Impact
The AutoRegister plugin generates passwords for the users that it registers in a predictable way, using their IPv4 address, their Client UUID, and their character name. Because of this, any server using AutoRegister may unexpectedly have its users impersonated. All of the ingredients used to create the passwords can be gathered by having a player connect to a malicious server. Much the same risk exists when a player relies on UUID-based authentication, but that risk is not made clear to server operators here. UUID login can simply be disabled; with this plugin, however, the damage is already done by that point, because the predictable passwords remain in the database and a server can trivially be attacked retroactively.
Patches
No patched version is available at this time.
Workarounds
For public servers, you should edit the database and change the bcrypt hashes to something that isn't predictable. Remove the plugin, and change the underlying passwords in the database.
For private servers, you may not need to do anything to "patch" the issue if you don't have users that play on other servers.
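One way to carry out the public-server workaround above, as an added example that is not code from AutoRegister or TShock: every stored hash is replaced with the bcrypt hash of a fresh random secret, so nothing about the new password can be recomputed from a player's IP address, UUID or character name. It assumes an SQLite database with a `Users` table holding `Username` and `Password` columns (adjust the names to your server's schema) and the `bcrypt` PyPI package.

```python
"""Rotate every AutoRegister-created password to an unpredictable secret.
Added example; assumes a `Users(Username, Password)` table (TShock-style)
and the `bcrypt` package. Adjust table and column names for your server.
"""
import secrets
import sqlite3
from typing import Callable, Dict

# Constructed sample rows standing in for a real server database.
SAMPLE_USERS = [("alice", "$2a$10$predictable-hash-from-autoregister"),
                ("bob", "$2a$10$another-predictable-hash")]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with the assumed schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT PRIMARY KEY, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def bcrypt_hash(password: str) -> str:
    """Hash with bcrypt (pip install bcrypt), the format the server stores."""
    import bcrypt  # imported lazily so the rotation logic can be tested without it
    return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()


def rotate_passwords(conn: sqlite3.Connection,
                     hasher: Callable[[str], str] = bcrypt_hash) -> Dict[str, str]:
    """Replace every stored hash with the hash of a new random secret.

    Returns {username: new_password} so the operator can hand the new
    credentials to players out of band. The secret comes from the OS CSPRNG,
    not from any player attribute, so it cannot be derived by an attacker.
    """
    new_passwords: Dict[str, str] = {}
    for (username,) in conn.execute("SELECT Username FROM Users").fetchall():
        new_passwords[username] = secrets.token_urlsafe(16)  # 128 bits of entropy
        conn.execute("UPDATE Users SET Password = ? WHERE Username = ?",
                     (hasher(new_passwords[username]), username))
    conn.commit()
    return new_passwords


if __name__ == "__main__":
    for user, pw in rotate_passwords(build_sample_db()).items():
        print(f"{user}: new one-time password {pw}")
```

Run it against a backup first, then restart the server after removing the plugin so no new predictable accounts are created.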