Malicious code in Atlas
[Edit] The new author has responded and stated that it was in there for testing purposes only, and that he has returned all the money he received. In the nature of giving people the benefit of the doubt and a second chance - if anyone who was bitten by this 'test' could let me know if they have actually received the money back by the author (not a GM), I'd appreciate it. Thanks.
Just to make sure everyone is aware: The 'new' author of Atlas changed some code in it to make it so that you mailed all of your money to his character. If you got the version posted by the new author, version # 1.3.2 (download may show 1417671638), you need to get rid of it immediately. We have pulled that version from the site and restored the last version that CrazyDutchGuy had posted. You want version 1.30a. If you had not updated to the new version by the new author and are still using version 1.30, you are fine and don't need to do anything. If you did use the version by the new author and did lose all of your money, send in a ticket to the GMs, letting them know that you'd been hacked by the addon. They are aware of the situation and will restore your money (once they've verified it on their end). Sorry this happened folks. :/ |
Unfortunately this has happened, and I have always known there was the possibility to do so. I never understood why ZOS never removed this option or added an additional confirmation to it. Maybe they will do that in a future patch.
Anyways, these are not the things I like to see when I wake up and read my mail. Cairenn has dealt with the issue, and if you have been hit by this, contact a GM to get it restored. If there are any other questions, I am always available by mail :) Happy Gaming! |
Thanks guys for handling this. Hopefully this ability will be blocked by ZOS.
Until then how can the coding ignorant protect themselves, besides suspect all addons? |
I really do hope Zeni & you guys have banned him/her permanently and sent out notifications right across the affiliated sites of this person.
Quote:
That being said this type of thing will never be rid of completely, just like lies in real life :( |
Thanks Garkin, that would be great. Please email it to me? [email protected]
|
Quote:
1. Do nothing. The GMs have been very prompt in restoring any lost gold from this. If ZOS had issues responding it'd be more of a concern, but if something does happen it won't cause you to lose anything.
2. Keep the bulk of your gold in your bank. It can't be mailed from there.
3. Wait a few days before installing any addon update.
4. Search for the string "SendMail" in addons. If you see it, wait a few days and/or post to see if it's valid. Some addons do need to use it.
We'll see if there are any systematic changes -- ZOS might add a gold send confirmation (or prevent addons sending mail, which would be unfortunate...). Also, it might be possible to create an addon that adds a confirmation dialog to any sent mail with gold attached or something along the lines of this bugfix to prevent all gold mailing. |
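Suggestions 3 and 4 in the post above, combined into a small scanner, as an added example that is not part of the original thread: it lists uncommented `SendMail` references in an addon's Lua files and reports which ones an update introduced compared with the version you already had. The sample sources and the names `find_refs`, `new_in_update` and `load_addon` are constructed for illustration.

```python
from pathlib import Path

# "SendMail" is the string named in the post above; add other names to watch as needed.
WATCHED = ("SendMail",)

def strip_lua_comment(line):
    """Drop a trailing single-line Lua comment, ignoring '--' inside quoted strings."""
    quote, i = None, 0
    while i < len(line):
        ch = line[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif line.startswith("--", i):
            return line[:i]
        i += 1
    return line

def find_refs(files, watched=WATCHED):
    """files maps path -> Lua source. Returns (path, line number, code) per live reference.
    Block comments (--[[ ]]) are not tracked, so their later lines are still reported."""
    hits = []
    for path, src in sorted(files.items()):
        for no, line in enumerate(src.splitlines(), 1):
            code = strip_lua_comment(line)
            if any(name in code for name in watched):
                hits.append((path, no, code.strip()))
    return hits

def new_in_update(old_files, new_files, watched=WATCHED):
    """References in the update whose code line was not in the previous version."""
    known = {(path, code) for path, _, code in find_refs(old_files, watched)}
    return [h for h in find_refs(new_files, watched) if (h[0], h[2]) not in known]

def load_addon(folder):
    """Read every .lua file under an unpacked addon folder into {path: source}."""
    root = Path(folder)
    return {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
            for p in root.rglob("*.lua")}

# Constructed sample sources for illustration; not the real Atlas code.
OLD = {"Addon.lua": 'local function OnReturn(to)\n  SendMail(to, "RTS", "") -- return\nend\n'}
NEW = {"Addon.lua": OLD["Addon.lua"] + '-- SendMail is only used above\n'
       'local function Init()\n  SendMail(recipient, "", "")\nend\n'}

if __name__ == "__main__":
    for path, no, code in new_in_update(OLD, NEW):
        print(f"{path}:{no}: {code}")
```

A hit is a prompt to read the surrounding code or ask on the forum, not a verdict; as the post says, some addons do need to use it.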
Quote:
For zeroing gold, not sure. You might be able to hook something the add function to prevent gold being added, tie into an event to zero immediately after, etc. From a more practical standpoint, ZOS is looking at this thread for feedback about how to block this. Since ZOS obviously gets to load code first, it's definitely possible. |
Just an Idea, until ZOS fixes this, we could write an Addon that is preventing this, by redefining the Function used to send automatic mail. So anyone who installed that Addon will not have to worry about it. It may however break some useful auto-mailer addons if installed (are there such addons?). But then if an Addon author is using that function in his code, it should be detected if possible directly by ESOUI.com, because if someone is using functions like that he might also try other tricks not yet known by the community. |
Writing an addon to prevent this is technologically impossible. Addon load order is not guaranteed, and there is no manifest option to force a load before all other addons.
|
Quote:
Simply put, it's something that ZOS needs to do, because they can have private functions that addons can't touch. |
1.5.8 patch notes:
Quote:
|
I hope the mail return bots still work with this "confirmation box" :)
|
Quote:
EVENT_CONFIRM_SEND_MAIL (to, subject, body, numAttachments, attachedMoney) And new private function: ConfirmSendMail(to, subject, body) |
Yeah dude needs to get beat with a banstick fahreelz
Quote:
ZoS should ban him and you guys should probably do the same. I'm sure he's not going to be stupid enough to try a stunt like this again, but it's the principle of it. You don't get to try to rip off tons of people and keep on playing. That being said, I'd love to find the addon zip file somewhere so I could see the bit of code he stuck in there. $20 says it doesn't even remotely look "accidental" and by that I mean it's probably right smack dab in the middle of a function in which it's completely out of context. |
There's no justifiable reason for Atlas to be sending gold to the author, even as a test.
|
Quote:
Out of curiosity, what was the decision made and actions taken as a result of this incident? |
I know people are complaining to this forum that he should be banned, but has anyone reported him to Zenimax?
If not, people who were affected should report them. |
Quote:
On the ZOS side, they refunded the gold. After discussing with users and addon devs here (and I think the main site too), they implemented the confirmation box for sending mail with gold or attachments. They could have more drastically gutted the API for addons, but kept as much around for legitimate addons while still protecting users from this sort of action.
Quote:
It's good policy to not comment on those, especially on something that can be as volatile as forums. Consider that there's no link established between ESOUI and an account name. While anyone who knows Lua can establish that the addon was deliberate and malicious, it's really not known who made it. The @name could've been someone else entirely that was being framed. Then again, they were rather sloppy in adding the code so perhaps they thought they'd get away with it. |
Quote:
Good, sorry you were affected but glad you reported. If the @name was the coder or someone who took it over doesn't really matter. In the latter case they should have taken the time to verify the code before publishing it. Anyway hopefully justice was served. |
About the @name inside code, and reporting it:
In 99% the person getting the gold in the LUA source code would be the addon developer. But what if the @name inside source code was NOT the one of the "bad guy" who changed the addon, and someone poor (just pick any @name you get known ingame, what is really simple) will get all that money/stuff and doesn't know why he gets reported ;-) |