PeterP, posted March 18, 2011 (edited)

Security-leak in DCS:Warthog 1.1.0.6

To all: Please keep the discussion civilised! Don't discuss how this can happen - this doesn't help at all right now. This post is only to inform you!

The Developers are aware of this and working on a fix: http://forums.eagle.ru/showthread.php?p=1142609#post1142609

To the Moderators: Feel free to close this Thread and delete it when a fix is provided. (This also relates to all of my other posts on this subject.)

Edit: If you use the "save password" function in multi-player: Be aware that other people can easily get your login information for your http://www.digitalcombatsimulator.com account (by using some nasty tricks), and use this to suck up your Product-keys and take over your account.

To avoid this:
- Never (!) share your Network.cfg
- Much better: Don't use the "Save Password" option (un-check it!)
- Use only mods from trusted sources!
- Only download the installation files from http://www.digitalcombatsimulator.com
- Change your password for your Account at http://www.digitalcombatsimulator.com
- If someone asks you to send/post your Network.cfg: report this to the moderators!

If you are not sure if the data is still there: Overwrite your Network.cfg with the attached default one.

Default Network.cfg:

    connection = {
        "Default",
        131072,
        65536,
    }
    player_name = ""
    server = {
        client_params = "motd=\"Welcome to Flaming Cliffs 2 server!\";",
        max_players = 32,
        name = "A-10C",
        client_outbound_limit = 0,
        pause_on_load = true,
        client_inbound_limit = 0,
        disable_events = false,
        integrity_check = {
            "Config/Weapons",
        },
    }
    client = {
        history_size = 16,
        history = {
            "",
        },
        mode = 0,
    }
    master_login = ""
    chat = {
        view_rows = 3,
        offset = 0,
    }

Where is my Network.cfg?
Windows 7: C:\Users\<USER NAME>\Saved Games\DCS Warthog\Config
Windows Vista/XP: ...\DCS A-10C\DCS Warthog\Config

Download: Default Network.cfg.zip

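An added example, not part of the original post and not Eagle Dynamics code: a check to run on a Network.cfg before sharing it, which compares its top-level keys with the default file quoted above and flags a filled-in master_login. The post does not name the key that holds the saved password, so `saved_secret` and every value in the sample are constructed placeholders; the function names are hypothetical, and the parser assumes one assignment per line.

```python
import re

# Top-level keys of the default Network.cfg quoted in the post above.
DEFAULT_KEYS = {"connection", "player_name", "server", "client", "master_login", "chat"}

ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*,?\s*$')
STRING = re.compile(r'"(?:\\.|[^"\\])*"')

# Constructed sample. "saved_secret" is a placeholder key name (assumption).
SAMPLE = r'''player_name = "Pilot"
server = {
    client_params = "motd=\"Welcome {all}\";",
    max_players = 32,
}
master_login = "pilot@example.com"
saved_secret = "hunter2"
chat = {
    view_rows = 3,
}
'''


def top_level_assignments(cfg_text):
    """Yield (key, raw_value) for assignments made at brace depth 0."""
    depth = 0
    for line in cfg_text.splitlines():
        m = ASSIGN.match(line)
        if depth == 0 and m:
            yield m.group(1), m.group(2)
        # Count braces outside string literals, so "{" inside a MOTD is ignored.
        bare = STRING.sub('""', line)
        depth += bare.count("{") - bare.count("}")


def audit_network_cfg(cfg_text):
    """Return findings that should stop the file from being shared."""
    findings = []
    for key, raw in top_level_assignments(cfg_text):
        if key not in DEFAULT_KEYS:
            findings.append(f"{key}: not in the default file, review before sharing")
        elif key == "master_login" and raw != '""':
            findings.append("master_login: saved account login present")
    return findings


if __name__ == "__main__":
    for finding in audit_network_cfg(SAMPLE):
        print(finding)
```

An empty result only means the file matches the default's key layout; overwriting it with the default file, as the post advises, is still the safer step.
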
Legolasindar, posted March 18, 2011

Thanks PeterP

Pteradon, posted March 18, 2011

Thanks for the warning. :thumbup:

PeterP, posted March 19, 2011 (edited)

USSR_Rik (ED-Team) has confirmed that the security-leak is closed already in a Beta that is in Testing. < MY INTERPRETATION

USSR_Rik's original post (translated from Russian):

In short, the user's password is stored in network.cfg in open, unencrypted form, which can create a potential threat of its (the password's) theft. I (personally, as a user and virtual pilot) do not think this is a serious problem, since it is unlikely to occur to anyone to share the game directories and/or hand these files out left and right. But, by the way, a "tempting" mod from some attacker: here yes, the danger really exists, and I absolutely agree with PeterP. The hole will be plugged, and that is right (in fact, it is already plugged).

Google Translate:

In short, the user's password in network.cfg stored in an open, unencrypted, which could create a potential threat to it (a password) kradezha. I (personally, I like user and Virpi) do not think this is a serious problem, because it opens a shared directory of the game and / or distribute these files to the right and left is unlikely anyone will come to mind. But by the way, "tempting" modes of any intruder - then yes, the danger is really there and I absolutely agree with PeterP. The hole will be plugged and it is right (actually, it's already plugged).

RAF74_Raptor, posted March 19, 2011

Thanks for the heads up

USSR_Rik (ED Team), posted March 19, 2011

(This is a translation of my answer to PeterP's post in the Russian forum.)

In short, the user password saved in network.cfg is not encrypted, which can create a potential threat of its theft. I (personally, as a user and virtual pilot) do not think that it's a serious issue, because nobody will share their game folder. But I agree with PeterP that there is danger in some "nice" mods. This vulnerability will be closed, and that's absolutely right (actually, it's already closed).

PeterP, posted March 20, 2011 (edited)

Another Developer comment regarding the delivery of the encrypted password:

"All communication with Master is done via HTTPS/TLS. It is the storage of login/password in the local config file that was overlooked. But now it is fixed and after the patch, it will be stored in the encrypted form."

I want to thank the Developers for their input and the quick and open communication in this case!

Antartis, posted March 20, 2011

+1 rep. Thanks for the warning.

Renato71, posted March 21, 2011

Excuse my ignorance, but I'm not up to date with DCS-WH. However, I have to inform my buddies about the latest developments, and I would like to ask for a clear (clear to me, hehe) confirmation: This security issue is related to the latest patch, correct? And the latest one is 1.1.0.6? Thanks in advance.

MTFDarkEagle, posted March 21, 2011

Quote: "Security-leak in DCS:Warthog 1.1.0.6"

Yes, it's 1106 :)

PeterP, posted April 7, 2011

Patch 1.1.0.7 for DCS: A-10C Warthog closed the security-leak. This Thread can be closed! :)