batto

Ubisoft "Uplay" fail?

Kaspersky wouldn't allow me to visit the link ;)

Kaspersky wouldn't allow me to visit the link ;)

It did the exact same with me, fantastic anti-virus/internet security. Eugene Kaspersky's son, Ivan, was kidnapped in Russia and held for ransom a while back. I heard reports that he paid it outright, conflicting reports that he was rescued in a raid though. I wouldn't be surprised, since he's a billionaire. Off-topic I know, just a little food for thought, Placebo.

Back on topic to Ubisoft and I'm quite surprised at how quickly they "fixed" the issue. I have a slight feeling that they knew about the security issue and possibly even coded it in on purpose for whatever reason, if that isn't the case then I would suggest they increase the amount of testing prior to releasing software. Anyway I highly doubt anything more will be reported.

Kaspersky wouldn't allow me to visit the link ;)
It did the exact same with me, fantastic anti-virus/internet security.

Are you sure that it would do the same two days ago ;) ?

Back on topic to Ubisoft and I'm quite surprised at how quickly they "fixed" the issue.

Still, a long time has passed since Uplay was released and the good guy found and disclosed the hole. Damage has been done.

If yes, you're screwed because you supported DRM

... and crappy dumbed down console ports.

It did the exact same with me, fantastic anti-virus/internet security. Eugene Kaspersky's son, Ivan, was kidnapped in Russia and held for ransom a while back. I heard reports that he paid it outright, conflicting reports that he was rescued in a raid though. I wouldn't be surprised, since he's a billionaire. Off-topic I know, just a little food for thought, Placebo.

That's rough, you'd think that being super rich in a super risky locale they'd hire decent security.

Are you sure that it would do the same two days ago ;) ?

Good question, I got a browser warning and a warning from Kaspersky itself, pretty sure it hadn't updated in the last two days so it's possible ;)


Still, a long time has passed since Uplay was released and the good guy found and disclosed the hole. Damage has been done.

That's true but I was referring to the time since the security flaw was recognized and reported by the likes of RockPaperShotgun and PCGamer. :)


I would like to say that because of their retarded insane DRM policy they caused lots of trouble for legit customers. Which frankly leads me to the next conclusion to this whole new mess: :rofl:

Edited by Krycek

Back on topic to Ubisoft and I'm quite surprised at how quickly they "fixed" the issue. I have a slight feeling that they knew about the security issue and possibly even coded it in on purpose for whatever reason, if that isn't the case then I would suggest they increase the amount of testing prior to releasing software. Anyway I highly doubt anything more will be reported.

Shitty and shifty as Uplay is, it's funny how conspiracy theories are formed over even the stupidest things.

What happened is that the browser plugin was naively coded and a developer at Ubi thought "Yup, Base64, nobody will ever break that!" and nobody noticed it.

No amount of regular QA testing would've caught this, because the feature it was made for worked as expected. Unless of course they have QA that focuses on security issues like this. What would've probably caught it in the blink of an eye is a peer review of the code written from someone who understands the implications of not filtering any user input.

To put it in perspective, imagine one day we find out that '[] exec "Y2FsYy5leGU=";' allowed you to launch the calculator from the editor.

Now, would you blame BI QA for not catching that?

I know I wouldn't, but I also wouldn't like to be one of the guys whose name is on the commits relating to that hole.

Edited by Sniperwolf572

Shitty and shifty as Uplay is, it's funny how conspiracy theories are formed over even the stupidest things.

What happened is that the browser plugin was naively coded and a developer at Ubi thought "Yup, Base64, nobody will ever break that!" and nobody noticed it.

No amount of regular QA testing would've caught this, because the feature it was made for worked as expected. Unless of course they have QA that focuses on security issues like this. What would've probably caught it in the blink of an eye is a peer review of the code written from someone who understands the implications of not filtering any user input.

The stupid thing is that their browser plugin allows execution of local programs from JavaScript (e.g. from anywhere). If they are THAT stupid (as in "why on earth are such people allowed to code?") to think that no one will notice it from base64 (very easy to recognise) argument to option that is named orbit_exe_path, then, well, there'll be probably much more going on in the wild =).

Edited by batto
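
The point made in the two posts above (Base64 is reversible by anyone, and the plugin trusted a path supplied by the page), as an added example that is not part of the thread and is not Ubisoft's code: a launcher-side check that decodes the argument and refuses anything outside an allowlist. The install directory, executable names and function names are assumptions for illustration; `Y2FsYy5leGU=` is the string quoted in the thread.

```python
import base64
import binascii
import ntpath  # Windows path rules, usable on any OS

# Assumed values for illustration; the thread does not give the real paths.
ALLOWED_DIR = r"C:\Program Files\ExampleLauncher"  # hypothetical install dir
ALLOWED_EXES = {"game.exe", "launcher.exe"}        # hypothetical allowlist


def encode_arg(path):
    """Build a constructed sample the way a web page could: plain Base64."""
    return base64.b64encode(path.encode("utf-8")).decode("ascii")


def decode_arg(b64_value):
    """Base64 is an encoding, not a secret: decoding needs no key."""
    try:
        return base64.b64decode(b64_value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def is_launch_allowed(b64_value):
    """Return (allowed, reason) for a page-supplied, Base64-encoded exe path."""
    path = decode_arg(b64_value)
    if path is None:
        return False, "not valid Base64/UTF-8"
    if "\x00" in path:
        return False, "NUL byte in path"
    # Collapse "..", unify separators and case before any comparison.
    full = ntpath.normcase(ntpath.normpath(path))
    if not ntpath.isabs(full):
        return False, "relative path"
    directory, name = ntpath.split(full)
    if directory != ntpath.normcase(ALLOWED_DIR):
        return False, "outside install directory"
    if name not in ALLOWED_EXES:
        return False, "executable not on allowlist"
    return True, "ok"


if __name__ == "__main__":
    samples = [  # constructed inputs, except the first (quoted in the thread)
        "Y2FsYy5leGU=",
        encode_arg(ALLOWED_DIR + r"\game.exe"),
        encode_arg(ALLOWED_DIR + r"\..\..\Windows\System32\calc.exe"),
    ]
    for s in samples:
        print(s, "->", decode_arg(s), is_launch_allowed(s))
```
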


Chrome opened the link but didn't open Calculator.

Good on you, Chrome.
