Author Topic: Key Compromise  (Read 29813 times)

Badspot

  • Administrator
A number of Blockland keys have been compromised.  The method is currently unknown.

Current hypotheses:
  • Remote code execution - A malicious server would exploit a buffer overflow or similar flaw to execute arbitrary code on clients that joined (or vice versa).  Exploits of this nature have been found before, and a number of bad actors are constantly looking for them. 
  • Exploit in Blockland Glass - I don't know anything about this mod.  Beyond social engineering attacks (i.e. making a fake 'enter your key' dialog), script code should not be able to read the key data, but there may be bugs/exploits/oversights around this protection.
  • Database compromise - This seems extremely unlikely to me because no famous retired accounts have been compromised.  My key has no special protections and I doubt an attacker could resist the temptation.

I have taken the following actions to mitigate the chaos while this plays out:
  • Disabled non-Steam authentication
  • Disabled linking keys to Blockland forum accounts
  • Disabled converting Blockland keys to Steam accounts

Email or message me if you have actual knowledge of the problem.

Edit: Blockland r2005 released.
« Last Edit: May 03, 2020, 04:34:33 AM by Badspot »




it could also be a leak of an old stuffty hosting service key database




I just want to block... me JIZZCAKE first forum post c'mon bro..

you able to provide the compromised with a new key? I have more than a few friends on there, and I don't wanna see em SOL

And the search continues...


104 Keys are taken

so do we get new keys or are we just forgeted

Is there any plan to salvage the 'compromised' accounts? A couple of well-known veterans were hit, like Wrapperup, Sugar and Filipe1020.