PSA: Flaw Identified in Voidwatch Addon (Ban Risk)
Quetzalcoatl.Langly
Server: Quetzalcoatl
Game: FFXI
Posts: 684
By Quetzalcoatl.Langly 2019-11-18 18:02:10
Remember to comment out the pulse weapon part or enjoy your cells :)
cells
interlinked
VIP
Server: Fenrir
Game: FFXI
Posts: 674
By Fenrir.Niflheim 2019-11-18 18:10:18
Was he reporting “normal use” so he didn’t seem like he was purposely hacking the addon...
It was confirmed the use case is normal during the look into the issue, the person who reported the issue is also not likely the one who modified the file, though couldn't really say who did modify the file.
Great time to inform SE about this during a VW event. How many people were using this in last 2 weeks? How many people are gonna get nailed for this now inadvertently using it under normal conditions having no knowledge about a hack? Think SE will care that they didn't know about it?
This probably just killed a ton of people.
This is why the flaw was reported now. To inform the community of the flaw and not SE then the flaw will be exploited.
To inform only SE and not the community then more people might be banned.
It is also not known how widespread the use of the given variant for voidwatch.lua is or how SE will react to the report. If the issue has only come up as a result of the patch and no consistent exploitation is evident then there may be no bans, we just don't know.
The logic was almost coherent. Afraid of getting nailed again from last exploit and windower team getting blamed/targeted for lack of transparency. Now they are trying to do the right thing and be transparent... In the dumbest/stupidest/thoughtless possible way imaginable. At least their heart was in the right place?
It seemed this was the reaction the community expects: if the Windower team is informed of an exploitable flaw in the game, the flaw should be reported. This is the first time it's happened for the current team and that is what ended up being done with the information.
Leviathan.Nitenichi
Server: Leviathan
Game: FFXI
Posts: 383
By Leviathan.Nitenichi 2019-11-18 18:11:46
In the dumbest/stupidest/thoughtless possible way imaginable. Not at all, what is wrong with you and the rest of these vaccine drinking morons? ^^^
This, I can't believe ya'll. Are you that obtuse that you can't see? I mean the Windower team are the same people who don't really get *** for making the game better with things they bring to the table (additions QOL etc), what do most people here bring, just a lot of bitching, self-entitlement and crying. Man grow the *** up already.
Odin.Slore
Server: Odin
Game: FFXI
Posts: 1350
By Odin.Slore 2019-11-18 18:15:36
Quote: It is also not known how widespread the use of the given variant for voidwatch.lua is or how SE will react to the report. If the issue has only come up as a result of the patch and no consistent exploitation is evident then there may be no bans, we just don't know.
It would be great to know what some of the code was or an identifiable portion so people can check to know if people have that in their file. Think SE is going to be nice to those people and say, well you didn't know so we will let you slide this time?
Incoming ban hammer round 3? What we up to for rounds this week?
VIP
Server: Fenrir
Game: FFXI
Posts: 674
By Fenrir.Niflheim 2019-11-18 18:17:21
Is this an excellent troll, an actual dupe that got reported, or both?
The underlying behavior that allows the flaw to become an exploit was reported to SE, yes was actually reported.
By spengler 2019-11-18 18:19:29
Quote: It is also not known how widespread the use of the given variant for voidwatch.lua is or how SE will react to the report. If the issue has only come up as a result of the patch and no consistent exploitation is evident then there may be no bans, we just don't know.
It would be great to know what some of the code was or an identifiable portion so people can check to know if people have that in their file. Think SE is going to be nice to those people and say, well you didn't know so we will let you slide this time?
Incoming ban hammer round 3? What we up to for rounds this week?
Dude... delete your file and download the one in OP if you want to continue using this add-on. What problem do you have with this logic?
holy ***...
Odin.Slore
Server: Odin
Game: FFXI
Posts: 1350
By Odin.Slore 2019-11-18 18:21:43
WTF good does it do to people that already have a file that do not know if that code is even in there? They may have it in there and not even know. Yes they can get the new one but if they used the modified one what the hell good will that do?
Seriously spengler stop talking about *** you don't know
VIP
Server: Fenrir
Game: FFXI
Posts: 674
By Fenrir.Niflheim 2019-11-18 18:21:59
It would be great to know what some of the code was or an identifiable portion so people can check to know if people have that in their file.
Any code that differs from the one linked in the OP is likely bad, aside from just having values in the tables at the top of the file commented out.
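The check described in the post above, as an added example (not part of the original thread, and not code from Windower or the addon's author): it compares a local copy against the reference copy, lists lines that were merely commented out separately, and reports every other difference. The function name `audit` and the two sample strings are hypothetical, constructed stand-ins and not the contents of the real voidwatch.lua.

```python
from difflib import SequenceMatcher

def audit(reference_text, local_text):
    """Compare a local addon copy against the reference copy, line by line.

    Indentation and blank lines are ignored. Returns the lines that were only
    commented out (confirm these are table values at the top of the file) and
    every other difference (treat the file as bad if this list is non-empty).
    """
    ref = [l.strip() for l in reference_text.splitlines() if l.strip()]
    ref_set = set(ref)
    local, commented_out = [], []
    for raw in local_text.splitlines():
        s = raw.strip()
        if not s:
            continue
        # Lua line comment: "--" followed by text that exists in the reference
        body = s[2:].strip() if s.startswith("--") else ""
        if s not in ref_set and body in ref_set:
            commented_out.append(body)
            s = body  # compare as if the line were still active
        local.append(s)
    changed = []
    matcher = SequenceMatcher(None, ref, local, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            changed += ["- " + l for l in ref[i1:i2]]
            changed += ["+ " + l for l in local[j1:j2]]
    return {"commented_out": commented_out, "changed": changed}

# Constructed stand-ins for illustration; NOT the real addon's contents.
REFERENCE = """
local wanted = {
    'Item A',
    'Item B',
}
function open_chest()
    take(wanted)
end
"""
LOCAL = REFERENCE.replace("    'Item B',", "    --'Item B',").replace(
    "    take(wanted)\n", "    take(wanted)\n    extra_step()\n")

if __name__ == "__main__":
    print(audit(REFERENCE, LOCAL))
```

To use it on real files, read the downloaded reference and the installed copy into strings and pass them to `audit`; any entry under `changed` means the copy should be replaced.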
Server: Asura
Game: FFXI
Posts: 3184
By Asura.Geriond 2019-11-18 18:23:12
WTF good does it do to people that already have a file that do not know if that code is even in there? They may have it in there and not even know. Yes they can get the new one but if they used the modified one what the hell good will that do?
Seriously spengler stop talking about *** you don't know
The solution is to discard the old one regardless of whether you know which one it is. It's not hard.
By Jetackuu 2019-11-18 18:25:43
Leviathan.Nitenichi said: »In the dumbest/stupidest/thoughtless possible way imaginable. Not at all, what is wrong with you and the rest of these vaccine drinking morons? ^^^
This, I can't believe ya'll. Are you that obtuse that you can't see? I mean the Windower team are the same people who don't really get *** for making the game better with things they bring to the table (additions QOL etc), what do most people here bring, just a lot of bitching, self-entitlement and crying. Man grow the *** up already.
Indeed:
hmm newsflash: windower on its own is a bannable offense, although an unlikely one, everyone who has used it ever knows the risks, grow up.
By ryukin182 2019-11-18 18:29:06
In the dumbest/stupidest/thoughtless possible way imaginable. Not at all, what is wrong with you and the rest of these vaccine drinking morons?
It's clear you thought about how they could have done it better for about as long as it took you to think of that extremely weird and stupid insult.
They could have done a lot better job with how/when/what information was given.
By Jetackuu 2019-11-18 18:31:15
In the dumbest/stupidest/thoughtless possible way imaginable. Not at all, what is wrong with you and the rest of these vaccine drinking morons?
It's clear you thought about how they could have done it better for about as long as it took you to think of that extremely weird and stupid insult.
They could have done a lot better job with how/when/what information was given.
They have no obligation to. Grow up.
VIP
Server: Fenrir
Game: FFXI
Posts: 674
By Fenrir.Niflheim 2019-11-18 18:32:13
They could have done a lot better job with how/when/what information was given.
The team welcomes constructive criticism; this is the first time this has happened. If you have an example of how you would have liked it handled I encourage you to share it.
By Shichishito 2019-11-18 18:36:03
By Jetackuu 2019-11-18 18:36:42
temp bans from the Quetz lua sauce?
By segfaultvicta 2019-11-18 18:41:56
It's hard to do better than "<X> version of a piece of software has a glitch that could get you *** over, use <Y> instead, and any further details than that go to the authorities", from the perspective of someone who does computer security for part of their job. ;P Y'all just need to get over yourselves.
Props to the Windower team for the PSA; it's an unsupported addon so they easily could have said nothing and let tons of people screw themselves.
Literally nobody cares about bots that automate chest-popping except for pearl-clutching aunties who like to pretend they're not using GearSwap. SE doesn't, any more than they care about Windower itself. But something that sounds like it has the potential for some kind of severe, /unintentional/ bannable exploit is the kind of thing users ought to be made aware of ASAP.
By Chimerawizard 2019-11-18 18:42:04
They could have done a lot better job with how/when/what information was given.
The team welcomes constructive criticism; this is the first time this has happened. If you have an example of how you would have liked it handled I encourage you to share it.
that depends on the results, if SE goes ban happy on everyone who used a bad version before this thread was created ... tell us you told SE, but don't actually tell SE.
If SE doesn't get ban happy for using a non-sanitized version before this thread, keep up the good work.
Odin.Slore
Server: Odin
Game: FFXI
Posts: 1350
By Odin.Slore 2019-11-18 18:42:05
I do not give a damn for me cause I don't use it. I do have an ancient copy on my system but with the exception of some wording location it is the same.
I mention this because no information was provided like code was changed around such and such a timeframe or section of code is such and such so if people have that they understand they probably screwed but causing a panic without anything identifiable for the person is kinda wrong.
A simple if you have this partial line of code in your vw lua I got bad news for ya. Obviously it has already been reported so if anyone uses it after that they are a complete dumbass and deserve to be banned.
Server: Asura
Game: FFXI
Posts: 3184
By Asura.Geriond 2019-11-18 18:46:13
Whether you know if your version is risky (well, riskier than just the normal version) doesn't help you; all that matters is what you do in the future with it, which they supplied sufficient information for.
Asura.Eiryl
Server: Asura
Game: FFXI
By Asura.Eiryl 2019-11-18 18:49:33
Here's the thing though, the original was modified BECAUSE the cell/glow logic was flawed. It got modified to work properly.
Unless it's something else that was modified, this is why you can't be this vague.
Now I highly doubt that simply switching two numbers or REMOVING a line of code caused it, but nothing would surprise me.
Server: Asura
Game: FFXI
Posts: 34187
By Asura.Kingnobody 2019-11-18 18:53:22
Server: Odin
Game: FFXI
Posts: 4
By Odin.Bluemule 2019-11-18 18:56:19
Honestly a community PSA that said hey shits bugged, could lead to easier/more noticeable detection and bans, use this instead, we are investigating the issue and will report to SE when finished. Let the word get around without describing it explicitly as an exploit with potential upside, then after the ***storm calms down announce an end to said investigation (obviously can already found, potentially recreated and verified) report it to SE to allow for a better time window for the community to adjust what they have and give less of an excuse to the ignorant and stupid for continually using busted ***.
Granted this will probably only be rolling temp bans ala sphere botting or quetz so who really cares. But you can make the difference between putting people in the cross-hairs and helping the community.
Also follow up after (if any) SE action takes place to verify it's been fixed and what was the cause would be much appreciated.
Lakshmi.Avereith
Server: Lakshmi
Game: FFXI
Posts: 1214
By Lakshmi.Avereith 2019-11-18 18:56:49
is the modded one the one with heavy metal pouches being declared important items? idk
By cuddlyhamster 2019-11-18 18:58:35
Quote: Literally nobody cares about bots that automate chest-popping except for pearl-clutching aunties who like to pretend they're not using GearSwap. SE doesn't, any more than they care about Windower itself. But something that sounds like it has the potential for some kind of severe, /unintentional/ bannable exploit is the kind of thing users ought to be made aware of ASAP.
I always thought SE cared a lot about Windower. That's why they added to vanilla; Windower, Tparty, Timestamp, Yarnball, Spellcast
Server: Asura
Game: FFXI
Posts: 3184
By Asura.Geriond 2019-11-18 19:00:48
Doing that would both let the exploit fester for longer (opening up more people who are willing to take the risk to abuse it), give more chance for more people to get accidentally banned if SE figures it out first, and give them a higher chance of being retaliated against by SE because they knew about it but didn't immediately tell SE.
By gunn 2019-11-18 19:03:10
Who will be left in 2020?
By Artsncrafts 2019-11-18 19:07:40
This is what you get for doing Voidwatch in 2019
By ryukin182 2019-11-18 19:11:04
They have no obligation to. Grow up.
You're what we call a projector, attacking others immediately with insults then saying "grow up". I knew there were going to be trolls, but not bad ones like this. But you're right! They had no obligation since they don't support the addon they are in no way shape or form liable for backlash for the exploit aside from advertising it, which just happened. So a better way to handle it would be not at all for one instance.
But an even better way?
Honestly a community PSA that said hey shits bugged, could lead to easier/more noticeable detection and bans, use this instead, we are investigating the issue and will report to SE when finished. Let the word get around without describing it explicitly as an exploit with potential upside
Don't mention there's an exploit with an upside, this will cause 10x the amount of bans than there ever would have been if they said nothing. You can't/won't stop people from figuring out the upside of the exploit when they -know- it's there. You can even just say there's a line of code added that's not intended which will lead to a potential ban if that lua is used, here's a non-dirty lua.
This morning (November 18th, 2019) we were contacted by an anonymous user who had discovered a serious flaw in certain modified versions of the unsupported voidwatch addon that has been widely distributed throughout the community. Use of these modified versions of the addon could result in a ban. In light of recent events and the likelihood that users could unintentionally trigger this flaw we felt it was necessary to bring this to the community's attention.
We have contacted the author and confirmed that the original version distributed at the link below does not have this flaw. We believe this flaw was initially benign, but became exploitable following the emergency maintenance on November 13th, 2019; however, we cannot be certain of this. We will not provide details of how to exploit this flaw, and this issue has been reported to SE.
The original unmodified version of the voidwatch addon can be found at https://www.dropbox.com/s/ex1jtgqz4jtmxd8/voidwatch.lua?dl=0
This addon is not distributed by Windower, and is not endorsed by us in any way. Use at your own risk.