Updated Chatroom
LoneAce (226)

Hello there!

Just a brief intro: this is an updated version of my previous Python Chatroom post.

Link is here: https://repl.it/talk/share/Python-Public-Chatroom/21474

For public viewers please use the route "public"


Updates:
~> Public chatroom that is more secure (Can't pretend to be a mod)
~> Private chatroom (Only for close friends for now)
~> /read to read messages without having to press enter (But if you want to send a new message, restart the program)
~> /quit to quit and change routes (As in for those allowed into the private chats)
~> /kick to kick everyone from a certain chatroom (For mods only)
~> Client and server separated, and server is a private repl so that it's very secure


A journey of a thousand lines begins with a single line

GabeEE (4)

I hate to say it, but all you need is a bcrypt utility and you can get into lone's account.
I suggest using salts in your encryption, to slow down intrusions.

LoneAce (226)

@GabeEE Can you elaborate using python? I'm not really experienced in it

GabeEE (4)

@LoneAce
Just encrypt a hash that's already encrypted.
Sounds complex, but it's really not.

[deleted]

@GabeEE You are completely incorrect. Do you even know what hashing is? Try accessing his account, let me know how it goes.

GabeEE (4)

@sanjaykdragon
Easy, just replace his hash with your own bcrypt hash, and use that instead of his password when you login.

[deleted]

@GabeEE that's not "cracking" the program. And he should be doing serverside authentication for security anyways

LoneAce (226)

@sanjaykdragon So pardon the intrusion, am I doing it right or wrong? Or would you like me to do the authentication for a mod account in the server? Please elaborate

[deleted]

@LoneAce If you have control of the serverside, you should authenticate users on the serverside too. Check my chatroom ex on my profile (has client and server, with authenticated users)

superwhiskers (40)

@GabeEE you don't even need to have the password, or crack it, or anything. all you need to do is remove the code that checks the password/removes [MOD] and you're good. the "server" itself only returns a jsonstore secret anyways so all you need to do is take that and you can edit anything you want, even wipe the chat.

superwhiskers (40)

@superwhiskers here. https://chatroom-database.loneace.repl.co/public this is the url to the secret of the public chatroom.

to remedy this, i'd suggest having the server itself proxy messages to a store and require authentication on the serverside for moderation actions

LoneAce (226)

@superwhiskers I am trying that out. Is there any way I can authenticate through IP addresses though?

LoneAce (226)

@sanjaykdragon Thanks for helping me all this while mate. Do you have an insta account so that I can contact you more easily?

[deleted]

@LoneAce I don't give my instagram out to internet ppl.
Also you can authenticate by IP address by saving an array of "good" ip addresses, and comparing the user who connects to the array, and if they are in there, accept their moderation command

superwhiskers (40)

@LoneAce

  1. authentication via ip addresses is insecure as ip addresses can change and don't represent single people
  2. you can't as your repl is behind a reverse proxy anyways, and the returned ip from the ip layer would be that of the proxy. (but it may be accessible through a header)

LoneAce (226)

@superwhiskers Oh ya... then could you tell me how to do server side authentication when others can just fork the repl and remove it?

superwhiskers (40)

@LoneAce you should really just open source the server. i highly doubt that there's anything that would be an issue exposing to the public assuming you secured the appropriate data

LoneAce (226)

@superwhiskers I don't know whether this works in Python but if another person runs the code won't they be able to see the data in the log? Anyway I am also using the server for other projects so I made it private for the meantime

superwhiskers (40)

@LoneAce assuming you don't log it, no. but i could try and bruteforce the endpoints anyways. point is, there was zero security in the architecture to begin with, open sourcing it would only save me the time

LoneAce (226)

@superwhiskers Hm true. Would take days but I know it will work
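
The server-side design suggested in the thread (the server proxies messages to the store and checks moderator credentials itself), as an added example that is not part of the original posts or of anyone's repl. `ChatServer`, its method names and the in-memory dict standing in for the JSON store are assumptions, and salted PBKDF2 from the standard library is used in place of the bcrypt mentioned above.

```python
import hashlib, hmac, os, secrets

ITERATIONS = 200_000                    # PBKDF2 work factor (assumed for this sketch)
NO_BRACKETS = str.maketrans("", "", "[]")  # brackets are reserved for server tags

def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

class ChatServer:
    """Hypothetical server: clients never see the store or its secret."""

    def __init__(self, mods):
        # mods: {username: password}; only salted hashes are kept
        self._mods = {name: hash_password(pw) for name, pw in mods.items()}
        self._sessions = {}            # session token -> mod username
        self._rooms = {"public": []}   # stands in for the remote JSON store

    def login(self, username, password):
        """Return a session token for a valid mod login, else None."""
        salt, expected = self._mods.get(username, (b"\0" * 16, b""))
        _, candidate = hash_password(password, salt)
        if username in self._mods and hmac.compare_digest(candidate, expected):
            token = secrets.token_urlsafe(32)
            self._sessions[token] = username
            return token
        return None

    def post(self, room, name, text, token=None):
        """Store a message; the [MOD] tag is decided here, not by the client."""
        mod = self._sessions.get(token)
        # A mod's name comes from the session; anyone else loses typed brackets.
        clean = mod or name.translate(NO_BRACKETS).strip() or "anon"
        shown = f"[MOD] {clean}" if mod else clean
        self._rooms[room].append((shown, text))
        return shown

    def kick(self, room, token):
        """Stand-in for a mod-only action: refuse without a live mod session."""
        if token not in self._sessions:
            return False
        self._rooms[room].clear()
        return True

    def read(self, room):
        return list(self._rooms[room])
```

A forked or edited client can drop its own checks, but it still has to call `post` and `kick` on the server, where the decision is made.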