
Third party authentication security


Shadow


Hello explorers,

 

I see more and more communities and organizations setting up authentication based on Dual Universe account in order to identify players on Discords, websites or other places outside the game.
However, it's not a simple process and there are lots of potential security breaches (I've seen and reported a few).

 

Thus, I decided to write this post where I describe good security practices and point out some common attack scenarios.
While this post is mostly directed towards developers and webmasters, I think it's also a good and interesting read for all players.

 

How authentication works

 

Currently, Novaquark doesn't provide any way for third party applications to identify a player (they have other priorities like creating the game for now).
So, how do we do it, then?
Usually, we rely on authenticating a player on the third party application via standard login/password authentication and then give the player a random token he/she must show on his/her profile.

 

In other words, the authentication process works using the following steps:

  1. The player creates an account on the third party application.
  2. The third party application generates and gives a token to the player (ex: "my-app-auth:396943934983749839").
  3. The player logs into his Dual Universe account and updates his profile, appending the token.
  4. The player tells the application that the token is uploaded on his profile (specifying his/her profile name or URL).
  5. The application browses the profile, reads the player name and public information (organizations, titles, etc.). It also double-checks that the token is present and correct.

The application then "links" the local account to the player profile and may authorise access to restricted content.

 

When security fails

 

This list is not exhaustive, but contains most problems I've seen or can think about.

For easier reading, I put in red the attack scenario and in green the good practices you should use/see.

 

1) Token randomness
A secret must be random! Else, someone could just predict or guess the token and use it on his/her own profile.
Standard random() functions provided by languages are actually not random and may present collisions: you can predict their output (see https://medium.com/@betable/tifu-by-using-math-random-f1c308c4fd9d if you don't trust me).
Thus, it is important to use strong random generators like:

  • java.security.secureRandom() for Java
  • random_bytes() or openssl_random_pseudo_bytes() in PHP
  • crypto.randomBytes() for NodeJS
  • secrets.token_bytes() (or secrets.token_hex()) in Python
  • Etc.

 

2) Your token is actually public!

Yes, the token is public: you put it on your public profile as the application needs to read it.
A hacker could read it when you update your profile and authenticate in your place before you get the time to do it yourself. If you think that it is too hard to watch all forum accounts for a newly posted secret and authenticate before the player, note that there is an RSS feed which gives all profile changes in real time.
How to prevent the attack? Make sure to bind the token to the third party account. This way, if someone else tries to authenticate with the token, the local account won't match.
As a good practice, also send the token in private and not in a public channel.

 

3) Weak or lack of verification
Some applications may forget to actually verify the token (don't laugh, a bug is always possible).

So make sure to test it after each code update.

Another important point: the forums user feed also contains data from the posts liked or messages posted. If the verification function just looks for the token anywhere in the page, a hacker could create a post with his token in the title and this secret will appear in the feed of whoever likes or answers it.
So make sure to only check in profile updates.

 

4) Validating the wrong profile

If the player enters the URL of his profile (on the forum, this is nearly mandatory as there is no easy way to know the profile URL based only on the player name), it is possible to host a webpage on another website with a copy of your profile with modified information about your pledge, title or organizations.
Thus, it is important to double-check when validating the token and gathering player information that the URL domain is actually correct!
Hint: it should be something like *.dualthegame.com (make sure to test against URLs like "*.dualthegame.com.hacker.com" or "hacker.com/*.dualthegame.com").

 

5) Luring someone else to edit his/her own profile
This one is a bit tricky. Let me break it down into a detailed scenario:

  • I start authenticating on Achilles' Discord which requests me to put the "123456" token in my forums profile.
  • I don't do it right now and instead setup my own application with authentication.
  • I share my application with Hector who tries to authenticate there. He is requested to put the same "123456" token on his profile.
  • Hector puts the token on his profile (and finishes authentication on my application, for that matter).
  • I finalize authentication on Achilles' Discord indicating that I'm "Hector".

And now, Achilles' Discord thinks that I'm Hector. Tricky.

A quick and easy recommendation is to generate a token which is clearly related to your application.
So, for example, Achilles' Discord could have generated a token like `Code for authenticating with Achilles' Discord (don't use this code if it was not given to you by the "Achilles' Bot"): 123456`.
As Hector is a smart guy, he would probably not put this token for authenticating with an application which is not named "Achilles' Discord".
It is not perfect as a player who is not paying attention can blindly copy/paste the code.

 

6) Quits and bans
Last but not least: players may quit an organization, be kicked from ATV or lose their backer title for whatever reasons.
Thus, if a third party application records groups and roles only once during authentication, the player rights may become outdated in the future.

It is important to regularly check the player organisations, titles and rights and update them accordingly (ideally before any request, but realistically a check every hour or day is ok-ish).

 

 

I hope this post will help. Feel free to ask questions or repost it anywhere.

 

Regards,

Shadow

Link to comment
Share on other sites
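The five-step flow and the checks from points 1 to 5 of the post, put together in one place. This is an added example and not code from the post or from any of the bots discussed in the thread; the application name, the profile URLs and the profile contents are constructed sample data, and the HTTP fetch of the forum profile is replaced by an in-memory lookup so it runs offline.

```python
"""Profile-token linking with the checks from the post (added example).

Constructed data: APP_NAME, every URL and every profile below are made up.
"""
import secrets
from typing import Optional
from urllib.parse import urlsplit

APP_NAME = "Achilles' Discord"      # assumed name of the third party application
ALLOWED_DOMAIN = "dualthegame.com"  # domain the post says profiles live on

# Local account -> token issued to it. Binding the token to the local account is
# what defeats "someone else uses my public token before I do" (point 2).
PENDING_TOKENS: dict = {}
LINKED_PROFILES: dict = {}

# Constructed sample "profiles", keyed by URL, standing in for an HTTP fetch.
# "about" is the editable profile text; "feed" is post/like activity, which must
# NOT be searched for the token (point 3).
SAMPLE_PROFILES: dict = {}


def issue_token(local_account: str) -> str:
    """Point 1 + point 5: a CSPRNG token (secrets module), prefixed so the player
    sees which application it belongs to; a bare number could be replayed by
    another application asking the player to post it."""
    token = (f"{APP_NAME} auth code, use it only if {APP_NAME} gave it to you: "
             f"{secrets.token_hex(16)}")
    PENDING_TOKENS[local_account] = token
    return token


def profile_host_is_valid(url: str) -> bool:
    """Point 4: accept only https URLs whose parsed host is the forum domain or a
    subdomain of it. Checking the parsed hostname rather than a substring of the
    URL rejects both 'x.dualthegame.com.hacker.example' and
    'hacker.example/x.dualthegame.com'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return False
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


def fetch_profile(url: str) -> dict:
    """Stand-in for fetching and parsing the profile page (constructed data)."""
    return SAMPLE_PROFILES.get(url, {"name": None, "about": "", "feed": ""})


def verify_link(local_account: str, profile_url: str) -> Optional[str]:
    """Steps 4-5 of the flow: returns the linked profile name, or None on failure."""
    expected = PENDING_TOKENS.get(local_account)
    if expected is None or not profile_host_is_valid(profile_url):
        return None
    profile = fetch_profile(profile_url)
    # Look only in the profile's own editable text, never in post/like activity.
    if expected not in profile.get("about", ""):
        return None
    PENDING_TOKENS.pop(local_account)  # single use: a later replay is refused
    LINKED_PROFILES[local_account] = profile["name"]
    return profile["name"]


def run_scenario() -> dict:
    """Walks the attacks from the post through the checks above."""
    hector_url = "https://board.dualthegame.com/profile/1-hector/"  # constructed
    token = issue_token("hector_discord")
    SAMPLE_PROFILES[hector_url] = {"name": "Hector", "about": "Hi! " + token, "feed": ""}

    # Point 2: an attacker with their own local account reads Hector's public
    # token from the feed and submits Hector's profile. Their pending token is
    # a different one, so the profile does not match their account.
    issue_token("paris_discord")
    stolen = verify_link("paris_discord", hector_url)

    # Point 4: look-alike hosts serving a copy of the profile are rejected.
    lookalike1 = "https://board.dualthegame.com.hacker.example/profile/1-hector/"
    lookalike2 = "https://hacker.example/board.dualthegame.com/profile/1-hector/"
    SAMPLE_PROFILES[lookalike1] = SAMPLE_PROFILES[lookalike2] = SAMPLE_PROFILES[hector_url]
    spoofed = [verify_link("hector_discord", u) for u in (lookalike1, lookalike2)]

    # Point 3: the token appearing only in liked/posted content must not count.
    achilles_url = "https://board.dualthegame.com/profile/2-achilles/"
    SAMPLE_PROFILES[achilles_url] = {"name": "Achilles", "about": "", "feed": "liked: " + token}
    feed_only = verify_link("hector_discord", achilles_url)

    # The legitimate link succeeds exactly once.
    linked = verify_link("hector_discord", hector_url)
    replay = verify_link("hector_discord", hector_url)
    return {"stolen": stolen, "spoofed": spoofed, "feed_only": feed_only,
            "linked": linked, "replay": replay}


if __name__ == "__main__":
    print(run_scenario())
```

The point 6 check (periodically re-reading organisations and titles) is not shown; it is the same `fetch_profile` call repeated on a schedule against the stored `LINKED_PROFILES` entries, with roles updated from what the profile currently shows.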

Raising security awareness is good and the OP makes good points

 

However there are two minor things:

i) Calling an authentication token a "secret", is disingenuous. If the best practices listed in 2 are followed, it is useless to anyone else. Usually authentication tokens also have a limited shelf life i.e. a time limit in which they can be used, but this extra security is not warranted in this case imo.

ii) Regarding 6: before a bot was made to automate giving roles, adding the role was a manual process. Removing the role is still a manual process, so nothing has changed there.  Polling a thousand+ accounts every few minutes/hour because someone *might* have changed their backer status seems overkill. Also thanks to the "hide backer status" feature, there can also be false positives. I am certain there are other solutions to this.

Link to comment
Share on other sites

59 minutes ago, Lethys said:

Yeah, I won't link my account to any bot/third party. 

 

But nice explanation and description, thanks

Why is that Lethy? Any particular reason or just that you don't trust them?

Link to comment
Share on other sites

36 minutes ago, Kurock said:

i) Calling an authentication token a "secret", is disingenuous. If the best practices listed in 2 are followed, it is useless to anyone else. Usually authentication tokens also have a limited shelf life i.e. a time limit in which they can be used, but this extra security is not warranted in this case imo.

I can probably call it a "token". Post edited.

 

37 minutes ago, Kurock said:

ii) Regarding 6: before a bot was made to automate giving roles, adding the role was a manual process. Removing the role is still a manual process, so nothing has changed there.  Polling a thousand+ accounts every few minutes/hour because someone *might* have changed their backer status seems overkill. Also thanks to the "hide backer status" feature, there can also be false positives. I am certain there are other solutions to this.

Well, that's why automation is better :).

We had the case for ATV Discord where we had to remove someone. In this case, NQ did warn us and we manually removed him. But if NQ didn't, he would still have access to NDA'd information.

I'm sure that several persons did lose their early access and NQ didn't post an announcement about it. This is where an automatic check helps.

I'd be happy to update the post with another solution if you have one.

 

PS: for pure organization related membership, manual removal may still be enough.

 

Regards,

Shadow

Link to comment
Share on other sites

13 minutes ago, Kael said:

Why is that Lethy? Any particular reason or just that you don't trust them?

No reason to give someone free info about my profile. Yeah it's public anyway, but I don't trust them in any way - they could just use that data later on for other stuff. Better to force them to write a scraper which does that, so they have to work for it at least.

 

And yes this suspicion is only because I would do that lol

Link to comment
Share on other sites

9 minutes ago, Lethys said:

No reason to give someone free info about my profile. Yeah it's public anyway, but I don't trust them in any way - they could just use that data later on for other stuff. Better to force them to write a scraper which does that, so they have to work for it at least.

 

And yes this suspicion is only because I would do that lol

Yes I agree! I am a very private person myself and the fewer people that know a secret/information, the less likely that information will get out! I'm also suspicious about people and programs wanting my private information!

Link to comment
Share on other sites

13 hours ago, Shadow said:

...

But if NQ didn't, he would still have access to NDA'd information.

...

I'd be happy to update the post with another solution if you have one.

...

The first line is less of an issue since once under NDA, always under NDA.

 

As for the second... My suggestion is NQ lets us know when they remove someone. How practical that is, is another matter ;)

Link to comment
Share on other sites

2 weeks later...

The issue with point 2 can be avoided by requiring a password while linking the profile hosting the hash. Either make the user specify one when starting the whole process, or have the third party service communicate one to the user initiating said process. If a hostile person tries to bind your profile to his account, he'd need to supply it for it to go through.

Link to comment
Share on other sites

The fearmongering being spread through this thread is a bit disingenuous considering that nobody actually asked me how the authentication actually works or what is being collected (regardless of the fact that all of it is open source and available for anyone to look at).

 

So I will break it down here.

 

  • It doesn't matter if you know how the hash is generated, in fact, I'll tell you that it's an MD5 sum of the Discord User ID. Having a way of generating a users hash does absolutely nothing for you trying to authenticate as them against the forums because a hash is tied to a specific Discord ID. The auth tool generates the hash for a user (from their ID) entering a command and validates the hash on the forum against it. Even if you know another user's hashed ID, you're not going to be able to do anything with it. Many people have connected their discord accounts to their forum accounts and have left their hashes up publicly. 
  • Again, a hash by itself is useless. 
  • Unless you have access to the bot by changing its source code and somehow breaking into the container that it's being hosted from, you're not going to get the bot to accept someone else's hash against your own discord id. And if you were going to go to all those lengths, you may as well change the source code to just give you the roles without having to auth at all. 
  • The only way someone is going to link to a profile that isn't theirs is if someone convinces another person to post that message on the forums on their behalf, which would be akin to sharing your password or account with someone. 
  • Manual verification of ATV status and pledge statuses has been going on for far longer than any of the auth bots have been around for other Discords that are out there. The only thing the auth bot does is make it an automatic process. Someone could just as easily have taken advantage of the manual verification by having someone else send a message on their behalf. 
  • The only things being saved are the forum profile links and the pledge statuses (if made public on the forums). If you don't want your pledge status tracked (which only gives out colored roles to founder pack backers) then make your pledge status private on the forums. We're not saving anything that you're not already giving away by virtue of having a public profile on the forums. And this is only if you go through the account linking process. We are not scraping the forums collecting data on anyone who has not explicitly agreed to it by using the auth tool and running the ~linkprofile command. 
  • If you're concerned about what is being stored, again the source code is all open for anyone to look at (and more importantly, submit patches) here https://github.com/yamamushi/du-discordbot

 

I've been working on a phone app for Dual Universe, but considering how much people complain (and it's always the same people) about everything else I get involved in for whatever reasons, I'm not really sure I want to continue at this point. 

Link to comment
Share on other sites

Just to be clear: this thread is not targeted against yamamushi's bot (or any other specific bot, for that matter).

I've done some tests on it and I have not found any evidence of a major security breach (I won't say none, as there is always a risk in any application, even minimal).

Besides, any information gathered by the bots is publicly available (you can only hide your pledge status and, in this case, the bots won't find it either).

The potential problem is identity theft: someone saying that he is you, backed by a bot validation.

Don't trust someone if you haven't verified it yourself correctly or trust the bot having verified him.

 

20 hours ago, SirJohn85 said:

I am still waiting for an option to set my profile private.

I am not going to link anything with my account.

What do you want to hide exactly (and from whom)?

 

Regards,

Shadow

Link to comment
Share on other sites

2 hours ago, Shadow said:

What do you want to hide exactly (and from whom)?

 

Regards,

Shadow

It's always dangerous to equate "privacy" with "hiding." It isn't about hiding, it's about controlling whether or not you can hide. In bigger words, "informational self-determination." Privacy is the right to control information about yourself.

 

If you make the choice that you are okay with the world seeing your pledge, your location, your organisations, and so on, that's totally fine. That's still privacy. That's still you exerting control over your information. If someone else makes the choice to let the world see your pledge, your location, or organisations, and so on, without your consent, that's not fine. That's a violation of your privacy. That's you losing control over your information.

 

You having nothing to hide? Good for you. I on the other hand have a lot to hide, none of it is criminal, it's just nobody else's business. 

 

You can now make fun of what the data is about. Nevertheless, I take privacy seriously. Maybe it does not matter to you, but it does matter to me. And that is to be respected.

Link to comment
Share on other sites

3 hours ago, SirJohn85 said:

It's always dangerous to equate "privacy" with "hiding." It isn't about hiding, it's about controlling whether or not you can hide. In bigger words, "informational self-determination." Privacy is the right to control information about yourself.

Ok, the "hide" word was probably not the best choice, but my question has no other meaning than "what kind of information would you like to limit (and how would you like to share it)" because:

  • You can already hide your pledge (but the option is an opt-out).
  • Location and personal information are not mandatory and you can just not give them (actually, I don't really see the point in filling them in).
  • Most of the other information (like name, etc.) is visible more globally and actually required.

I was just curious about it (and I think that NQ may need more details about what you wanted).

I guess that what matters to you is the organizations members being public. In that case, I believe that we will have to wait until complete RDMS implementation :ph34r: (that's also why I don't belong to any organisation except ATV).

 

3 hours ago, Glowtape said:

Hah, I like the "nothing to hide" argument. For some reason the people that keep spewing that line still don't like to take a shit in view of the public, though.

This is not my point of view, that's actually the contrary.

 

Regards,

Shadow

Link to comment
Share on other sites
