerability in the FTB launcher.

Status
Not open for further replies.

Juanitierno

Jul 29, 2019
Hello!

I've found what I consider to be a big vulnerability in the FTB launcher; I would like to report it in a safe manner.

How would I go about doing so without actually letting people know of the problem?

I think the problem needs urgent solution.

Thanks for any advice!
 

Edoc

Jul 29, 2019
Let me guess, minecraft.net is down so you can see your password in the console?
 

Juanitierno

Jul 29, 2019
It wouldn't be a problem if I could see my own password...

Edit: Actually, it would be, but a very minor one. It's not what I've found, unfortunately.
 

Petra_Soft

Jul 29, 2019
Security through obscurity is not security. If there is a problem with FTB, it is best policy to spill it out in public. Hiding it only makes the people who do not know of it vulnerable to the problem. If I knew there was a chance that your car can be started without a key, it is better that you know about it as the owner than only the criminals know about it. So do us all a favor, warn us about what you have found and we can all judge the risk ourselves.
 

JezuitX

Jul 29, 2019
Well, this has me vaguely worried. Seriously, man, you should spill out the nature of the threat here so at the least people know what to avoid doing until someone that's developing the launcher comes in and addresses the issue.
 

whythisname

Jul 29, 2019
I agree; if I should stop playing FTB because I risk losing my Minecraft account (or worse), I'd really like to know.
 

Poppycocks

Jul 29, 2019
Yeah, that's the spirit, let everyone who read this thread know, so that they can stop using the launcher, and so that someone might use this knowledge on the rest of the people who didn't.

Yup, that's how it's done.
 

EpicEraser

Jul 29, 2019
You made me quite curious. I doubt anything really bad is possible, due to the nature of FTB.

Possible problems I see:
- MC Account disclosure - Logging in is done over https, so I suppose this is not the case.
- Code execution - I hope the downloaded packages are at least hash checked, but exploiting this would probably require a MITM attack, so I'm not sure whether this is extremely serious. You're downloading and executing the closed-source launcher and mod code anyway.

Now I would like to know the problem you encountered.
 

whythisname

Jul 29, 2019
Yeah, that's the spirit, let everyone who read this thread know, so that they can stop using the launcher, and so that someone might use this knowledge on the rest of the people who didn't.

Yup, that's how it's done.

Well the OP isn't the only one on this planet smart enough to find this vulnerability (no offense towards the OP), so sooner or later someone with bad intentions will find out as well (especially since that someone now knows there is a weakness...). The least the OP could do is tell us in what situations we need to be careful, like is it an SMP only issue? Or is SSP vulnerable as well? He doesn't have to explain exactly what the problem is (I'm no programmer so I doubt I'd really understand anything beyond layman's terms), but giving people information on how to avoid being targeted is something he can do.
 

Edoc

Jul 29, 2019
It's not something he/she can do, but something they must do. If you don't give any info and the problem is really serious, you are leaving people at risk, and obviously making them panic. Like someone already said, secrecy does not mean security.
 

jjw123

Jul 29, 2019
We are not aware of any vulnerabilities that we haven't already fixed. I can't help but think that the OP is a troll, but if there really is an issue, he can PM me.


EDIT: I'm moving this to the Launcher Feedback section
 

Juanitierno

Jul 29, 2019
Heya!

I'm not a troll; the issue has been fixed in the latest FTB update (jjw123 confirmed it via private conversation).

Sorry for causing worry, but besides slowpoke I did not know who was working on the pack to properly report the issue in a safe manner.
 

ScottWears

Jul 29, 2019
Heya!

I'm not a troll; the issue has been fixed in the latest FTB update (jjw123 confirmed it via private conversation).

Sorry for causing worry, but besides slowpoke I did not know who was working on the pack to properly report the issue in a safe manner.

In the future, feel free to PM any of the forum staff with any issues; we will always make sure it is passed on to the right member of the team.

FYI
As the site grows we have decided to add several new people to the FTB Web Team. The following people have joined the team as Global Moderators. These 4 are responsible for running the moderator team and work closely with both myself and the other FTB members.

Global Moderators

Alexandria
Florastar
Jadedcat
Morvelaira

To assist in the moderation, we have introduced a number of Sectional Moderators who will be the first point of contact for most issues.

Sectional Moderators

There will be more moderators added over time.

p.s. Anyone who asks to be a moderator will automatically be excluded from being invited to become one.

Trusted Member

These will be people who have been active and shown they are knowledgeable about the mods and other forum topics. They have no moderation privileges or responsibilities. They are just people the staff have found to be trustworthy.

As with moderators, asking for this rank will ensure you do not receive it.

Petra_Soft

Jul 29, 2019
Heya!

I'm not a troll; the issue has been fixed in the latest FTB update (jjw123 confirmed it via private conversation).

Sorry for causing worry, but besides slowpoke I did not know who was working on the pack to properly report the issue in a safe manner.

Since it was fixed, what was it? A non-answer here states it was the password bug. But withholding security information from the user is just flat out dangerous, because the exploit will pass between those that would exploit it very quickly. But if it was not the password bug, I would like to know what it was. One unlocked door shows there could be another unlocked door.

Security only works with knowing your vulnerabilities.
 

Juanitierno

Jul 29, 2019
It was the "pasted to pastebin" part of the password bug (which is much worse than you being able to see your own password in the console).

I was not able to describe the bug any further because anyone with a little bit of knowledge could easily find all those accounts' credentials if I did.

I was hoping to get in contact with someone from the launcher (which I did) and that they would fix it quickly (like they did) before many other people found out about the pastebin part of it.

If I had described the bug and how to exploit it, 50 people would have gotten access to those accounts before any of the FTB team had a chance to see my post.

Sorry for causing unnecessary panic; I couldn't think of a faster way to get in touch with the FTB people.
 

Petra_Soft

Jul 29, 2019
If I had described the bug and how to exploit it, 50 people would have gotten access to those accounts before any of the FTB team had a chance to see my post.

Sorry for causing unnecessary panic; I couldn't think of a faster way to get in touch with the FTB people.

That was pretty much known from the start. It was pretty clear that anyone that pasted anything in the log file would expose their password. I will make a mental note: if your house is on fire, I will call the fire department and wait until they arrive before seeing if you are sleeping at home, because I would not want to have 50 people know you were not home.

Anyone that knows anything about computers knew about the log issue. They also knew it could be exposed by pastebin. But you decided that people who did not know about pastebin or the log issue would be exploited. Anyone that really wanted to do harm already figured it out. People that were completely innocent of computers were exposed so you could keep a secret that was not really a secret except to those that were going to get exploited anyway.

Security through obscurity is not security. Me not waking you to tell you your house is on fire is not going to save your life. If I do not wake you because it may inform someone that you are not home, I just endangered your life over a security issue. You see the problem?

You know why open source is so much more secure than closed-source software? Everyone knows where the security risks are in open source, and they fix, warn, and do not use the feature until it is secure. Closed source is way more at risk, because only the bad guys know where the security issues are.
 

Juanitierno

Jul 29, 2019
I'm sorry, but you are assuming everyone who knows about computers is evil, and anyone who does not is good-willed ("People that were completely innocent of computers were exposed so you could keep a secret that was not really a secret except to those that were going to get exploited anyway").

I think there's an equal chance of anyone (computer savvy or not) being "evil", so in this case I felt it was better if as few people as possible knew of the issue till it could be solved.

In my eyes it was not security through obscurity (not posting would have been that)... if anything, I think it was a race against time to let the developers know before everyone else found out, so appropriate measures could be taken to mitigate the issue.
 