ESOUI forums: News > Malicious code in Atlas (https://www.esoui.com/forums/showthread.php?t=2493)

Cairenn 12/04/14 12:10 AM

Malicious code in Atlas
 
[Edit] The new author has responded and stated that it was in there for testing purposes only, and that he has returned all the money he received. In the nature of giving people the benefit of the doubt and a second chance - if anyone who was bitten by this 'test' could let me know if they have actually received the money back from the author (not a GM), I'd appreciate it. Thanks.


Just to make sure everyone is aware:

The 'new' author of Atlas changed some code in it to make it so that you mailed all of your money to his character. If you got the version posted by the new author, version # 1.3.2 (download may show 1417671638), you need to get rid of it immediately. We have pulled that version from the site and restored the last version that CrazyDutchGuy had posted. You want version 1.30a. If you had not updated to the new version by the new author and are still using version 1.30, you are fine and don't need to do anything.

If you did use the version by the new author and did lose all of your money, send in a ticket to the GMs, letting them know that you'd been hacked by the addon. They are aware of the situation and will restore your money (once they've verified it on their end).

Sorry this happened folks. :/

CrazyDutchGuy 12/04/14 02:41 AM

Unfortunately this has happened, and I have always known there was the possibility to do so. I never understood why ZOS never removed this option or added an additional confirmation to it. Maybe they will do that in a future patch.

Anyways, these are not the things I like to see when I wake up and read my mail. Cairenn has dealt with the issue, and if you have been hit by this, contact a GM to get it restored.

If there are any other questions, I am always available by mail :) Happy Gaming !

TribeofOne 12/04/14 04:03 AM

Thanks guys for handling this. Hopefully this ability will be blocked by ZOS.
Until then, how can the coding ignorant protect themselves, besides suspecting all addons?

BornDownUnder 12/04/14 05:45 AM

I really do hope Zeni & you guys have banned him/her permanently and sent out notifications right across the affiliated sites of this person.

Quote:

Originally Posted by TribeofOne
Until then how can the coding ignorant protect themselves, besides suspect all addons?

Best rule of thumb is to always wait a few days and read comments, etc. on the site where you get the addons. Unless of course you know the author of the addon is decent/genuine.

That being said this type of thing will never be rid of completely, just like lies in real life :(

Garkin 12/04/14 06:18 AM

Quote:

Originally Posted by Cairenn (Post 13637)
The 'new' author of Atlas changed some code in it to make it so that you mailed all of your money to his character. If you got the version posted by the new author, version # 1.3.2 (download may show 1417671638), you need to get rid of it immediately. We have pulled that version from the site and restored the last version that CrazyDutchGuy had posted. You want version 1.30a. If you had not updated to the new version by the new author and are still using version 1.30, you are fine and don't need to do anything.

The last version of ATLAS uploaded by CrazyDutchGuy was 1.31, not 1.30. I still have this version installed. Version 1.31 contained a fix for a typo in the XML file which was reported by spoqster in the addon comments on 09/21/2014. If you want, I can share this version.

Cairenn 12/04/14 08:55 AM

Thanks Garkin, that would be great. Please email it to me? [email protected]

Sasky 12/04/14 12:22 PM

Quote:

Originally Posted by TribeofOne (Post 13642)
Thanks guys for handling this. Hopefully this ability will be blocked by ZOS.
Until then, how can the coding ignorant protect themselves, besides suspecting all addons?

Here's a few things you can do, roughly in order of difficulty/hassle:
1. Do nothing. The GMs have been very prompt in restoring any lost gold from this. If ZOS had issues responding it'd be more of a concern, but if something does happen it won't cause you to lose anything.
2. Keep the bulk of your gold in your bank. It can't be mailed from there.
3. Wait a few days before installing any addon update.
4. Search for the string "SendMail" in addons. If you see it, wait a few days and/or post to see if it's valid. Some addons do need to use it.

We'll see if there are any systematic changes -- ZOS might add a gold send confirmation (or prevent addons sending mail, which would be unfortunate...). Also, it might be possible to create an addon that adds a confirmation dialog to any sent mail with gold attached or something along the lines of this bugfix to prevent all gold mailing.
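Step 4 of the list above (searching addon files for "SendMail") can be scripted. The following is an added example, not code from this thread or from any ESO addon: it walks an AddOns folder, reports every SendMail call with its file and line, and separately flags calls whose recipient is a hardcoded string literal, since a legitimate mail helper normally passes the recipient through from the user or from a received mail. The two sample Lua files are constructed for the demo and are not the real Atlas code.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample addon files (not the real Atlas code). One passes the
# recipient through from its caller; the other hardcodes a recipient.
SAMPLE_FILES = {
    "MailReturn/MailReturn.lua": (
        "local function ReturnMail(sender, subject, body)\n"
        "    SendMail(sender, subject, body)\n"
        "end\n"
    ),
    "Atlas/Atlas.lua": (
        "local function UpdateMap()\n"
        "    -- ...map code...\n"
        '    SendMail("@someaccount", "hi", "")\n'
        "end\n"
    ),
}

# Matches a SendMail( call and captures its first argument (the recipient).
SENDMAIL_RE = re.compile(r"\bSendMail\s*\(\s*([^,\)]*)")
# A recipient that is a bare string literal, i.e. baked into the addon.
STRING_LITERAL_RE = re.compile(r'^\s*(["\']).*\1\s*$')

def scan_lua_source(relpath, text):
    """Return one finding per SendMail call in a Lua source string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SENDMAIL_RE.search(line)
        if not m:
            continue
        recipient = m.group(1).strip()
        findings.append({
            "file": relpath, "line": lineno, "recipient": recipient,
            "hardcoded_recipient": bool(STRING_LITERAL_RE.match(recipient)),
        })
    return findings

def scan_addon_dir(root):
    """Scan every .lua file below root (e.g. the game's AddOns folder)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.lua")):
        findings.extend(scan_lua_source(str(path.relative_to(root)), path.read_text()))
    return findings

def run_demo():
    """Write the constructed samples to a temp dir, scan them, return findings."""
    with tempfile.TemporaryDirectory() as d:
        for rel, text in SAMPLE_FILES.items():
            p = Path(d) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
        return scan_addon_dir(d)

if __name__ == "__main__":
    for f in run_demo():
        flag = "HARDCODED RECIPIENT" if f["hardcoded_recipient"] else "pass-through"
        print(f"{f['file']}:{f['line']}: SendMail({f['recipient']}) [{flag}]")
```

A hit is a prompt to read the surrounding code or ask in the addon comments, not proof of malice: a hardcoded recipient is the pattern that deserves a close look, while a pass-through recipient is what a mail-return helper would have.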

rkuhnjr 12/04/14 01:23 PM

Quote:

Originally Posted by Cairenn (Post 13637)
[Edit] The new author has responded and stated that it was in there for testing purposes only, and that he has returned all the money he received. In the nature of giving people the benefit of the doubt and a second chance - if anyone who was bitten by this 'test' could let me know if they have actually received the money back by the author (not a GM), I'd appreciate it. Thanks

Only thing he was testing was to see if he could get away with it :mad:

merlight 12/04/14 06:42 PM

Quote:

Originally Posted by Sasky (Post 13649)
Also, it might be possible to create an addon that adds a confirmation dialog to any sent mail with gold attached...

The real challenge for such add-on would be ensuring that a malicious add-on can't disable its function.

Sasky 12/04/14 08:04 PM

Quote:

Originally Posted by merlight (Post 13660)
The real challenge for such add-on would be ensuring that a malicious add-on can't disable its function.

For an addon showing a dialog, it'd actually come down to load order for whether it's possible. If the malicious addon loads first and stores a clean version of the hooked function, it doesn't work. If the preventing addon loads first, it's good. It can keep the real SendMail() stored away privately, keep all functions private, and randomize the name of the control shown.

For zeroing gold, not sure. You might be able to hook something like the add function to prevent gold being added, tie into an event to zero it immediately after, etc.

From a more practical standpoint, ZOS is looking at this thread for feedback about how to block this. Since ZOS obviously gets to load code first, it's definitely possible.

farangkao 12/09/14 04:41 PM

Just an idea, until ZOS fixes this: we could write an addon that prevents this by redefining the function used to send automatic mail.

So anyone who installed that addon will not have to worry about it.

It may however break some useful auto-mailer addons if installed (are there such addons?).

But then if an addon author is using that function in his code, it should be detected if possible directly by ESOUI.com, because if someone is using functions like that he might also try other tricks not yet known by the community.

mattmillus 12/12/14 01:40 PM

Writing an addon to prevent this is technologically impossible. Addon load order is not guaranteed, and there is no manifest option to force a load before all other addons.

Sasky 12/13/14 01:02 AM

Quote:

Originally Posted by mattmillus (Post 17811)
Writing an addon to prevent this is technologically impossible. Addon load order is not guaranteed, and there is no manifest option to force a load before all other addons.

Yeah, it's not even possible to guarantee that your addon's loaded. Consider that you can automatically disable addons from code (see http://www.esoui.com/downloads/info4...nProfiles.html for one example). So a malicious addon could just disable your addon if it's there, which would preempt any attempts to guard the send or attach functions.

Simply put, it's something that ZOS needs to do, because they can have private functions that addons can't touch.

Sasky 01/12/15 01:31 PM

1.5.8 patch notes:
Quote:

UI
Mail
  • You will now receive a confirmation box when sending mail that includes an attached item or gold.


Baertram 01/12/15 02:18 PM

I hope the mail return bots still work with this "confirmation box" :)

Garkin 01/13/15 07:07 AM

Quote:

Originally Posted by Sasky (Post 18226)
1.5.8 patch notes:

There is a new event:
EVENT_CONFIRM_SEND_MAIL (to, subject, body, numAttachments, attachedMoney)

And new private function:
ConfirmSendMail(to, subject, body)

Raeyan 01/15/15 02:43 PM

Yeah dude needs to get beat with a banstick fahreelz
 
Quote:

Originally Posted by rkuhnjr (Post 13650)
Only thing he was testing was to see if he could get away with it :mad:

As a programmer, yeah I can verify that even without seeing the code. The fact that it mailed ALL your gold means he was detecting the exact amount of gold you had and then sending that amount. If a developer wanted to test a mailing feature like that, you'd use a constant value of 1 for the gold amount, not a check to see how much gold you had and send ALL your gold. Sending 1 gold makes it so you don't have to reset by mailing it back to yourself each time you "test" the functionality in game.

ZoS should ban him and you guys should probably do the same. I'm sure he's not going to be stupid enough to try a stunt like this again, but it's the principle of it. You don't get to try to rip off tons of people and keep on playing. That being said, I'd love to find the addon zip file somewhere so I could see the bit of code he stuck in there. $20 says it doesn't even remotely look "accidental" and by that I mean it's probably right smack dab in the middle of a function in which it's completely out of context.

Wykkyd 01/16/15 06:31 AM

There's no justifiable reason for Atlas to be sending gold to the author, even as a test.

BornDownUnder 01/16/15 07:29 PM

Quote:

Originally Posted by Raeyan (Post 18269)
ZoS should ban him and you guys should probably do the same. I'm sure he's not going to be stupid enough to try a stunt like this again, but it's the principle of it.

I fully agree, there should be no place at all for people like that in any community; in the real world it is called fraud. There should be no difference in stance at all in any format just because this happened in a game.

Out of curiosity, what was the decision made and actions taken as a result of this incident?

Cerulean2013 01/16/15 07:46 PM

I know people are complaining to this forum that he should be banned, but has anyone reported him to Zenimax?

If not, people who were affected should report them.
