
FMForums.com


Solution / : Custom Login Screen

Description: FileMaker custom login screens -- I'm looking for someone to try and hack this, crack this, break this, get through this, using whatever tools or methods they might have in FM or developer or anything else they see fit to rely on.

I made this a while ago and I've forgotten the password soooo... But if no one manages to crack it within two weeks, I'll recreate the file and post it in this thread as a sample.

EDIT 3: DEVELOPMENT ON THIS FILE WILL NOT CONTINUE DUE TO VARIOUS METHODS DISCOVERED AROUND FM'S PRIVILEGE SETS

Working Under:

Solution Status: Untested

Pre-requisites:

Author(s): Genx

Date: 02/09/07

Credits:

Instructions / Other Info:

Disclaimer:

FM Forums does not endorse or warrant that these files are fit for any particular purpose. Do not post or distribute files without written approval from the copyright owner. All files are deemed public domain unless otherwise indicated. Please back up every file that you intend to modify.

customLogin_v2.zip

  • Author

Forgot to mention, this is a Backend Frontend split.

Here you go:

Steve

Genx.jpg

Edited by Guest

How did you do it man?

I'd like to know how you hacked because I'd like to use a custom login screen but... it seems to be unsecure.

Thanks

I am definitely not a hacker, and I don't want to make this widely known. It took less than 2 minutes.

I think Comment pointed out that unless you remove the ability to modify the file (using the Developer Tools in 8-8.5 or similar in earlier versions), it is too easy to crack.

Steve

Is the original login screen of filemaker more secure than a custom one?

  • Author

So much for that.. I'll be back.

And the answer is not certain at this point.

Edited by Guest

  • Author

I invite other people to continue trying to get in -- I now know of only one method to do it. You're going to have to get very creative.

It's too easy, Genx

administrator

administrator

  • Author

I just tried that and it doesn't work. If you're right and it does work (which it probably does):

A) That's a real password and I set it to something simple so I wouldn't forget (but I did forget ... god I'm dumb)

B) That's a privilege password -- It'll get you into the front end but that's it. You have no access to the backend

sorry, Genx, I don't speak English.

BE.png

congratulation.png

  • Author

What user name and password did you use though?

Because the only account with the same user and password in backend and front end was the administrator account.

... and I tried administrator administrator and I can't get it to work

Edited by Guest

Hi, Genx

You can use all accounts and passwords, but I can't tell you how I did it.

I suggest you don't use a custom login screen in future.

  • Author

Keep breaking please and if you do manage to break in, please Private Topic me and let me know how you did it and I'll try and stop it.

I don't think playing this game is helping anyone to understand the issues here.

  • Author

That depends entirely on what "game" you think I'm playing, comment.

Please read the PT I sent you before you reply to this

Hi Genx, I want to help you.

To bypass your custom login screen I executed the hidden script "unlock status area"

et voilà.

Now, in your example, you can remove the script "unlock status area", but in a large solution there are many hidden scripts and I can execute one of these to bypass your custom login screen.

I suggest you don't use a custom login screen.

Bye :)

Ann

  • Author

Thanks Ann!

In a larger solution, and in this one for that matter, that script shouldn't have been available for welcome users. Looks like I just forgot...

Thanks again.

Hi Genx

For "welcome" no, but for other accounts yes.

In a large solution a GTRR script is also sufficient to bypass your custom login screen, and a GTRR script is always available for "welcome"

Bye :)

Ann

  • Author

True, but define scripts isn't... Also if layout access is disabled, well that option's blocked too. I'll post another file tomorrow some time to show what I mean.

  • Author

A revised file is now available -- See original post for new file

Edited by Guest

Hi Genx,

another congratulation is now available.

Please don't use a custom login screen.

I am not a hacker but I always can bypass it.

Australia 0 vs 2 France

Do you want to do another round?

Ann

new_congratulation.png

  • Author

Hmmmm... Care to share this time?

The reason being.. My main concern here is that that layout is not accessible to the welcome account at all -- i.e. it's blocked. So even if you had bypassed the script and managed to get to it, you shouldn't have been able to view the layout -- Whether you were using a custom login screen or not.

Can you please PT me a screenshot of the bottom portion of the layout?

Edited by Guest

OK Genx, I want to help you another time.

Ann

bottom.png

  • Author

Thanks Ann.

So you actually logged in? Those calcs are pulling the real privilege sets... I'm at a real loss as to how you did that... Like I said, administrator accounts force you to login twice, using only FileMaker login.

Edited by Guest

Hi Genx,

If you want your custom login screen to work, you must leave only the "welcome" account.

But if you leave only the "welcome" account, your large solution doesn't work.

sorry for English

Ann - France

  • Author

Well last time you got in by unlocking the side bar... what did you do this time?

Genx, what do you hope to accomplish that FileMaker's own Privileges won't give you? You are attempting to reinvent the wheel that FileMaker Engineers have already invented (very well, I might add). It may not be totally uncrackable (nothing is) but, if THEY can't make it uncrackable, what makes you think YOU can?

I'm at a loss to understand ...

LaRetta :wink2:

Well last time you got in by unlocking the side bar... what did you do this time?

relogin

Ann

.... My question is now how FileMaker's privilege restrictions are being bypassed.

I can bypass your "default open script" and i can bypass your "default open account"

Ann

  • Author

... and do what? That just means you have to login using FileMaker Relogin anyway... Which is exactly what you'd have to do even if there was no custom login screen.

Edited by Guest

While I can understand that some of this is fun, and some of it is frustration, but there is a lot to learn from this :bang:

After trying for an hour now I can get into this file also, and I am no hacker also !

I have to say though that there is a need, other than what FMP staff has given us to use this kind of technique.

I have used this kind of approach for locking the screen when unattended. It would be suicide to show it here though B)

Xoomaster

All I can say now is that there is too much on display even in a DB with the best login methods. I do not want to give any more away, but what the heck is this about:

I hope version 9 fixes this problem!

Xoomaster

  • Author

Oh well. I guess I quit, Sorry for wasting everyone's time and looks like I'll just have to be happy with a splash screen... And at least now I know I can't trust FileMaker privileges for anything.

...... And at least now I know I can't trust FileMaker privileges for anything.

well Genx,

I have written that in my first post.

I am sorry for my English.

Ann

  • Author

Hi Ann,

All your points are taken, but I still don't know how you logged in to the administrator account -- It has nothing to do with the rest of this.

Hi Ann,

All your points are taken, but I still don't know how you logged in to the administrator account -- It has nothing to do with the rest of this.

Hi Genx

yes, It has nothing to do with the rest of this.

I use telepathic powers in order to make this.

Ann

  • Author

Hmmm yes, welllll

  • 1 month later...
  • Author

You know what really tells me something here though?... The fact that this topic got 2400 views.

Get your act together FMI and give us the ability to provide decent logins!

Hi Genx,

We can have a decent login only if we can stop "passware"!

Can you stop it?

Ann

  • Author

I don't know if I could stop it, it's not my job to stop it, I don't work at FMI, I don't get paid to fix their software so I wouldn't waste my time... but, I do pay $432.00 AUD per license (that's more than the OS it runs on) for someone else to stop it.

SQL seems to stop it... MySQL seems to stop it... Zipped files are secure...

I wouldn't walk into a clients office and say here, buy my system for $10,000, it's good, but when it breaks down in 1 month because I couldn't do a decent job building it, you fix it, it's not my responsibility.

And just FYI, "passware" isn't stopped even with their current dialog login system... this is a flaw in their product and up to them to address it -- that's why they get paid -- not me.

Stop thinking that I have something against FMI as a whole... I like the product, but the truth is they are a commercial profit seeking company, that needs to be able to match itself to the competition... it can't do this if people like me don't whinge!

Edited by Guest

Hi Genx,

now it's not possible to have decent logins.

First FMI must stop "passware".

Ann

there is a way to stop "passware" :)

Try to crack this

Empty.zip

To log:

Account: Admin

Pwd: nopwd

Hi Danielle,

I have known this trick in 1999.

You must recover it.

et voilà :laugh:

remember: only FMI can stop Passware!

Ann

Yes, but the recovered file has this pwd:

FZQTGJ8

Hi Daniele,

does it change something?

You can open the recovered file.

Ann

  • Author

Am I missing something here?

Here is some simple advice :

Do not allow your files to be opened by FMP Advanced!

Also get rid of the option "Recover".

Build in an option that replaces the DB structure in case of illegal entry! This one you have to work on!

Remember the golden rule is "if they don't have your file, they can't crack it!" so keep your files safe!

Edited by Guest

  • Author

Do not allow your files to be opened by FMP Advanced! ... how does one achieve that?

Also get rid of the option "Recover".

... likewise here?
