We have detected that RCON passwords were being leaked by /debugpaste on both Cloudburst Nukkit and PowerNukkit. If you have set enable-rcon to on in server.properties and you have used /debugpaste at least once, then you must change the rcon.password line in the same file and restart the server immediately! If you don't have that enabled but you also used /debugpaste, you should also change the rcon.password, as it is now compromised.
RCON allows a remote administrator to execute commands in your PowerNukkit server with OP permissions as if the user were typing the commands in the console.
We have already patched the backend that receives /debugpaste upload from newer PowerNukkit versions to auto-remove the rcon.password, and we have already removed the passwords that were leaked from the existing pastes, but a malicious user could have noticed the leak and saved the password before our removal.
Every /debugpaste upload (from newer PowerNukkit versions) is recorded in the debugpastes folder in your server; you can find all the URLs that were generated in the .url files there.
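One way to run the check described above on a server directory, as an added example that is not PowerNukkit or Cloudburst code: it reads server.properties, lists the URLs recorded under debugpastes, and replaces rcon.password with a random value. It assumes the .url files hold the paste URL as plain text and that "on" or "true" means enabled; the sample directory and paste URL are constructed.

```python
import re
import secrets
import tempfile
from pathlib import Path

ENABLED = {"on", "true"}  # assumption: values that mean "enabled"

def read_properties(path):
    """Parse key=value lines of server.properties, skipping comments."""
    props = {}
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def audit(server_dir):
    """Report RCON state and every recorded /debugpaste upload URL."""
    root = Path(server_dir)
    props = read_properties(root / "server.properties")
    urls = []
    for f in sorted((root / "debugpastes").glob("*.url")):
        # Assumption: the URL appears as plain text somewhere in the file.
        urls += re.findall(r"https?://\S+", f.read_text(errors="replace"))
    return {"rcon_enabled": props.get("enable-rcon", "").lower() in ENABLED,
            "paste_urls": urls,
            # Rotation is advised after any /debugpaste, RCON on or off.
            "rotate_password": bool(urls)}

def rotate_rcon_password(server_dir):
    """Drop any rcon.password line and append a fresh random one."""
    path = Path(server_dir) / "server.properties"
    new = secrets.token_urlsafe(24)
    lines = [l for l in path.read_text(encoding="utf-8").splitlines()
             if not l.strip().startswith("rcon.password=")]
    lines.append(f"rcon.password={new}")
    path.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return new

def demo():
    """Audit and rotate on a constructed server directory (sample data)."""
    root = Path(tempfile.mkdtemp())
    (root / "server.properties").write_text(
        "enable-rcon=on\nrcon.password=old-secret\n")
    (root / "debugpastes").mkdir()
    (root / "debugpastes" / "sample.url").write_text(
        "URL=https://paste.example.invalid/abc\n")
    report = audit(root)
    if report["rotate_password"]:
        rotate_rcon_password(root)
    return root, report
```

An empty debugpastes folder does not prove the password is safe, because only newer PowerNukkit versions record their uploads there. The new password takes effect only after the server restart the advisory calls for.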