IP Spoofing Exploit (Page 1 of 2)

If there woulndt be such ppl, there wouldnt be any security progress

See https://github.com/teeworlds/teeworlds/pull/986

I have to say this: This issue is fixed since about a year i think, but it won't be in 0.6 anymore i guess because it would break the compability.

Wait until 0.7, there are no massive abuses so everything should be fine.

Also I dont feel like it is a good idea to break any compabilities because many mods wouldnt be playable anymore from one moment to the other.

Unexperienced players with the old client would be confused that they cant play anymore on the most servers.

Thoose might  be some reasons why the devs will only fix it in  0.7. If you want to speed the progress up, dont waste your time to create a topic that already has been discussed, but instead contribute to 0.7!

Edit: I couldnt take your post to serious after I saw that you said some names in particular. That makes you just a snitch to me.

@johndrad: you're totally wrong...

these people use a VPS, not a rootserver, just FYI^^

The next target is to bypass the password protection used to avoid dummies

and this thread is completly senseless, as e.g. when i developed a spoofing programm a teeworlds moderator was one of the first i showed it to

Greetings Piko

teeworlds security  too low ,   
in 0.7  they must cod tee  that no one see ip address of servers  and ip of players
use dns connection for server and use player identity for ban them in game by rcon
this is the soloution
but tee staffs  wont do this ,

"We"
No wonder you call me a "snitch".

So basically what you guys try to say is, if nobody extremly abuses this exploit, you wont fix anything?
So this exploit is known for more than 1 year, and nothing changed?

This is really a shame.
The first game i see, who accepts hackers.
Well done teeworlds...

Absolutely correct, not in 0.6.4, but in 0.7.

Let me refer both of you to https://github.com/teeworlds/teeworlds/ … -129743528

It is not true at all that teeworlds accepts hackers, why would they let anyone put them under pressure to release a unfinished, maybe buggy version of the game? As I said before, if you are not pleased with the current developement-speed feel free to contribute to 0.7.

It's not good we leave that impression. It wasn't fixed before because it seemed that it couldn't be fixed without backward-incompatiblities, now we know it's possible, and I agree with you that we should probably release as soon as possible.

(Note that the last time we had such a vulnerability we didn't take so long, the 0.6.3 release was out a lot faster.)

I dont see the problem about getting all IPs, as long as it is prevented to tell which IP is which player (spoofing...). Its a bad idea to let the masterserver provide all the server information, it would increase the traffic significantly.

And the other thing is: Why would my server be masterserver banned? It's a normal server where people can play on (and do).

Doubt the teeworlds masterserver has enough bandwidth to hide ips and handle all the refresh requests done by people every day.

This could work as one method, but It's kinda like you gotta type a generated code, which is shown as the server name in order to join a server, I'd prefer if the actual type in your password prompt would be a string sent by the server and used as that kinda handshake or whatever method automatically if it starts with whatever symbol would be good to get it to be seen by the client as the generated password.

I am not sure, but I think clients like DDNet use different sockets/ports for serverinfo requests and actual connections.
Try using such a client. That way people will have a hard time brute forcing your actual port.