LabyMod Feedback Client

Use HTTPS to encrypt all traffic between Client and LM


Bixilon
2020-04-17 16:37:21
11 Votes
Description
The Client sends unencrypted requests to dl.labymod.com

Please: Use HTTPS!

This is a heavy security issue!

Comments

  • KeksToby
    2020-04-17 19:43:24
    I don't think so...
    Were this a security issue... LabyMod would use HTTPS all the time

  • Bixilon
    2020-04-17 19:57:39
    It is. All data (that means updates, chat messages, server joins, addons, blacklists, ...) is getting sent unencrypted! Every man-in-the-middle hacker could easily do the following things:
    • Updates: The update checker checks for updates on "http://dl.labymod.net/versions.json". A hacker could manipulate these files => easy remote code execution!
    • Icons in the client (upper left corner on start): Somebody could display fake news
    • Chat messages, friend requests, ...: According to my Java decompiler, there is something called LabyParty. A hacker could force people to join Minecraft servers! They can chat with your friends, read your chat history, ...
    • User data: They see what you have bought on LabyMod
    • LabyMod Dashboard: A "pin" is getting generated on start: A hacker can easily log in to LabyMod without a password
    I do not know exactly how the authentication for the chat works, but it could be possible that even your Minecraft account is in danger (NOT CONFIRMED!)

    I think this really is a big security issue!

  • i_Louis_i
    2020-04-17 20:16:09
    Seems Important

  • Bixilon
    2020-04-17 22:18:36
    Small update: Your Minecraft account is not in danger. And also there is authentication for logging in via sockets

    But still absolutely unacceptable!

  • Bixilon
    2020-04-22 01:05:36
    Sorry guys, but this issue is not solved yet!
    Congratulations, the remote code execution is kind of fixed in 3.6.7, BUT:
    • My client still sends unencrypted requests to optifine.net (but this is not your problem/fault)
    • https://dl.labymod.net/groups.json is getting requested without encryption!
    • dl.labymod.net/emotes/emotedata too
    • https://dl.labymod.net/advertisement/icons/twitter.png, https://dl.labymod.net/advertisement/icons/discord.png and https://dl.labymod.net/advertisement/icons/shop.png are also unencrypted
    • dl.labymod.net is still listening for unencrypted connections (this is maybe to update the old clients). http://dl.labymod.net should redirect to https://dl.labymod.net
    This was just HTTP!

    Now the complete LabyConnect protocol is still completely unencrypted!
    So a hacker could read and manipulate the following:
    • Chat messages (old ones, new ones, all of them)
    • Send and accept (fake) friend requests, ...
    • Force players to connect to fake Minecraft servers
    • Get the dashboard pin for logging in on labymod.net (buy stuff, open and comment on issues)
    • ...
    Maybe you could answer the issue?

    And more important: I do not like your changelog!
    "Fixed some important security issues": it's not "some" issues. Please write it like this: "Fixes heavy security issues (remote code execution, ...)"

    And because the patch is not a full patch, here are some points (mini solutions) on this topic that you need to do:
    • The old unencrypted protocol must stop! You need to completely stop it, so there is no danger anymore!
    • The host dl.labymod.net mustn't respond with a valid answer over the HTTP protocol, only over HTTPS
    • Notify your users about this security issue and make this issue public again (I will not give any instructions how to hack the LabyMod client practically). This is not something you can hide!
    • Force update the client (you are doing this already, but make the client stop working on old versions)
    • ...
    I will write a small blog article (German only!) about this topic these days. You will find it here: https://bixilon.de/blog.php?id=1
    I hope to hear from you, feel free to get advice from me ([email protected])
    Protect your users!
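    Two of the points in this list (no plaintext endpoints left in the client, and the plain-HTTP host answering only with a redirect to HTTPS) can be checked mechanically. The script below is an added example for this thread, not LabyMod's code: it flags every client endpoint that would be fetched without TLS, rewrites them to https://, validates what a plain-HTTP host answered against the "redirect only" rule, and checks that the HTTPS response pins clients to HTTPS with HSTS. The endpoint list is constructed from the URLs named in the thread and the sample responses are constructed; nothing is fetched from the network.

```python
"""Endpoint and redirect audit for a client that should only talk HTTPS.

Added example for this thread, not LabyMod code. The endpoint list below is
constructed from the URLs named in the thread, and the sample responses used
in __main__ are constructed too; nothing here is fetched from the network.
"""
from urllib.parse import urlparse, urlunparse

# Constructed list of the endpoints the thread names (not read from the client)
ENDPOINTS = [
    "http://dl.labymod.net/versions.json",
    "https://dl.labymod.net/groups.json",
    "http://dl.labymod.net/disabled_addons.json",
    "dl.labymod.net/emotes/emotedata",   # no scheme: most HTTP clients default to http
    "https://dl.labymod.net/advertisement/icons/twitter.png",
]


def find_plaintext_endpoints(urls):
    """Return every URL that a client would fetch without TLS (http:// or no scheme)."""
    return [u for u in urls if urlparse(u if "://" in u else "http://" + u).scheme != "https"]


def to_https(url: str) -> str:
    """Rewrite a URL so it is always fetched over https://, keeping host and path."""
    if "://" not in url:
        url = "https://" + url
    return urlunparse(urlparse(url)._replace(scheme="https"))


def check_http_redirect(request_url: str, status: int, headers: dict) -> list:
    """Check how the plain-HTTP host answered a request for request_url.

    The only acceptable answer is a permanent redirect to the same host and
    path on https://. Returns a list of findings; an empty list passes."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 308):
        findings.append(f"expected permanent redirect (301/308), got HTTP {status}")
    location = lower.get("location")
    if location is None:
        findings.append("no Location header")
    else:
        req, loc = urlparse(request_url), urlparse(location)
        if loc.scheme != "https":
            findings.append(f"redirect target is not https: {location}")
        if (loc.netloc, loc.path) != (req.netloc, req.path):
            findings.append(f"redirect changes host or path: {location}")
    return findings


def hsts_enabled(https_headers: dict, min_age: int = 86400) -> bool:
    """True if the HTTPS response carries Strict-Transport-Security with
    max-age >= min_age. HSTS-aware clients only honour the header on an
    HTTPS response, so check it there, not on the port-80 redirect."""
    value = {k.lower(): v for k, v in https_headers.items()}.get("strict-transport-security", "")
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number) >= min_age
    return False


if __name__ == "__main__":
    for url in find_plaintext_endpoints(ENDPOINTS):
        print(f"plaintext endpoint: {url}  ->  use {to_https(url)}")
    # Constructed sample: what the port-80 host should answer for versions.json
    sample = check_http_redirect("http://dl.labymod.net/versions.json", 301,
                                 {"Location": "https://dl.labymod.net/versions.json"})
    print("redirect check:", "ok" if not sample else sample)
```

    The redirect check deliberately rejects 302/307 and any Location that changes host or path: a temporary redirect leaves a client free to keep retrying port 80, and a redirect that lands elsewhere hides whether the original resource is actually served over TLS.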

  • Bixilon
    2020-04-22 01:33:30
    Small update: The remote code execution was NOT fixed! The update is completely useless! More in my blog tomorrow

  • Bixilon
    2020-04-22 01:58:15
    I released my blog article. Here for LabyMod: The Updater.jar still requests all data via http

  • LabyStudio
    2020-04-23 02:04:35
    We have implemented and published all changes. Thank you for your help!

  • Bixilon
    2020-04-23 13:03:32
    Good, version 3.6.8 fixes the remote code execution, but there are still things to do:
    • The disabled addons are still getting requested via http://dl.labymod.net/disabled_addons.json (somebody could disable and delete all your addons in a MITM attack)
    • The LabyConnect stuff is still unencrypted (I think I do not need to explain it anymore)
    Optifine and Forge are still sending requests via http, but that is not your fault.

    And: Thank you for your answer and the fix :)

  • LabyStudio
    2020-04-23 14:28:32
    We have added encryption for LabyConnect and removed every HTTP call. Are you sure you have the latest LabyMod version?
    There is nothing useful/readable for me in Wireshark.

    Do you have any errors in your game output?

  • LabyStudio
    2020-04-23 14:34:11
    You need the protocol version 24 or higher to enable the encryption

  • Bixilon
    2020-04-23 20:24:19
    Hi,
    Hmm. Now I can not see this HTTP request anymore. Funny.
    But: I can still see part of the data. The chat messages are encrypted now. But my UUID, my username, my timezone, my MOTD, addon list and the authentication are still unencrypted. You still must do 2 things:
    • Start the connection encrypted and not after some other things.
    • Do not use a symmetric key: If I am a hacker, I will receive the key and can decrypt all traffic.
    • Sign the encryption: A MITM attack is still possible, because the client can not verify if the server is the "real" server
    I have a question about the authentication: If I am not wrong, your account is in danger, because the encryption is getting enabled after the authentication, and there is no check about the public key LabyMod sent to you. I could try to connect to gommehd.net with username=GommeHD. Now I use my hacking skills to get the server id and send it with my public key to LabyMod. LabyMod sends a join server packet to Mojang. I will get the verify token encrypted. Now I decrypt it (with my private key), re-encrypt it and send it to gommehd.net. Can this work or not? I am not sure about this.
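    The three bullets in this comment (encrypt from the first byte, no symmetric key handed over in the clear, server identity verified) are exactly what authenticated TLS gives a socket protocol, so the practical fix is to wrap the socket before any identity field is written and to let the library verify the server certificate. The code below is an added example for this thread, not LabyMod's LabyConnect code: it builds a hardened client context, shows the weak variant beside it, audits a context for the usual ways verification gets switched off, and sends the identity record only after the handshake completed. The host name, port, and the handshake field names are constructed placeholders, not the real LabyConnect wire format.

```python
"""Client-side check that LabyConnect-style traffic is protected by
authenticated TLS before any identity data leaves the client.

Added example for this thread, not LabyMod code. HOST, PORT and the
handshake fields are constructed placeholders.
"""
import json
import socket
import ssl

HOST = "labyconnect.example"   # constructed placeholder, not a real LabyMod host
PORT = 443


def make_client_context() -> ssl.SSLContext:
    """Context that authenticates the server (CA chain and hostname) and refuses TLS < 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets these two; restating them makes a
    # later "fix" that disables verification visible in a diff
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: traffic is encrypted, but any server can answer because
    nothing is verified. This is the gap the comment above calls "sign the encryption"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses of a client context; an empty list passes."""
    findings = []
    if not ctx.check_hostname:
        findings.append("check_hostname disabled: a certificate for any other name is accepted")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server is never authenticated")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")
    return findings


def encode_handshake(uuid: str, username: str, timezone: str, addons: list) -> bytes:
    """Serialize the identity fields as one newline-terminated JSON record.
    Constructed wire format for this example, not the LabyConnect format."""
    return json.dumps({"uuid": uuid, "username": username,
                       "timezone": timezone, "addons": addons}).encode() + b"\n"


def open_authenticated_channel(host: str, port: int, handshake: bytes,
                               ctx: ssl.SSLContext = None) -> ssl.SSLSocket:
    """Connect, finish the TLS handshake, and only then write the identity fields.

    wrap_socket() returns only after the server certificate and hostname were
    verified, so the fields are never on the wire in plaintext and never reach
    a server that could not prove its identity. The session key comes out of
    the TLS key exchange; no symmetric key is ever sent by either side."""
    ctx = ctx or make_client_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    tls.sendall(handshake)
    return tls


if __name__ == "__main__":
    print("hardened context findings:", audit_context(make_client_context()))
    print("weak context findings:", audit_context(weak_client_context()))
```

    audit_context() is the piece worth wiring into a test suite: it catches the common regression where someone clears check_hostname or sets CERT_NONE to make a self-signed test server work and the change ships to users.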
