Necktrox

Issue: #9629: onClientConsole should skip "login" command

This pull request solves the issue in the link above, but it doesn't protect players from malicious servers, which look for the /register command, which isn't hard-coded. There are obviously other ways to steal a player's password too.

qaisjp merged commit a381f24 into multitheftauto:master May 11, 2017
qaisjp added the bug (Something isn't working) label May 11, 2017

Bonsai11 commented May 11, 2017

I'm not sure if it's still possible today, but a few years ago you could create a clientside command handler with "login" as the name and simply grab the parameters, which would be the username and password, and send them to a serverside script that outputs them to you. So whenever someone uses /login, you could get their passwords. This could be done by simple map scripts; it only works while the map is running, but due to people binding /login to a key you would still get a lot.

Contributor

Dezash commented May 11, 2017

There is no point in trying to prevent servers from having your credentials. If you don't trust a service provider then you should not reuse the same password. However, this commit is useful for preventing someone from stealing your credentials if you are logging in on a public computer.
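
A sketch of the kind of check the pull request title describes, added here as an illustration and not taken from the merged commit or the project's code base. The function names and the case-insensitive match are assumptions. It also shows the limit stated in the description: a script-defined command such as register is not hard-coded, so its arguments still reach the event.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <string_view>

// Hypothetical helper: return the lower-cased first token of a console line.
std::string commandName(std::string_view line) {
    const auto start = line.find_first_not_of(" \t");
    if (start == std::string_view::npos) return {};
    const auto end = line.find_first_of(" \t", start);
    const auto len = (end == std::string_view::npos) ? line.size() - start
                                                     : end - start;
    std::string name(line.substr(start, len));
    std::transform(name.begin(), name.end(), name.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return name;
}

// Hypothetical gate: decide whether a console line may be passed to
// script-visible console event handlers. Only the built-in "login"
// command is known in advance, so only it can be withheld here.
bool shouldFireConsoleEvent(std::string_view line) {
    return commandName(line) != "login";
}

int main() {
    // Constructed sample console lines.
    const char* samples[] = {
        "login alice hunter2",     // withheld: built-in credential command
        "  LOGIN alice hunter2",   // withheld: whitespace and case variants
        "register alice hunter2",  // forwarded: script-defined, not hard-coded
        "loginx something",        // forwarded: different command name
    };
    for (const char* s : samples) {
        std::cout << (shouldFireConsoleEvent(s) ? "forward  " : "withhold ")
                  << '"' << s << "\"\n";
    }
    return 0;
}
```
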
