CORDIAL MINUET ENSEMBLE



#1 Re: Main Forum » Saving account key on a per server (reflector URL) basis. » 2014-12-10 00:25:51

There is slightly more non-PHP work going on here, but I figured most of it out. Mainly doing it so it would be possible to play friendly games over LAN for those dark winter nights.

jasonrohrer wrote:

Well, you have to muck around in the settings folder to switch servers (by changing the reflector), so I figure that anyone doing that will clear their account details, too.

You might clear the account details, but would John Doe do this if he is just told to switch the reflector URL? It sounds like the easiest piece of social engineering in the world:

Fictional Attacker wrote:

Play Cordial Minuet right now and get 5 USD free! Open reflectorURL.ini and change the .com to .tk. Time to multiply free money!

To me it just seems like a lot of pain could be prevented if the game client didn’t send out the account key without a second thought.

#2 Main Forum » Saving account key on a per server (reflector URL) basis. » 2014-12-08 17:34:43

martijnvdven
Replies: 3

I was toying with a private server implementation today and was surprised to see the game client tries to login with my (secret) account key no matter the server it is talking to. Wouldn’t this make for a possible attack vector?

While it would take a while to crack the HMAC (even though we know the key is 20 base-32 ASCII characters) couldn’t the private server start working as a proxy? It could be feeding the client a dummy play while using the HMACs sent by the client to start talking to the actual server. I haven’t tried to implement this yet, I simply do not have the time, but it feels possible.

It seems a good idea for the application to store account settings (email, accountKey, possibly serverPublicKey) on a per server (reflectorURL) basis to protect people from leaking data when switching game servers.
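A per-server credential store along the lines proposed above, written here as an added example (not the game's own code): the reflectorURL, email, accountKey and serverPublicKey names come from the post, while binding by URL origin and HMAC-SHA256 for the login challenge are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Account keys are 20 base-32 ASCII characters (RFC 4648 alphabet).
B32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
KEY_LEN = 20


def reflector_origin(reflector_url: str) -> str:
    """Normalise a reflector URL to scheme://host:port (assumed binding rule).

    Path differences (reflector.php vs. another script on the same host) map to
    the same server; a different host, port or scheme is a different server.
    """
    parts = urlsplit(reflector_url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("reflectorURL must be an absolute http(s) URL")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def new_account_key() -> str:
    """Fresh key for a server the client has never talked to (constructed)."""
    return "".join(secrets.choice(B32_ALPHABET) for _ in range(KEY_LEN))


class AccountStore:
    """Credentials keyed by reflector origin instead of one global accountKey."""

    def __init__(self):
        self._accounts = {}  # origin -> {"email", "accountKey", "serverPublicKey"}

    def register(self, reflector_url, email, account_key, server_public_key=None):
        if len(account_key) != KEY_LEN or any(c not in B32_ALPHABET for c in account_key):
            raise ValueError("accountKey must be 20 base-32 characters")
        self._accounts[reflector_origin(reflector_url)] = {
            "email": email, "accountKey": account_key,
            "serverPublicKey": server_public_key,
        }

    def credentials_for(self, reflector_url):
        """Only the key issued for this origin is returned; None for any other."""
        return self._accounts.get(reflector_origin(reflector_url))

    def login_hmac(self, reflector_url, challenge: bytes):
        """HMAC over a login challenge, or None when no account exists for that
        server, so the client creates a new account rather than reusing a key.
        HMAC-SHA256 is an assumption; the game's real MAC is not on the page."""
        cred = self.credentials_for(reflector_url)
        if cred is None:
            return None
        return hmac.new(cred["accountKey"].encode(), challenge, "sha256").hexdigest()
```

With this layout, editing reflectorURL.ini from `.com` to `.tk` simply yields a server with no stored key, so nothing issued by the original server is ever sent to the new one.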
