9 years ago
some1 just seems to have found an exploit in zero k which allows him to take over accounts and write and play as them and easily hijack admin powers.
it just threw me out a game "connection refused, user already ingame" and when i was in lobby i see "snokerciffer: its ok now" what i never wrote.
also chesti and alcurs accounts have been used to exit our games and kick users also tried to ban!
+0 / -0
It seems whoever is doing it, is spoofing ingame player name, not actually taking over the account. I hope.
+0 / -0
9 years ago
[01:24] somewhatm8 !spoofname Alcur#true
[01:25] somewhatm8 woops my bad
[01:26] Iodine1 [Alcur]!kickban Huj
[01:27] Iodine1 [Alcur]!ban Huj
[01:27] Iodine1 [Alcur]!kick huh

hope u close this bug quickly
+0 / -0
9 years ago
Now this mad piece of shit made !cheats, and flooded with meteors.

[5:43] * Iodine1 Cheats!
[5:43] Iodine1 [Alcur]!cheats
[5:47] * WutPotatoPower Going to Zero-K: All Welcome zk://@join_player:Springiee551
[5:48] * Iodine1 Poll: Exit this game? [!y=1/3, !n=0/3]
[5:48] Iodine1 [Huj]!exit
[5:48] * NorthChileanG Going to Zero-K: All Welcome zk://@join_player:Springiee551
[5:48] Iodine1 [[RUSSIA]Masterbot]!vote 1
[5:48] Iodine1 [Huj]!vote 1
[5:48] Iodine1 [pear]A hacker is fucking games up
+1 / -0
DErankexploit is often found in zk.

Is Spring doing any kind of authentication? Else this would be an engine bug that can't be addressed directly by zkdevs.(Turned out I was wrong and Spring does authentication while zk ignores this feature). I could think of a modified startscript.

FIrankAdminAlcur enabling cheats and DErankChesti kicking people seems normal behaviour to me..

+2 / -0
What I can confirm is that someone joined one game using my accountname and did "!kick Alcur" and "!exit". I was in lobby room, but didn't even have Spring running. Apparently he did the same with Chesti's and Alcur's names too.
+2 / -0
9 years ago
um its normal behavour text i never wrote appears in chat with my name before?
and hours we cant play cause games keep getting ruined by spoofed admin accounts?
who should i adress such lacks of security to if not to the developers? shouldnt they take care they dont use bugged exploitable libraries
+1 / -0
I guess this means we should just go back to our families/friends and have a nice Christmas Eve while the trollz without friends can enjoy the evening as well.
+9 / -0
9 years ago
"I guess this means we should just go back to our families/friends and have a nice Christmas Eve while the trollz without friends can enjoy the evening as well. " do you write this to all forums today?

well i think this is a serious security lack if some1 can hijack admin accounts and kick and ban people and this should be taken serious
+0 / -0
9 years ago
I agree with snokeciffer. This is a serious exploit and it must be fixed immediately else we risk losing more people in this one mess of a christmas parade lel.
+1 / -0
9 years ago
I think its fixed, a game is going on now fine lel
+0 / -0

9 years ago
This has been known for ages. The engine does authentication but the ZK autohosts ruin it.
+5 / -0
9 years ago
Did I miss all the fun again? :(
God damn
+1 / -0
9 years ago
Yes you did Firepluk XD
+0 / -0
You have to read between the lines.
This can only be used to spoof names ingame and won't give access to the database or website. Afaik there are some nice CZrankAdminLicho only(Lvl99) Springiee commands though.

I just tried and am able to reproduce the issue. Firepluk can still have fun, but maybe not for long.
+0 / -0
Taking over some1 elses nick gain you his power untill next logout.

@Rafal[ZK] remember when you once changed nick to trollsomething and I ninjaed your nick? I was able to join #zkadmin easly, even tho my account itself didn't have such permission. (And noone noticed cuz same flag, lulz)
+0 / -0
9 years ago
"This can only be used to spoof names ingame and won't give access to the database or website. "
i have seen this gives access to admin commands which affect the database (kick and ban)

even if it doesnt effect the db
i dont want to get kicked by script kiddies with no reason and tips like "lets just chill let them destroy zk completely and instead of doing anything we have a great christmas" is no real help so whats the sense of this`?
+1 / -0

9 years ago
I'm working on the fix, it's fairly far along now.
+0 / -0
9 years ago
This has been known for ages. The engine does authentication but the ZK autohosts ruin it.

It seems that the easiest way to hack zk is just look for some exploits is reported issues.
+6 / -0
9 years ago
I think would be better to put down the affected services (springie if I got it correct) rather than let them be and have a couple of trolls annoy people.
+1 / -0
