PSA: Flaw Identified in Voidwatch Addon (Ban Risk)
Right, a smart person with the modded version just has to take 10 seconds, look at the original, and find the exploit.
Instead of guessing if your version is modified or not, it might be a better idea to stop using it altogether and lay low.
ryukin182 said: » Don't mention there's an exploit with an upside, this will cause 10x the amount of bans than there ever would have been if they said nothing. You can't/won't stop people from figuring out the upside of the exploit when they -know- it's there. You can even just say there's a line of code added that's not intended which will lead to a potential ban if that lua is used, here's a non-dirty lua. This way it serves as a more effective deterrent to the people who are actually afraid of bans. Asura.Geriond said: » Doing that would both let the exploit fester for longer (opening up more people who are willing to take the risk to abuse it), give more chance for more people to get accidentally banned if SE figures it out first, and give them a higher chance of being retaliated against by SE because they knew about it but didn't immediately tell SE. When has SE ever figured out something first, especially with the manpower they have on their team currently? Also, if people knowingly take the risk of trying to exploit something, especially immediately after the duping issue, then that's on them more than anything else. I also said phrase it in a way that's not saying it's explicitly an exploit, but use phrasing that should otherwise deter people while providing the fixed version. But immediately reporting to SE can leave many people out of the loop and lead to potentially more bans on people who were not aware of the issue with no intention of trying to exploit it, especially if the spring update was supposedly supposed to be a "fixed" version.
This isn't some massive exploit, it let you get some extra pulse cells. Certainly nothing worth looking for or getting banned for. It did not go active this month, I found it by accident 3 or 4 years ago. It shouldn't be possible with the original lua. What happened in the later one was, someone modified code they didn't understand and overlooked a small thing, resulting in accidental exploitation. That said, this just illustrates why some caution should be used when running a random lua some forum user told you to get. If you were using this AFK, you may have noticed you got a few cells without even realizing anything happened. Certainly not worth getting banned over. Treat things with caution, and don't use scripts that use packets unless you absolutely trust the author of said scripts.
Asura.Eiryl said: » Right, a smart person with the modded version just has to take 10 seconds, look at the original, and find the exploit.
Yo Eiryl, I suggest you find out what it is and head on out to do some VW. Report back in a week or so. Make sure to take all your characters.
Odin.Bluemule said: » Asura.Geriond said: » Doing that would both let the exploit fester for longer (opening up more people who are willing to take the risk to abuse it), give more chance for more people to get accidentally banned if SE figures it out first, and give them a higher chance of being retaliated against by SE because they knew about it but didn't immediately tell SE. When has SE ever figured out something first, especially with the manpower they have on their team currently? Also, if people knowingly take the risk of trying to exploit something, especially immediately after the duping issue, then that's on them more than anything else. I also said phrase it in a way that's not saying it's explicitly an exploit, but use phrasing that should otherwise deter people while providing the fixed version. But immediately reporting to SE can leave many people out of the loop and lead to potentially more bans on people who were not aware of the issue with no intention of trying to exploit it, especially if the spring update was supposedly supposed to be a "fixed" version.
Phrasing it differently would likely only hurt, not help. The people interested in figuring it out would take ANY announcement as a reason to inspect the coding closer to look for why it could be ban worthy, and making it explicit on WHY it could be ban worthy will more effectively scare off more legitimate players.
Good on the team for notifying that a ban could happen, but they could have avoided the conspiracies and trolls if they had just posted in the other thread "we fixed the problem, here you go."
Shiva.Thorny said: » This isn't some massive exploit, it let you get some extra pulse cells. Certainly nothing worth looking for or getting banned for. It did not go active this month, I found it by accident 3 or 4 years ago.
Thorny confirmed for duping pulse cells. I do gotta love that these recent exploits were created from shitty code from people not knowing exactly what they were trying to do, interacting with SE's spaghetti code.
Shiva.Thorny said: » That said, this just illustrates why some caution should be used when running a random lua some forum user told you to get. If you were using this AFK, you may have noticed you got a few cells without even realizing anything happened. Certainly not worth getting banned over. Treat things with caution, and don't use scripts that use packets unless you absolutely trust the author of said scripts.
This is true. The Windower team has always curated the add-ons hosted in the launcher and are fairly happy with the safety and relatively innocuous nature of the launcher add-ons. If you stray out of our realm into the wilds of all possible add-ons, we cannot protect you from yourself.
ryukin182 said: » You're what we call a projector, attacking others immediately with insults then saying "grow up". I knew there were going to be trolls, but not bad ones like this. But you're right! They had no obligation; since they don't support the addon they are in no way, shape or form liable for backlash for the exploit aside from advertising it, which just happened. So a better way to handle it would be not at all, for one instance.
It's funny that you think I'm insulting you. Again, grow up. There are trolls here, and I'm not one of them. Just the idiots like you who think the Windower team handled this poorly, which they didn't. As for the idiots who say "what if I get banned, why did you report it?" Using any third party tools at any time can get you banned, it's no surprise. Don't be a *** moron.
Lakshmi.Byrth said: » Shiva.Thorny said: » That said, this just illustrates why some caution should be used when running a random lua some forum user told you to get. If you were using this AFK, you may have noticed you got a few cells without even realizing anything happened. Certainly not worth getting banned over. Treat things with caution, and don't use scripts that use packets unless you absolutely trust the author of said scripts. This is true. The Windower team has always curated the add-ons hosted in the launcher and are fairly happy with the safety and relatively innocuous nature of the launcher add-ons. If you stray out of our realm into the wilds of all possible add-ons, we cannot protect you from yourself.
All I'm thinking about is how the guy who reported the exploit is gonna get rekt all the same.
Artsncrafts said: » All I'm thinking about is how the guy who reported the exploit is gonna get rekt all the same.
tbh, the entire addon is a bot, it's not like it was masquerading as some innocuous helper, there's *** running easyfarm or whatever free farm bot on top of it on every HMP flux 24/7. This isn't something that deserves sympathy, be glad SE didn't ban you for the bot in the first place.
lol, as if SE will even respond to this without massive JP outcry.
They might with recent events.
Jetackuu said: » It's funny that you think I'm insulting you. Again, grow up. There are trolls here, and I'm not one of them. Just the idiots like you who think the Windower team handled this poorly, which they didn't.
I can't stop laughing. "Not at all, what is wrong with you and the rest of these vaccine drinking morons?" "Just the idiots like you who" Yeah, I must have imagined you insulting me then telling me to grow up like I'm the child you clearly are. This is a 10/10 bad troll. This made my night better, thanks for the laugh. Can't make this up.
Lakshmi.Byrth said: » lol, as if SE will even respond to this without massive JP outcry.
You're implying a few extra cells isn't going to shatter the economy the likes of which we've never seen.
Iryoku said: » This morning (November 18th, 2019) we were contacted by an anonymous user who had discovered a serious flaw in certain modified versions of the unsupported voidwatch addon that has been widely distributed throughout the community. Use of these modified versions of the addon could result in a ban. In light of recent events and the likelihood that users could unintentionally trigger this flaw we felt it was necessary to bring this to the community's attention. We have contacted the author and confirmed that the original version distributed at the link below does not have this flaw. We believe this flaw was initially benign, but became exploitable following the emergency maintenance on November 13th, 2019; however, we cannot be certain of this. We will not provide details of how to exploit this flaw, and this issue has been reported to SE. The original unmodified version of the voidwatch addon can be found at https://www.dropbox.com/s/ex1jtgqz4jtmxd8/voidwatch.lua?dl=0 This addon is not distributed by Windower, and is not endorsed by us in any way. Use at your own risk.
If the Windower team is going to own the unmodified version of this addon, can you put it on GitHub or make it available through the launcher? ....Dropbox links are so ephemeral. Besides, the launcher or GitHub would ensure the modified Lua one doesn't get surreptitiously passed around for the unmodified one.
The point is not to promote the add-on, but to encourage people to stop using the version that can unintentionally trigger the exploit.
Felgarr said: » If the Windower team is going to own the unmodified version of this addon, can you put it on GitHub or make it available through the launcher? ....Dropbox links are so ephemeral. Besides, the launcher or GitHub would ensure the modified Lua one doesn't get surreptitiously passed around for the unmodified one.
Lakshmi.Byrth said: » The point is not to promote the add-on, but to encourage people to stop using the version that can unintentionally trigger the exploit.
I understand that and I'm supplementing that point with what should be the source of truth for trusted Windower addons.
Asura.Chiaia said: » Felgarr said: » If the Windower team is going to own the unmodified version of this addon, can you put it on GitHub or make it available through the launcher? ....Dropbox links are so ephemeral. Besides, the launcher or GitHub would ensure the modified Lua one doesn't get surreptitiously passed around for the unmodified one.
I missed nothing. I was referring more to the method in which this addon was being discouraged (and apparently, the source of truth here ...is a Dropbox link which could be dead tomorrow). You're welcome to dismiss my point and move on if you don't see the reasoning behind my suggestion.
It's like deja vu....
Does anyone ever take responsibility for doing *** they choose to do around here, or just continually move the 'gray line' around to fit their own personal needs lol. I feel bad for the Windower devs. They give us nice ***, and some people have the audacity to give them *** for giving the community tools.
Lakshmi.Elidyr said: » It's like deja vu.... Does anyone ever take responsibility for doing *** they choose to do around here, or just continually move the 'gray line' around to fit their own personal needs lol. I feel bad for the Windower devs. They give us nice ***, and some people have the audacity to give them *** for giving the community tools.
I appreciate the dev team highly and none of my posts have been negative towards them. I just disagree with their vagueness on this topic, and disagreeing doesn't mean I despise someone. My concern is the announcement. "You may have a bad addon that is getting used by loads of people because of the event, that may have duped for you, and may get you banned, and may have been out for years, but here is a clean version of it and we reported it to SE." I get you gave a clean version, but without even releasing one bit of code that a user can search for to see if they have been using the bad version and are possibly going to eat a banhammer, they have no way to check if they were or not. I am not saying release the code, but release like 4 phrases of it or something dumb like that so people can check the one they used and see if they are *** or not. I don't care cause I don't use it, but you got dickloads of people shitting their pants without knowing if they gonna get the ban slap for using a bad addon that they have no idea if they have or not. Follow me?
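One way to answer the "how do I check which version I have" question raised above without anyone publishing the offending lines is to compare the copy on disk against the reference file from the link in the PSA. The script below is an added example for this thread, not code from the Windower team or from the addon's author. It classifies a local copy as byte-identical to the reference, different only in line endings or trailing whitespace (an editor re-save), or actually modified. It never inspects the Lua itself or reports what differs. The file paths and the sample file contents are constructed placeholders, not the real addon.

```python
import hashlib
from pathlib import Path

# Added example, not from the thread or from the Windower team. It answers one
# narrow question: does the voidwatch.lua on disk match a reference copy
# byte-for-byte, only up to line endings / trailing whitespace, or not at all?
# It does not inspect the Lua or say what differs; it only classifies the copy.


def normalize(data: bytes) -> bytes:
    """Canonicalise line endings (CRLF/CR -> LF), strip trailing spaces and
    tabs on every line, and drop trailing blank lines, so a copy that was
    merely re-saved by an editor is not mistaken for a real modification."""
    text = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    lines = [line.rstrip(b" \t") for line in text.split(b"\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\n".join(lines) + b"\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(reference: bytes, local: bytes) -> str:
    """Return 'identical', 'whitespace-only' or 'modified'."""
    if sha256_hex(reference) == sha256_hex(local):
        return "identical"
    if sha256_hex(normalize(reference)) == sha256_hex(normalize(local)):
        return "whitespace-only"
    return "modified"


def classify_files(reference_path: str, local_path: str) -> str:
    """Same check on two files on disk: the reference downloaded from the
    link in the PSA and the copy in the user's Windower addons folder
    (both paths are whatever the user chooses; nothing is assumed here)."""
    return classify(Path(reference_path).read_bytes(),
                    Path(local_path).read_bytes())


# Constructed sample contents standing in for the real file, which is not
# reproduced here; only their relationship to each other matters.
REFERENCE = b"-- constructed stand-in for the reference voidwatch.lua\nlocal cells = 0\n"
RESAVED_CRLF = b"-- constructed stand-in for the reference voidwatch.lua\r\nlocal cells = 0   \r\n"
EDITED = b"-- constructed stand-in for the reference voidwatch.lua\nlocal cells = 1\n"

if __name__ == "__main__":
    for label, candidate in (("same bytes", REFERENCE),
                             ("re-saved with CRLF", RESAVED_CRLF),
                             ("content changed", EDITED)):
        print(f"{label:20s} -> {classify(REFERENCE, candidate)}")
```

A "whitespace-only" result means the copy was opened and saved by an editor that changed line endings, which is common on Windows and is not evidence of a code change; "modified" means the file does not match the reference and should be replaced with the reference copy.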
Felgarr said: » what should be the source of truth for trusted Windower addons.
It's not trusted, that's why it's not on the launcher. The only trusted addons are the ones officially on the launcher.
Lakshmi.Byrth said: » The Windower team has always curated the add-ons hosted in the launcher and are fairly happy with the safety and relatively innocuous nature of the launcher add-ons. If you stray out of our realm into the wilds of all possible add-ons, we cannot protect you from yourself.
Odin.Slore said: » Lakshmi.Elidyr said: » It's like deja vu.... Does anyone ever take responsibility for doing *** they choose to do around here, or just continually move the 'gray line' around to fit their own personal needs lol. I feel bad for the Windower devs. They give us nice ***, and some people have the audacity to give them *** for giving the community tools. I appreciate the dev team highly and none of my posts have been negative towards them. I just disagree with their vagueness on this topic, and disagreeing doesn't mean I despise someone. My concern is the announcement. "You may have a bad addon that is getting used by loads of people because of the event, that may have duped for you, and may get you banned, and may have been out for years, but here is a clean version of it and we reported it to SE." I get you gave a clean version, but without even releasing one bit of code that a user can search for to see if they have been using the bad version and are possibly going to eat a banhammer, they have no way to check if they were or not. I am not saying release the code, but release like 4 phrases of it or something dumb like that so people can check the one they used and see if they are *** or not. I don't care cause I don't use it, but you got dickloads of people shitting their pants without knowing if they gonna get the ban slap for using a bad addon that they have no idea if they have or not. Follow me?
I'm not sure what your specific post was targeted at originally, and I'm not gonna disregard nor disagree with you. It's just that there are multiple people in and around here that are not understanding. TOS is not gray, it's pretty black and white. If you are using any, ANY add-on of any sort, or Windower/Ashita, that is more than enough to get a temp ban, or banned for good. We all know this fact when making decisions, as I think most people in here are somewhat adult enough to understand. The easiest method would be to not use those things, not blame anyone for using software that will in itself potentially get you banned; it's just silly to me.
Edit: I get why they are not releasing it and I can understand. It can be frustrating, but it's for the best. I would just say if you are doing something that isn't allowed (Windower/Ashita/R*T/Botting/etc), just chill and let it die down a bit, or enjoy playing and just keep doing what you do.
From what I understand, you'll absolutely know if you've triggered the exploit it's possible to trigger using the modified version of this script; I don't think people have to go around worrying about whether they did something wrong.
Upon receiving the information there were four possible reactions on our side:
1. Don't tell the community, don't tell SE
Simple. No one gets upset at us. Exposes more people to the exploit who were not even aware of it. They get some unfair bonus while people not using it do not. All is well, since SE does not know. Disregarding that the "unfair bonus" alone is a reason for me to not go this route, this hinges strongly on SE not finding out. Which may be the case, but likely not. They are slow to take notice, but usually they take notice after a while (even if it is years), especially if it becomes more well known and used, and since people contacted us there is a chance that was going to happen. Even more so with the Voidwatch campaign. Betting on SE not finding out is a stupid choice for all kinds of reasons and it would make me feel personally responsible if something happened, because I had the chance to warn people but did not.
2. Tell the community, don't tell SE
This is equivalent to "tell the community, tell SE", since if we do not tell, someone else will. Not worth discussing. The only difference is that it will take slightly longer (a day or two, if that). All it would have done is increased the chance of someone exploiting it without getting banned. And not getting banned is a bad thing in this case, more on that later.
3. Don't tell the community, tell SE
SE will do what SE does, which is who the *** knows. They might do something about it, they might not. They might fix it, they might not. They might ban people, they might not. They are SE, place your bets. But if they do end up banning people we would be responsible for people who have used it after the point we knew about it getting banned.
4. Tell the community, tell SE
I am not going to pretend this was a perfect choice, it was not. There simply was no perfect choice here. Same as in point 3, SE will be SE and do whatever they will do. Like I said in point 1, SE finding out was from my perspective inevitable.
The longer it went on, the more people would have been affected, and every person affected after the point we knew about it would have been on our conscience.
A few things were written that were maybe not thought through fully. Someone asked if we would not feel responsible for the people who got "curious" and got banned because they looked into it. No? Should we? If you are trying to trigger an exploit, get banned. I would feel responsible if that did not happen. I do very much feel bad for the person who reported it to us. They were only trying to do the right thing and might get caught up in this mess. The choice was essentially between them coming into the crosshairs for certain or everyone coming into the crosshairs maybe (some would argue, eventually). That was the crux of the gamble we had to take. I will also feel bad if SE decides to ban people for this (unless they keep logs and find someone actively exploiting it). I truly hope they decide against that, since it has affected many people who were not intentionally doing it. But I would have felt just as bad when they eventually found out without us telling them and people got banned for it.
Also, some people believe we should not have been so vague in describing the bug. Explaining the flaw in any kind of detail will just increase the risk of further exploitation by people who can move money around quickly and do not care for throwaway accounts getting banned. And it helps absolutely nobody. Or how do you think "knowing you were affected" would help you in any way? All the cards are dealt, there is nothing you can do but not use it any further, which you can do by using the file we provided instead (or not use any such addon at all). I understand that people want to know, but there are active risks in disclosing that information. Let it go and pray for the best.
And finally, about providing a better way to get the file than a Dropbox link... I can kinda understand that, but we are actually careful and selective about which addons we host ourselves for a number of reasons I think anyone can figure out. That is the reason why most addons are developed outside of our own ecosystem at this point and this is no different. And if we put it into the launcher it would not have a massive chance of being found by people already using an affected version either, as we have no proper way of announcing new additions in the launcher.
All in all, this is a shitty situation we really did not want to be in (especially after the recent medal exploit). But we are, and of the options we had I am still convinced that it was really the only one we could have taken. We have not had to deal with something like this before, but having gone through this and discussed it with other members of the team we will make this our official disclosure policy.