Harassment Campaign Using dynmap #4169
Comments
|
I can confirm this is an issue, me and dam have been harassed a lot today, maybe more people as well |
|
Can confirm too. This is like the third time this is being done against me, happened multiple months ago already. |
|
Yeah, can confirm that this currently being used and has been used to harass DAM and the members of Server Scanning Inc. |
|
Question to those who have experience from this. Do they do actually anything or it this just spamming? And is there something I could do to not get those messages? I had been also harassed with this this morning. |
|
They use scanning software to find servers with this config option set wrong where they can spam the servers console with messages, and usually spam links to people they do not like, telling the owners to go and harass people from whatever discord server thats completely unreleated, in attempt to get the owners of the discord server and other members harassed for something they never did |
open the dynmap config and change the setting - class: org.dynmap.SimpleWebChatComponent
allowchat: true
# If true, web UI users can supply name for chat using 'playername' URL parameter. 'trustclientname' must also be set true.allowchat to " |
|
Is there any other ways to do that. I mean, I wouldn't necessarily want to disable chat on the dynmap. If I remember correct, was there a some sort of auth system for it? If not Then i guess i have to disable it for now :( |
|
Yeah, this is a significant security issue |
|
Agreed. This is a pretty big issue. |
@MrJuuq You can re-enable chat and under |
|
Whoever enabled the chat functionality by default, and allow anonymous people spamming it, was drunk, in my opinion. |
|
It shouldnt take place in ANY software. Even if they do not want to disable chat by default, they should at least implement authentication, so only people trusted by the server owner can chat there, and view messages |
|
I agree, sending messages without authentication should not have been a default option. I have been a witness of this on both the server owner part and as a moderator of Funtimes' community. |
|
This simple misconfiguration has caused several issues in many communities, such as moderator overload, a risk of having the server terminated via mass-report, and spamming welcome messages (and accompanying wave stickers, in some circumstances) in chats of these communities as well. No level of harassment should be tolerated, and as such, require-player-login-ip should be set to true by default. |
|
Pretty big issue. More sane and secure defaults should really be in order here to stop this from happening again in the future, when the feature is inevitably targeted once more. |
|
It should be the responsibility of the developer of a software to provide safe default options. |
most users don't change the defaults (unless instructed/forced to), so keeping the defaults insecure by default is an issue on the developer's side |
|
i want to confirm this is an issue |
Dynmap is indirectly enabling these kinds of smear campaigns by refusing to change the defaults despite the numerous cases of the feature in question being used in a malicious way |
|
I also think this should be changed, I've seen many people be a victim of this and it hurts our community |
|
I also think this should be changed |
Switching to bluemap rn |
|
Please do not clutter the issue. A lot of people also get notifications via email. It's not fair that we fill their inboxes. |
They can unsubscribe |
|
I'd also like to see it changed. |
|
yeah.. seems like the devs behind this arent really listening |
|
Another time I am reminded why Bluemap is so much better |
Users can unsubscribe if they wish. That doesn't mean users can't state new insights into why this should be disabled. |
If the maintainers wish to not hear about those affected, they can fix the issue. And as for cluttering the inboxes of those who are simply replying to this thread, that is unfortunate but I don’t believe the maintainers of dynmap will do anything about this issue unless we make our voices heard. |
|
migrated everything to bluemap and my ingame chat is now super clean - no more crypto scam advertisements which appeared when i was using dynmap :D |
a lot of features that were good got closed or ignored. switched to bluemap a long time ago, never going back |
|
Secure defaults should be the least a user can expect. I don't see why #4027 shouldn't be merged. It doesn't detract from functionality, and makes enabling an unsafe option a conscious process from the user's side. No features are removed and your users want this, I can't think of why this hasn't been merged yet? |
|
yay bluemap |
The devs have lives too, y'know. They do work on Dynmap WHEN they can, and that's a fact from issues/PR's before this.
It's a 2-way street:
In any case, let's just wait for an updated release and not act like kids. |
there already was a pullrequest to fix this and it was declined |
You can say this about alot of things, but in this case the insecure default doesn't just effect the person who installs the software. It's like when windows had a huge security vulnerability that you had to configure your own firewall to fix that it was the end users fault that they got hacked, not windows default firewall not protecting SMB properly. (Refering to EternalBlue) You cannot expect a kid to properly protect their first Minecraft server on their own. |
it should be the developers responsibility to disable vulnerable features by default |
blu. |
|
This is happening to me again, please can we have an update? |
MonkeySaint
changed the title
MonkeySaint
changed the title
|
Mod dev of Discord Integration here I already made a PSA about this on my discord telling everyone to disable their webchat, or make it login only, and to not pay any ransom. |
and others
Dear the dynmap team
There is currently a harassment campaign against the group SSI and the people Funtimes909 aka Amy, damcraftde aka Dami.
The group doing this used to be advertising their Discord server by spamming servers using your chat!
After their Discord server got terminated, they realized they could enact a personal vendetta.
This doesn't just affect your users but also many other people.
This would be fixed by enabling require-player-login-ip by default, disabling chat or adding any kind of security to the chat so harassment bots cannot keep spamming servers.
Please look at #4027 which enables require-player-login-ip by default. At least as a temporary fix until there is some security added to the chat of dynmap
Thank you,
MonkeySaint
The text was updated successfully, but these errors were encountered: