PSA: VASSAL Security Issue

By Ardaedhel, in Star Wars: Armada

Hey guys, sorry to post what's really an off-topic on the main forum, but this is actually potentially kind of serious.

Bottom line up front: if you have ever used a "real" password in VASSAL (i.e., one that you use for anything else), that password has been exposed publicly and you need to go change the credentials on any other account that uses that password. Do not ever use a real password on VASSAL.

If you're interested in the details:

I'm a security analyst IRL, and like to dabble in coding for funsies. I'm working on a project that involves interacting directly with .vlogs, so I dug into the structure of those files. After reading the code that obfuscates those files, it was extremely trivial to deobfuscate them. I probably could have guessed it faster than it took me to read the code to figure it out.

When I started poking around to figure out the structure of the log file, I found that the VASSAL log file saves the username and password of every player who was in the room at any time while that log was running, in (trivially obfuscated) plain text. This means that any opponent you've had that ran a log of your game has your password; anywhere you've posted a logfile for tournament results, they were exposed there; anyone who dropped in to watch your game could have run a .vlog to get your credentials--and not only that, but they were almost definitely passed in cleartext over the open internet in the creation of the game room (I haven't bothered to run an actual packet capture to verify this, as it's not very important).

Free advice: if you're putting a password into an application that feels a little bit hinky, use a throwaway. In fact, since I'm on my soap box anyway, you should use a password manager so this isn't an issue for you anymore.

And just to be clear, this does not mean that it is dangerous to use VASSAL and you need to stop using it. I have no reason to think, nor am I particularly qualified to identify, that VASSAL has any kind of other vulnerabilities. So, keep playing... just know the risks so that you can protect yourself.

For anyone concerned about ethical disclosure:

I've been in touch with the lead dev on VASSAL, who assured me that remediating this is on their roadmap for a future release. "Don't use a real password" is their workaround in the meantime.

Edited by Ardaedhel

Again, sorry for the churn--if this doesn't apply to you, feel free to ignore it. I felt that there is a significant enough portion of our community that uses VASSAL, some less tech-literate than others, that there's a pretty good chance that someone here is impacted by this.

And I'd rather make 50 people read it here and think "pfft, VASSAL passwords are insecure, duh!" and catch that one guy whose bank account was exposed, than stick it in Off-Topic for all five people that would see it there.

Haven’t been on Vassal for a while, but I guess it was time to change my passwords anyways. Thanks for the heads up, Ard!

Interesting - not sure I used a 'real' password for VASSAL (at least, not one I've used online within the past decade or so). Any easy way to check? Pretty obvious that the .VLOG itself is a zip file, including a group of compressed files. Two of them obviously XML format, but the third is...what? I assume the source of the security vulnerability? Not sure I see how to parse that thing, though...

11 minutes ago, xanderf said:

Interesting - not sure I used a 'real' password for VASSAL (at least, not one I've used online within the past decade or so). Any easy way to check? Pretty obvious that the .VLOG itself is a zip file, including a group of compressed files. Two of them obviously XML format, but the third is...what? I assume the source of the security vulnerability? Not sure I see how to parse that thing, though...

If you're not sure what password you used, it's also stored locally in plaintext.

Mine (I'm pretty sure it's the default location) is stored in:

C:\Users\(username)\AppData\Roaming\VASSAL\prefs\Star_20_Wars_20_Armada

Open that file in Notepad and look for "SecretName=". If you have a password saved in your preferences, it'll be there. In plain text.

Edited by Ardaedhel

For what it's worth, you can change the password in preferences. It doesn't look like you can, but just write something new in, and it will be changed.

This is outright appalling. I knew it was bad, but to have it as part of the log file is awful.

Ah well, cheers for the info Ard.

I use the most secure password ever known in the whole galaxy.

Edited by Marinealver

Thanks @Ardaedhel . I don't use Vassal myself, but I sincerely applaud your efforts in this matter.

Didn't someone just talk on Facebook about the superiority of Vassal over TTS?

Thanks for the heads up. Not everything has Enigma-machine-level security; it's just good to know who does and who doesn't.

16 hours ago, Ardaedhel said:

If you're not sure what password you used, it's also stored locally in plaintext.

Mine (I'm pretty sure it's the default location) is stored in:

C:\Users\(username)\AppData\Roaming\VASSAL\prefs\Star_20_Wars_20_Armada

Open that file in Notepad and look for "SecretName=". If you have a password saved in your preferences, it'll be there. In plain text.

Right, but that isn't exactly the logfile, no? I mean, when you upload a vlog or something to report on a match, that isn't included in it.

(In plaintext is one thing, in plaintext and also copied to a potentially-public logfile is something else quite different)

Just now, xanderf said:

Right, but that isn't exactly the logfile, no? I mean, when you upload a vlog or something to report on a match, that isn't included in it.

No, that's not the logfile.

Yes, the password is also in the logfile.

No, I'm not going to explicitly detail here how to retrieve passwords from the logfiles that are all over the forum and everywhere. :)

It bothers me that Ard could now get into my Warlords account and change all my sensor teams to ordnance experts.