Set ID Vulnerability

From WikiMeower

The Set ID Vulnerability (also known as Set ID Vuln or the vuln) was a vulnerability found in the server on February 6th, 2022 that allowed anyone to account jam (permanently deny access to accounts), fill the user list, and essentially take over an entire account without knowing its password.

This vulnerability was found by melt2002, who had been working on a project and stumbled upon the vulnerability with the help of Tnix<ref>Tnix, https://discord.com/channels/910201937352347648/910208513740005447/940091492763074590</ref><ref>Tnix, https://discord.com/channels/910201937352347648/910208513740005447/940445873861705809</ref>.

Discovery

On February 6th, 2022, melt2002 had been working on an OAuth system for Meowex. Bloctans mentioned a certain error code, and melt2002 shared their solution of using:<ref>melt, https://discord.com/channels/910201937352347648/910208513740005447/940090177865547776</ref>
{"cmd": "setid", "val": "(YOUR USERNAME)"}
...which was followed by Tnix replying with "where did you have that error code?"

melt2002 stated the error code occurred in a Scratch project with CL Turbo, and that they couldn't use a crucial Meower command without it. This continued for a while.

On February 7th, 2022, hours after getting the aforementioned project's source code, Tnix tested the vulnerability and found that it didn't seem too severe. After more testing, Tnix found more severe aspects of the vulnerability, such as account jamming and taking over accounts.

Users found out about the issue as Tnix filled the server's username list with fake usernames using the vulnerability. With MikeDEV asleep, Tnix and william did their best to deal with the issue, and the DNS record for server.meower.org was deleted. This prevented people from logging in, and a maintenance page was put up on app.meower.org and beta.meower.org.

On February 8th, 2022, MikeDEV dealt with the vulnerability, and Meower was protected against the Set ID vulnerability.

On April 7th, 2022, Tnix discovered more about the vulnerability: while playing around with an old Beta 4.5 client, they found it wasn't authenticating properly. After looking at the server source code, they concluded that the cause was the client type: if a client set its client type to scratch, the server would not give it an auto ID. This caused some weird behavior, like being able to set an ID manually after authenticating, which allowed a client to set its ID to someone else's and have full control over that account (including moderator permissions).
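
The root cause described above can be shown with a small model of the session state. This is an added example, not Meower's or CloudLink's server code: the `Session` class, the function names, the status strings and the usernames `alice` and `bob` are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    authed_user: Optional[str] = None  # set only by a successful login
    client_id: Optional[str] = None    # identity the server acts on

def login(s: Session, username: str, client_type: str, always_bind: bool) -> None:
    """Model a login whose password check already passed (assumed)."""
    s.authed_user = username
    # Flawed variant: "scratch" clients are not given an automatic ID,
    # so the session stays authenticated but has no ID bound to it.
    if always_bind or client_type != "scratch":
        s.client_id = username

def setid_flawed(s: Session, val: str) -> str:
    """Accept any client-supplied ID while no ID is bound yet."""
    if s.client_id is None:
        s.client_id = val
        return "ok"
    return "id-already-set"

def setid_hardened(s: Session, val: str) -> str:
    """The ID comes from authentication; setid can only confirm it."""
    if s.authed_user is None:
        return "refused-not-authenticated"
    if val != s.authed_user:
        return "refused-mismatch"
    s.client_id = s.authed_user
    return "ok"

def run(always_bind: bool, setid) -> tuple:
    """Log in as 'alice' with client type scratch, then send setid 'bob'."""
    s = Session()
    login(s, "alice", "scratch", always_bind)
    return setid(s, "bob"), s.client_id

if __name__ == "__main__":
    print("flawed  :", run(False, setid_flawed))    # session ends up as bob
    print("hardened:", run(True, setid_hardened))   # session stays alice
```

In the hardened model the server binds the ID at login for every client type and never takes the identity from the `setid` value, which also stops unauthenticated sessions from claiming names in the user list.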

References