![[PSA] MULegend Account Security Risk](https://www.elitepvpers.com/forum/iconimages/early-access-games/psa-mulegend-account-security-risk_ltr.gif){kind=small}
[PSA] MULegend Account Security Risk
Anyone who can get the right Authentication Key after you login can LOGIN any account without knowing the Exact Username & Password of that account.
How is that possible?
Simple because the Launcher from you are logging in store your Data in a encrypted string and pass it to the Client as the Parameter.
Example:
Mulegend.exe <YOUR ENCRYPTED DATA>
With that, MULegend.exe will validate it if the account is correct or not. But since there is already a validation from the Launcher. The Data being passed to the MULegend.exe is 100% Correct and it will just logged in that account.
How is this a risk to you?
A malicious programmer can create an application that gathers MULegend's Encrypted Data and save it or perhaps mail it back to him.
Once he has the data, he can login to any account according to the data he has gathered.
Since the Client (MULegend.exe) has no 2nd security authentication in game ANYONE CAN LOGIN ANY ACCOUNT AS LONG AS THE DATA IS CORRECT.
Ive included as simple app in this post to gather your AuthKey.
Instructions are in #README#.txt
I've included an example account (encrypted data) in Start Game.bat. For you to test.
Just a note, I have not tested this outside my network.
Edit:
Upon further observation, it appears there's also a SessionKey included. This sessionkey expires within certain amount of time. It may not be much but still risky if the malicious user gets your AuthKey and login as soon as possible.
