PSA: Flaw Identified in Voidwatch Addon (Ban Risk)
Asura.Eiryl
Server: Asura
Game: FFXI
By Asura.Eiryl 2019-11-18 19:12:59
Right, a smart person with the modded version just has to take 10 seconds, look at the original, and find the exploit.
Quetzalcoatl.Commencal
Server: Quetzalcoatl
Game: FFXI
Posts: 339
By Quetzalcoatl.Commencal 2019-11-18 19:14:25
Instead of guessing if your version is modified or not, it might be a better idea to stop using it altogether and lay low.
Server: Asura
Game: FFXI
Posts: 3184
By Asura.Geriond 2019-11-18 19:14:46
Don't mention there's an exploit with an upside, this will cause 10x the amount of bans than there ever would have been if they said nothing. You can't/won't stop people from figuring out the upside of the exploit when they -know- it's there. You can even just say there's a line of code added that's not intended which will lead to a potential ban if that lua is used, here's a non-dirty lua. The people who would be willing to try to figure out how the exploit works would do that anyway, regardless of if it was worded less explicitly.
This way it serves as a more effective deterrent to the people who are actually afraid of bans.
Server: Odin
Game: FFXI
Posts: 4
By Odin.Bluemule 2019-11-18 19:14:57
Doing that would both let the exploit fester for longer (opening up more people who are willing to take the risk to abuse it), give more chance for more people to get accidentally banned if SE figures it out first, and give them a higher chance of being retaliated against by SE because they knew about it but didn't immediately tell SE.
When has SE ever figured out something first especially with the manpower they have on their team currently.
Also, if people knowingly take the risk of trying to exploit something, especially immediately after the duping issue, then that's on them more than anything else. I also said phrase it in a way that's not saying it's explicitly an exploit, but use phrasing that should otherwise deter people while providing the fixed version.
But immediately reporting to SE can leave many people out of the loop and lead to potentially more bans on people who were not aware of the issue with no intention of trying to exploit it, especially if the spring update was supposedly supposed to be a "fixed" version.
Shiva.Thorny
Server: Shiva
Game: FFXI
Posts: 2746
By Shiva.Thorny 2019-11-18 19:16:34
This isn't some massive exploit, it let you get some extra pulse cells. Certainly nothing worth looking for or getting banned for.
It did not go active this month, I found it by accident 3 or 4 years ago.
It shouldn't be possible with the original lua. What happened in the later one was, someone modified code they didn't understand and overlooked a small thing, resulting in accidental exploitation.
That said, this just illustrates why some caution should be used when running a random lua some forum user told you to get. If you were using this AFK, you may have noticed you got a few cells without even realizing anything happened. Certainly not worth getting banned over.
Treat things with caution, and don't use scripts that use packets unless you absolutely trust the author of said scripts.
By spengler 2019-11-18 19:16:49
Right, a smart person with the modded version just has to take 10 seconds, look at the original, and find the exploit.
Yo Eiryl, I suggest you find out what it is and end on out to do some VW.
Report back in a week or so. Make sure to take all your characters.
Server: Asura
Game: FFXI
Posts: 3184
By Asura.Geriond 2019-11-18 19:18:25
Doing that would both let the exploit fester for longer (opening up more people who are willing to take the risk to abuse it), give more chance for more people to get accidentally banned if SE figures it out first, and give them a higher chance of being retaliated against by SE because they knew about it but didn't immediately tell SE.
When has SE ever figured out something first especially with the manpower they have on their team currently.
Also, if people knowingly take the risk of trying to exploit something, especially immediately after the duping issue, then that's on them more than anything else. I also said phrase it in a way that's not saying it's explicitly an exploit, but use phrasing that should otherwise deter people while providing the fixed version.
But immediately reporting to SE can leave many people out of the loop and lead to potentially more bans on people who were not aware of the issue with no intention of trying to exploit it, especially if the spring update was supposedly supposed to be a "fixed" version. Given that the topic said that the exploit was likely opened with the recent maintenance, and that SE is likely currently running over related code and possible exploiters with a fine-toothed comb, it's a lot higher than usual, I'd say.
Phrasing it differently would likely only hurt, not help. The people interested in figuring it out would take ANY announcement as a reason to inspect the coding closer to look for why it could be ban worthy, and making it explicit on WHY it could be ban worthy will more effectively scare off more legitimate players.
By cuddlyhamster 2019-11-18 19:21:05
Good on the team for notifying that a ban could happen, but they could have avoided the conspiracies and trolls if they had just posted in the other thread "we fixed the problem, here you go."
Server: Odin
Game: FFXI
Posts: 4
By Odin.Bluemule 2019-11-18 19:21:50
This isn't some massive exploit, it let you get some extra pulse cells. Certainly nothing worth looking for or getting banned for.
It did not go active this month, I found it by accident 3 or 4 years ago.
Thorny confirmed for duping pulse cells.
I do gotta love that these recent exploits were created from shitty code from people not knowing exactly what they were trying to do, interacting with SE's spaghetti code.
Lakshmi.Byrth
VIP
Server: Lakshmi
Game: FFXI
Posts: 6184
By Lakshmi.Byrth 2019-11-18 19:21:56
That said, this just illustrates why some caution should be used when running a random lua some forum user told you to get. If you were using this AFK, you may have noticed you got a few cells without even realizing anything happened. Certainly not worth getting banned over.
Treat things with caution, and don't use scripts that use packets unless you absolutely trust the author of said scripts.
This is true.
The Windower team has always curated the add-ons hosted in the launcher and are fairly happy with the safety and relatively innocuous nature of the launcher add-ons.
If you stray out of our realm into the wilds of all possible add-ons, we cannot protect you from yourself.
By Jetackuu 2019-11-18 19:27:34
You're what we call a projector, attacking others immediately with insults then saying "grow up". I knew there were going to be trolls, but not bad ones like this. But you're right! They had no obligation since they don't support the addon, so they are in no way shape or form liable for backlash for the exploit aside from advertising it, which just happened. So a better way to handle it would be not at all, for one instance.
It's funny that you think I'm insulting you. Again, grow up. There are trolls here, and I'm not one of them. Just the idiots like you who think the Windower team handled this poorly, which they didn't.
As for the idiots who say "what if I get banned, why did you report it?" Using any third party tools at any time can get you banned, it's no surprise. Don't be a *** moron.
By Artsncrafts 2019-11-18 19:28:46
That said, this just illustrates why some caution should be used when running a random lua some forum user told you to get. If you were using this AFK, you may have noticed you got a few cells without even realizing anything happened. Certainly not worth getting banned over.
Treat things with caution, and don't use scripts that use packets unless you absolutely trust the author of said scripts.
This is true.
The Windower team has always curated the add-ons hosted in the launcher and are fairly happy with the safety and relatively innocuous nature of the launcher add-ons.
If you stray out of our realm into the wilds of all possible add-ons, we cannot protect you from yourself.
All I'm thinking about is how the guy who reported the exploit is gonna get rekt all the same.
Shiva.Thorny
Server: Shiva
Game: FFXI
Posts: 2746
By Shiva.Thorny 2019-11-18 19:29:42
All I'm thinking about is how the guy who reported the exploit is gonna get rekt all the same.
tbh, the entire addon is a bot, it's not like it was masquerading as some innocuous helper, there's *** running easyfarm or whatever free farm bot on top of it on every HMP flux 24/7
this isn't something that deserves sympathy, be glad SE didn't ban you for the bot in the first place..
Lakshmi.Byrth
VIP
Server: Lakshmi
Game: FFXI
Posts: 6184
By Lakshmi.Byrth 2019-11-18 19:30:30
lol, as if SE will even respond to this without massive JP outcry.
By zaxtiss 2019-11-18 19:39:07
they might with recent events.
By ryukin182 2019-11-18 19:40:09
It's funny that you think I'm insulting you. Again, grow up. There are trolls here, and I'm not one of them. Just the idiots like you who think the Windower team handled this poorly, which they didn't.
I can't stop laughing.
"Not at all, what is wrong with you and the rest of these vaccine drinking morons?"
"Just the idiots like you who"
Yeah I must have imagined you insulting me then telling me to grow up like I'm the child you clearly are. This is 10/10 bad troll. This made my night better, thanks for the laugh. Can't make this up
Asura.Arico
Server: Asura
Game: FFXI
Posts: 535
By Asura.Arico 2019-11-18 19:46:08
lol, as if SE will even respond to this without massive JP outcry.
You’re implying a few extra cells isn’t going to shatter the economy the likes we’ve never seen.
By Felgarr 2019-11-18 20:07:24
This morning (November 18th, 2019) we were contacted by an anonymous user who had discovered a serious flaw in certain modified versions of the unsupported voidwatch addon that has been widely distributed throughout the community. Use of these modified versions of the addon could result in a ban. In light of recent events and the likelihood that users could unintentionally trigger this flaw, we felt it was necessary to bring this to the community's attention.
We have contacted the author and confirmed that the original version distributed at the link below does not have this flaw. We believe this flaw was initially benign, but became exploitable following the emergency maintenance on November 13th, 2019; however, we cannot be certain of this. We will not provide details of how to exploit this flaw, and this issue has been reported to SE.
The original unmodified version of the voidwatch addon can be found at https://www.dropbox.com/s/ex1jtgqz4jtmxd8/voidwatch.lua?dl=0
This addon is not distributed by Windower, and is not endorsed by us in any way. Use at your own risk.
If the Windower team is going to own the unmodified version of this addon, can you put it on github or make it available through the launcher? Dropbox links are so ephemeral. Besides, the launcher or github would ensure the modified Lua doesn't get surreptitiously passed around as the unmodified one.
Lakshmi.Byrth
VIP
Server: Lakshmi
Game: FFXI
Posts: 6184
By Lakshmi.Byrth 2019-11-18 20:10:35
The point is not to promote the add-on, but to encourage people to stop using the version that can unintentionally trigger the exploit.
Asura.Chiaia
VIP
Server: Asura
Game: FFXI
Posts: 1656
By Asura.Chiaia 2019-11-18 20:11:13
If the Windower team is going to own the unmodified version of this addon, can you put it on github or make it available through the launcher? Dropbox links are so ephemeral. Besides, the launcher or github would ensure the modified Lua doesn't get surreptitiously passed around as the unmodified one.
No, we are not owning it. I think you missed the point of why we even linked the unmodified version.
By Felgarr 2019-11-18 20:44:52
The point is not to promote the add-on, but to encourage people to stop using the version that can unintentionally trigger the exploit.
I understand that and I'm supplementing that point, with what should be the source of truth for trusted windower addons.
If the Windower team is going to own the unmodified version of this addon, can you put it on github or make it available through the launcher? Dropbox links are so ephemeral. Besides, the launcher or github would ensure the modified Lua doesn't get surreptitiously passed around as the unmodified one.
No, we are not owning it. I think you missed the point of why we even linked the unmodified version.
I missed nothing. I was referring more to the method in which this addon was being discouraged (and apparently, the source of truth here is a Dropbox link which could be dead tomorrow). You're welcome to dismiss my point and move on if you don't see the reasoning behind my suggestion.
Lakshmi.Elidyr
Server: Lakshmi
Game: FFXI
Posts: 912
By Lakshmi.Elidyr 2019-11-18 20:56:27
It's like deja vu....
Does anyone ever take responsibility for doing *** they choose to do around here, or just continually move the 'gray line' around to fit their own personal needs lol. I feel bad for the Windower devs. They give us nice ***, and some people have the audacity to give them *** for giving the community tools.
By Draylo 2019-11-18 21:00:05
Odin.Slore
Server: Odin
Game: FFXI
Posts: 1350
By Odin.Slore 2019-11-18 21:08:12
It's like deja vu....
Does anyone ever take responsibility for doing *** they choose to do around here, or just continually move the 'gray line' around to fit their own personal needs lol. I feel bad for the Windower devs. They give us nice ***, and some people have the audacity to give them *** for giving the community tools.
I appreciate the dev team highly and none of my posts have been negative towards them. I just disagree with their vagueness on this topic and disagreeing doesn't mean I despise someone.
My concern is the announcement. "you may have a bad addon that is getting used by loads of people cause of event, that may have duped for you, and may get you banned, and may have been out for years but here is a clean version of it and we reported it to SE." I get you gave a clean version but without even releasing one bit of code that a user can search for to see if they have been using the bad version and are possibly going to eat a banhammer, they have no way to check if they were or not. I am not saying release the code but release like 4 phrases of it or something dumb like that so people can check the one they used and see if they are *** or not.
I don't care cause I don't use it but you got dickloads of people shitting their pants without knowing if they gonna get the ban slap for using a bad addon that they have no idea if they have or not. Follow me?
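The check Slore asks for above, and the source-of-truth concern Felgarr raised about a Dropbox link a few posts earlier, both reduce to the same thing: compare the copy of voidwatch.lua on your disk against a copy you trust. The following is an added example, written for this page; it is not code from any post in the thread, from the addon's author, or from Windower. It hashes both files with SHA-256 (so a publisher could simply post one hex string next to the download), checks the local hash against an optional published one, and when the two files differ prints a unified diff so the user can see exactly which lines were added or removed rather than hunting for "four phrases". The two Lua snippets embedded in it are constructed stand-ins for illustration only; they are not the real addon, the differing line is an arbitrary placeholder, and no hash for the real file is claimed.

```python
import difflib
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for a trusted reference copy and a locally redistributed copy.
# These are NOT the real voidwatch.lua. The extra line in MODIFIED_LUA is a neutral
# placeholder chosen for the demo; it has nothing to do with the flaw discussed above.
REFERENCE_LUA = """\
_addon.name = 'voidwatch'
_addon.version = '1.0'

windower.register_event('incoming chunk', function(id, data)
    if id == 0x028 then
        handle_action(data)
    end
end)
"""

MODIFIED_LUA = """\
_addon.name = 'voidwatch'
_addon.version = '1.0'

windower.register_event('incoming chunk', function(id, data)
    if id == 0x028 then
        local fork_tag = 'community-modified'  -- placeholder line added by a redistributor
        handle_action(data)
    end
end)
"""


def sha256_hex(text: str) -> str:
    """SHA-256 of the file contents as lowercase hex.

    Line endings are normalised first so a CRLF/LF difference introduced by an
    editor or download tool is not mistaken for a change to the code.
    """
    normalised = text.replace("\r\n", "\n")
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def verify_addon(local: str, reference: str, published_sha256: Optional[str] = None) -> dict:
    """Compare a local addon file against a trusted reference copy.

    Returns a dict with the two hashes, whether they match, whether the local hash
    matches an optionally supplied published hash (None if none was given), the
    lines present only in the local copy, the lines present only in the reference,
    and the full unified diff (empty when the files are identical).
    """
    local_hash = sha256_hex(local)
    reference_hash = sha256_hex(reference)

    diff = list(difflib.unified_diff(
        reference.splitlines(), local.splitlines(),
        fromfile="reference/voidwatch.lua", tofile="local/voidwatch.lua", lineterm=""))
    # Skip the '+++'/'---' file headers; keep only changed content lines.
    added = [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]
    removed = [line[1:] for line in diff if line.startswith("-") and not line.startswith("---")]

    matches_published = None
    if published_sha256 is not None:
        # Constant-time compare of the two hex digests.
        matches_published = hmac.compare_digest(local_hash, published_sha256.strip().lower())

    return {
        "local_sha256": local_hash,
        "reference_sha256": reference_hash,
        "matches_reference": local_hash == reference_hash,
        "matches_published": matches_published,
        "added_lines": added,
        "removed_lines": removed,
        "diff": diff,
    }


def main() -> None:
    # An unmodified copy: hashes agree, no diff to show.
    clean = verify_addon(REFERENCE_LUA, REFERENCE_LUA)
    print("unmodified copy matches reference:", clean["matches_reference"])

    # A redistributed copy: hash mismatch, and the diff pinpoints the change.
    result = verify_addon(MODIFIED_LUA, REFERENCE_LUA)
    print("modified copy matches reference:", result["matches_reference"])
    print("\n".join(result["diff"]))


if __name__ == "__main__":
    main()
```

In practice the reference would be read from the file the author confirmed as clean and the local copy from the Windower addons directory; publishing the SHA-256 of the clean file alongside the download link would let anyone run this check without needing to be told which lines are dangerous.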
By hobo 2019-11-18 21:09:54
what should be the source of truth for trusted windower addons.
its not trusted, thats why its not on the launcher. The only trusted addons are the ones officially on the launcher.
The Windower team has always curated the add-ons hosted in the launcher and are fairly happy with the safety and relatively innocuous nature of the launcher add-ons.
If you stray out of our realm into the wilds of all possible add-ons, we cannot protect you from yourself.
Lakshmi.Elidyr
Server: Lakshmi
Game: FFXI
Posts: 912
By Lakshmi.Elidyr 2019-11-18 21:22:19
It's like deja vu....
Does anyone ever take responsibility for doing *** they choose to do around here, or just continually move the 'gray line' around to fit their own personal needs lol. I feel bad for the Windower devs. They give us nice ***, and some people have the audacity to give them *** for giving the community tools.
I appreciate the dev team highly and none of my posts have been negative towards them. I just disagree with their vagueness on this topic and disagreeing doesn't mean I despise someone.
My concern is the announcement. "you may have a bad addon that is getting used by loads of people cause of event, that may have duped for you, and may get you banned, and may have been out for years but here is a clean version of it and we reported it to SE." I get you gave a clean version but without even releasing one bit of code that a user can search for to see if they have been using the bad version and are possibly going to eat a banhammer, they have no way to check if they were or not. I am not saying release the code but release like 4 phrases of it or something dumb like that so people can check the one they used and see if they are *** or not.
I don't care cause I don't use it but you got dickloads of people shitting their pants without knowing if they gonna get the ban slap for using a bad addon that they have no idea if they have or not. Follow me?
I'm not sure what your specific post was targeted at originally, and I'm not gonna disregard nor disagree with you. It's just that there are multiple people in and around here that are not understanding. TOS is not gray, it's pretty black and white. If you are using any, ANY add-on of any sort, or Windower/Ashita, that is more than enough to get a temp ban, or banned for good. We all know this fact when making decisions, as I think most people in here are somewhat adult enough to understand. The easiest method would be to not use those things, and not blame anyone for using software that will in itself potentially get you banned; it's just silly to me.
Edit: I get why they are not releasing it and I can understand. It can be frustrating, but it's for the best. I would just say if you are doing something that isn't allowed; Windower/Ashita/R*T/Botting/etc, just chill and let it die down a bit, or enjoy playing and just keep doing what you do.
By segfaultvicta 2019-11-18 23:19:11
From what I understand you'll absolutely know if you've triggered the exploit it's possible to trigger using the modified version of this script; I don't think people have to go around /worrying about whether they did something wrong/.
Leviathan.Arcon
VIP
Server: Leviathan
Game: FFXI
Posts: 666
By Leviathan.Arcon 2019-11-19 01:00:50
Upon receiving the information there were four possible reactions on our side:
1. Don't tell the community, don't tell SE
Simple. No one gets upset at us. Exposes more people to the exploit who were not even aware of it. They get some unfair bonus while people not using it do not. All is well, since SE does not know.
Disregarding that the "unfair bonus" alone is a reason for me to not go this route, this hinges strongly on SE not finding out. Which may be the case, but likely not. They are slow to take notice, but usually they take notice after a while (even if it is years), especially if it becomes more well known and used, and since people contacted us there is a chance that was going to happen. Even more so with the Voidwatch campaign. Betting on SE not finding out is a stupid choice for all kinds of reasons and it would make me feel personally responsible if something happened, because I had the chance to warn people but did not.
2. Tell the community, don't tell SE
This is equivalent to "tell the community, tell SE", since if we do not tell, someone else will. Not worth discussing. The only difference is that it will take slightly longer (a day or two, if that). All it would have done is increased the chance of someone exploiting it without getting banned. And not getting banned is a bad thing in this case, more on that later.
3. Don't tell the community, tell SE
SE will do what SE does, which is who the *** knows. They might do something about it, they might not. They might fix it, they might not. They might ban people, they might not. They are SE, place your bets.
But if they do end up banning people we would be responsible for people who have used it after the point we knew about it getting banned.
4. Tell the community, tell SE
I am not going to pretend this was a perfect choice, it was not. There simply was no perfect choice here. Same as in point 3, SE will be SE and do whatever they will do. Like I said in point 1, SE finding out was from my perspective inevitable. The longer it went on, the more people would have been affected, and every person affected after the point we knew about it would have been on our conscience.
A few things were written that were maybe not thought through fully. Someone asked if we would not feel responsible for the people who got "curious" and got banned because they looked into it. No? Should we? If you are trying to trigger an exploit, get banned. I would feel responsible if that did not happen.
I do very much feel bad for the person who reported it to us. They were only trying to do the right thing and might get caught up in this mess. The choice was essentially between them coming into the crosshairs for certain or everyone coming into the crosshairs maybe (some would argue, eventually). That was the crux of the gamble we had to take.
I will also feel bad if SE decide they ban people for this (unless they keep logs and find someone actively exploiting it). I truly hope they decide against that, since it has affected many people who were not intentionally doing it. But I would have felt just as bad when they eventually found out without us telling them and people got banned for it.
Also some people believe we should not have been so vague in describing the bug. Explaining the flaw in any kind of detail will just increase the risk of further exploitation by people who can move money around quickly and do not care for throwaway accounts getting banned. And it helps absolutely nobody. Or how do you think "knowing you were affected" would help you in any way? All the cards are dealt, there is nothing you can do but not use it any further, which you can by using the file we provided instead (or not use any such addon at all). I understand that people want to know, but there are active risks in disclosing that information. Let it go and pray for the best.
And finally, about providing a better way to get the file than a dropbox link... I can kinda understand that, but we are actually careful and selective about which addons we host ourselves for a number of reasons I think anyone can figure out. That is the reason why most addons are developed outside of our own ecosystem at this point and this is no different. And if we put it into the launcher it would not have a massive chance of being found by people already using an affected version either, as we have no proper way of announcing new additions in the launcher.
All in all, this is a shitty situation we really did not want to be in (especially after the recent medal exploit). But we are, and of the options we had I am still convinced that it was really the only one we could have taken. We have not had to deal with something like this before, but having gone through this and discussing it with other members of the team we will make this our official disclosure policy.