Hacker trick to take a player's place in a game

[Beherith]

Old proof: http://replays.adune.nl/?1370
Cefte got hacked, by [Clans] dude, who are pyb smurfs.
Also, note the multiple transhacks.

[Evil4Zerggin]

btw: should admin edit these posts.. if security is that lacking then perhaps obscurity is a good idea

I think it's a bit late for obscurity >_>

[Neddie]

I mentioned this to other members of the moderation team when we were dealing with some people a while back, but I didn't know the means and I don't think the discussion went anywhere - I am loathe to discuss things I don't know because I hate being wrong.

[ZellSF]

[ 0] Player ZellSF is already ingame
[ 0] Player ZellSF_ not found in script, rejecting connection attempt

I was a spectator, why would they try and fail miserably at taking my spot

[KaiserJ]

is there any way the IP addresses of the people doing this can be collected and banned? its a pain in the ass

[Neddie]

You report 'em, I'll punk 'em.

[KaiserJ]

how would i go about finding out who it was? i dont even think the person was in the battleroom (i was playing with Zell a little earlier)

[Neddie]

The autohost should know, or anybody with a replay.

[SirMaverick]

The autohost should know, or anybody with a replay.

You can't because spring does not provide ips ingame (and there is no other information who tried to connect) and you don't need to be joined to the game in the lobby to do this.
You only need to be in the lobby to see, when the game starts. So anybody in the lobby could have done that.

[ 0] Player ZellSF is already ingame
[ 0] Player ZellSF_ not found in script, rejecting connection attempt

I was a spectator, why would they try and fail miserably at taking my spot

Without joining a game, you can't say who is player and who is spectator.
Maybe he didn't join the game and had to randomly try a name. He picked the wrong one.

[momfreeek]

The autohost should know, or anybody with a replay.

You can't because spring does not provide ips ingame (and there is no other information who tried to connect) and you don't need to be joined to the game in the lobby to do this.
You only need to be in the lobby to see, when the game starts. So anybody in the lobby could have done that.

do you even need to know when the game starts? if you expect it to start soon, you can be trying to connect already

[eyu100]

This can be exploited without having a computer connected to the server, so bans can't solve the problem completely.

1) connect to the server from one computer
2) use another computer to do the hack, taking the info from the computer that is connected to the server but otherwise not doing anything

(I'm not sure if you can get the info without joining a game, but if you know the IP of a popular autohost you can !status it and try to connect when the game is about to start. If you can get the info without doing anything unusual and you use unrelated IP's to perform the hack, it is very hard to prevent a person from doing the hack, especially if you can't find their IP ingame.)

[Wombat]

on adune is replay when cefte hacks me in game ^^

easy to see that his cursor is not moving when second com is moving... in the end, cefte's com was idling like most of the game.

(while writing this cefte fucked another game, gg)

http://replays.adune.nl/?1485

oh and according to pyb, have seen niobium doing this either

[Caydr]

If developers are willing to try to fix this, which can be hacked around just as easily as fixes to LUA cheats, why aren't they willing to fix the much more prevalent problem. Yes, how'd you guess: LUA cheats.

[SinbadEV]

If developers are willing to try to fix this, which can be hacked around just as easily as fixes to LUA cheats, why aren't they willing to fix the much more prevalent problem. Yes, how'd you guess: LUA cheats.

LUA cheats are not cheats any more then cybernetic implants and performance enhancing drugs are cheats.

[lurker]

1. You can't hack around sending the host and client a password.
2. Fixing certain flaws in lua's restrictions is very difficult.

[momfreeek]

If developers are willing to try to fix this, which can be hacked around just as easily as fixes to LUA cheats, why aren't they willing to fix the much more prevalent problem. Yes, how'd you guess: LUA cheats.

its quite trivial to fix this in a way thats not at all easy to circumvent:
lobby hands each client a unique id on game start.. host requires this unique id to connect.
you'd need to do man-in-the-middle packet sniffing to get around that... simple changes to your executable would not help.

[TradeMark]

is this the same bug?

http://replays.adune.nl/?1568

[eyu100]

is this the same bug?

http://replays.adune.nl/?1568

What version of Spring are you using? I know that in 0.79.1.0 a spectator can resign player 0 or give all his units away (it's a bug).

[SirMaverick]

is this the same bug?

Don't cross post. This thread is about the same bug as the other thread. And still not your bug.

What version of Spring are you using? I know that in 0.79.1.0 a spectator can resign player 0 or give all his units away (it's a bug).

The suspected cheater was running 0.79.1.0 and the attacked player was team 0.

[eyu100]

The suspected cheater was running 0.79.1.0

?!?!?!

It's the version the host is using that matters.