Please don't use KeyAuth for your projects
Chapter 1: An old friend
In the last 3 weeks I’ve been messing around with projects made in Python and their license systems.
A name that rang an old bell was the name KeyAuth, a very old service that advertises itself as “Effortless, Next-Level Authentication” while having “Craft Secure and Reliable Applications” as its main selling point.
I was no stranger to KeyAuth, as I was a customer back in 2022, even being a part of the staff for a short time under the name SmoK.
However, I stopped due to the lack of security and the plentiful “patchers” for it.
Chapter 2: The Idea that shouldn’t have worked
Seeing it again, I decided to mess around with it a bit using mitmproxy. I was disappointed to see that they still use plaintext for credentials.
Seeing this struck me with an idea: what if, using a mitmproxy script, I could just replace the auth credentials with my own? So I did just that.
The script was not complex in any way; all it does is intercept the request to it and change the information.
It allowed me to change the authentication and just use a license key generated by myself.
This left me speechless: a service with 5 years of experience specifically on this should not be vulnerable to an attack like this. I immediately notified the coders of the app that was using KeyAuth.
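A defensive counterpart to the swap described above, as an added example that is not the author's script or KeyAuth's code: a client that only reads the success flag accepts a response issued for another application account, while a client that checks the response is authenticated and echoes its own app ID, key and nonce rejects it. The app IDs, keys, secrets and message layout are constructed, and HMAC stands in for a pinned-key signature so the example runs on the standard library.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical protocol and constructed values; this is not KeyAuth's API.
# HMAC keeps the example stdlib-only. A shipped client should verify an asymmetric
# signature against a pinned public key, so no forging key lives in the binary.
APP_SECRETS = {"vendor-app": b"constructed-secret-A", "other-app": b"constructed-secret-B"}
LICENSES = {"vendor-app": {"KEY-VENDOR-1"}, "other-app": {"KEY-SELFMADE-1"}}


def _mac(secret: bytes, body: dict) -> str:
    return hmac.new(secret, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def server_check(request: dict) -> dict:
    """Licensing server: validates the key for whichever app the request names."""
    app, key = request["app_id"], request["license"]
    body = {"success": key in LICENSES.get(app, set()), "app_id": app,
            "license": key, "nonce": request["nonce"]}
    return {"body": body, "mac": _mac(APP_SECRETS[app], body)}


def rewrite_in_transit(request: dict) -> dict:
    """Models the interception: app identity and key are replaced before the server sees them."""
    return {**request, "app_id": "other-app", "license": "KEY-SELFMADE-1"}


def naive_client_accepts(response: dict) -> bool:
    """Weak check: trusts whatever success flag comes back."""
    return response["body"]["success"]


def bound_client_accepts(response: dict, sent: dict, secret: bytes) -> bool:
    """Hardened check: response must be authentic and answer the request we actually sent."""
    body = response["body"]
    if not hmac.compare_digest(_mac(secret, body), response["mac"]):
        return False  # not issued for this application
    same_request = all(body[f] == sent[f] for f in ("app_id", "license", "nonce"))
    return same_request and body["success"]


def run(user_key: str, tampered: bool) -> tuple:
    """Returns (naive client verdict, bound client verdict) for one license check."""
    sent = {"app_id": "vendor-app", "license": user_key, "nonce": secrets.token_hex(16)}
    response = server_check(rewrite_in_transit(sent) if tampered else sent)
    return (naive_client_accepts(response),
            bound_client_accepts(response, sent, APP_SECRETS["vendor-app"]))
```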
Chapter 3: Gratitude comes a long way
The coders of the app were extremely grateful and friendly, a rare thing in today’s vibe coding world, even thinking that it was their fault (it wasn’t in any sort of way).
In the end I want to express my sincere opinion: Please, for the love of god, do not use KeyAuth in production-ready versions of your application. Actually, please do not use it at all. All you’re doing is trusting another service to take care of the most important thing when making a digital product: the licensing, and they do it terribly.