PSA: Flaw Identified in Voidwatch Addon (Ban Risk)
Odin.Slore said: » Remember to comment out the pulse weapon part or enjoy your cells :)

cells interlinked

tyalangan said: » Was he reporting “normal use” so he didn’t seem like he was purposely hacking the addon...

It was confirmed the use case is normal during the look into the issue, the person who reported the issue is also not likely the one who modified the file, though couldn't really say who did modify the file.

Odin.Slore said: » Great time to inform SE about this during a VW event. How many people were using this in last 2 weeks? How many people are gonna get nailed for this now inadvertently using it under normal conditions having no knowledge about a hack? Think SE will care that they didn't know about it? This probably just killed a ton of people.

This is why the flaw was reported now. To inform the community of the flaw and not SE then the flaw will be exploited. To inform only SE and not the community then more people might be banned. It is also not known how widespread the use of the given variant for voidwatch.lua is or how SE will react to the report. If the issue has only come up as a result of the patch and no consistent exploitation is evident then there may be no bans, we just don't know.

ryukin182 said: » The logic was almost coherent. Afraid of getting nailed again from last exploit and windower team getting blamed/targeted for lack of transparency. Now they are trying to do the right thing and be transparent... In the dumbest/stupidest/thoughtless possible way imaginable. At least their heart was in the right place?

It seemed this was the reaction the community expects, if the windower team is informed of an exploitable flaw in the game the flaw should be reported. This is the first time it's happened for the current team and that is what ended up being done with the information.

Jetackuu said: » ryukin182 said: » In the dumbest/stupidest/thoughtless possible way imaginable. This, I can't believe y'all.
Are you that obtuse that you can't see? I mean the Windower team are the same people who don't really get *** for making the game better with things they bring to the table (additions QOL etc), what do most people here bring, just a lot of bitching, self-entitlement and crying. Man grow the *** up already.

Quote: It is also not known how widespread the use of the given variant for voidwatch.lua is or how SE will react to the report. If the issue has only come up as a result of the patch and no consistent exploitation is evident then there may be no bans, we just don't know.

It would be great to know what some of the code was or an identifiable portion so people can check to know if people have that in their file. Think SE is going to be nice to those people and say, well you didn't know so we will let you slide this time? Incoming ban hammer round 3? What we up to for rounds this week?

Chimerawizard said: » Is this an excellent troll, an actual dupe that got reported, or both?

The underlying behavior that allows the flaw to become an exploit was reported to SE, yes was actually reported.
Odin.Slore said: » Quote: It is also not known how widespread the use of the given variant for voidwatch.lua is or how SE will react to the report. If the issue has only come up as a result of the patch and no consistent exploitation is evident then there may be no bans, we just don't know. It would be great to know what some of the code was or an identifiable portion so people can check to know if people have that in their file. Think SE is going to be nice to those people and say, well you didn't know so we will let you slide this time? Incoming ban hammer round 3? What we up to for rounds this week?

Dude... delete your file and download the one in OP if you want to continue using this add-on. What problem do you have with this logic?

holy ***... WTF good does it do to people that already have a file that do not know if that code is even in there? They may have it in there and not even know. Yes they can get the new one but if they used the modified one what the hell good will that do?
Seriously spengler stop talking about *** you don't know

Odin.Slore said: » It would be great to know what some of the code was or an identifiable portion so people can check to know if people have that in their file.

Any code that differs from the one linked in the OP is likely bad, aside from just having values in the tables at the top of the file commented out.

Odin.Slore said: » WTF good does it do to people that already have a file that do not know if that code is even in there? They may have it in there and not even know. Yes they can get the new one but if they used the modified one what the hell good will that do? Seriously spengler stop talking about *** you don't know

Leviathan.Nitenichi said: » Jetackuu said: » ryukin182 said: » In the dumbest/stupidest/thoughtless possible way imaginable. This, I can't believe y'all. Are you that obtuse that you can't see? I mean the Windower team are the same people who don't really get *** for making the game better with things they bring to the table (additions QOL etc), what do most people here bring, just a lot of bitching, self-entitlement and crying. Man grow the *** up already.

hmm newsflash: windower on its own is a bannable offense, although an unlikely one, everyone who has used it ever knows the risks, grow up.
Jetackuu said: » ryukin182 said: » In the dumbest/stupidest/thoughtless possible way imaginable. It's clear you thought about how they could have done it better for about as long as it took you to think of that extremely weird and stupid insult.

They could have done a lot better job with how/when/what information was given.

ryukin182 said: » Jetackuu said: » ryukin182 said: » In the dumbest/stupidest/thoughtless possible way imaginable. It's clear you thought about how they could have done it better for about as long as it took you to think of that extremely weird and stupid insult. They could have done a lot better job with how/when/what information was given.

They have no obligation to. Grow up.

ryukin182 said: » They could have done a lot better job with how/when/what information was given.

The team welcomes constructive criticism; this is the first time this has happened. If you have an example of how you would have liked it handled I encourage you to share it.
It's hard to do better than "<X> version of a piece of software has a glitch that could get you *** over, use <Y> instead, and any further details than that go to the authorities", from the perspective of someone who does computer security for part of their job. ;P Y'all just need to get over yourselves.
Props to the Windower team for the PSA; it's an unsupported addon so they easily could have said nothing and let tons of people screw themselves.

Literally nobody cares about bots that automate chest-popping except for pearl-clutching aunties who like to pretend they're not using GearSwap. SE doesn't, any more than they care about Windower itself. But something that sounds like it has the potential for some kind of severe, /unintentional/ bannable exploit is the kind of thing users ought to be made aware of ASAP.

Fenrir.Niflheim said: » ryukin182 said: » They could have done a lot better job with how/when/what information was given. The team welcomes constructive criticism; this is the first time this has happened. If you have an example of how you would have liked it handled I encourage you to share it.

If SE doesn't get ban happy for using a non-sanitized version before this thread, keep up the good work. I do not give a damn for me cause I don't use it. I do have an ancient copy on my system but with the exception of some wording location it is the same.
I mention this because no information was provided like code was changed around such and such a timeframe or section of code is such and such so if people have that they understand they're probably screwed but causing a panic without anything identifiable for the person is kinda wrong. A simple if you have this partial line of code in your vw lua I got bad news for ya. Obviously it has already been reported so if anyone uses it after that they are a complete dumbass and deserve to be banned.

Whether you know if your version is risky (well, riskier than just the normal version) doesn't help you; all that matters is what you do in the future with it, which they supplied sufficient information for.
Here's the thing though, the original was modified BECAUSE the cell/glow logic was flawed. It got modified to work properly.
Unless it's something else that was modified, this is why you can't be this vague. Now I highly doubt that simply switching two numbers or REMOVING a line of code caused it, but nothing would surprise me.

Honestly a community PSA that said hey shit's bugged, could lead to easier/more noticeable detection and bans, use this instead, we are investigating the issue and will report to SE when finished. Let the word get around without describing it explicitly as an exploit with potential upside, then after the ***storm calms down announce an end to said investigation (obviously can already found, potentially recreated and verified) report it to SE to allow for a better time window for the community to adjust what they have and give less of an excuse to the ignorant and stupid for continually using busted ***.
Granted this will probably only be rolling temp bans ala sphere botting or quetz so who really cares. But you can make the difference between putting people in the cross-hairs and helping the community. Also follow up after (if any) SE action takes place to verify it's been fixed and what was the cause would be much appreciated.

Is the modded one the one with heavy metal pouches being declared important items? idk
Quote: Literally nobody cares about bots that automate chest-popping except for pearl-clutching aunties who like to pretend they're not using GearSwap. SE doesn't, any more than they care about Windower itself. But something that sounds like it has the potential for some kind of severe, /unintentional/ bannable exploit is the kind of thing users ought to be made aware of ASAP.

I always thought SE cared a lot about Windower. That's why they added to vanilla: Windower, Tparty, Timestamp, Yarnball, Spellcast.

Doing that would both let the exploit fester for longer (opening up more people who are willing to take the risk to abuse it), give more chance for more people to get accidentally banned if SE figures it out first, and give them a higher chance of being retaliated against by SE because they knew about it but didn't immediately tell SE.
Jetackuu said: » They have no obligation to. Grow up.

But an even better way?

Odin.Bluemule said: » Honestly a community PSA that said hey shit's bugged, could lead to easier/more noticeable detection and bans, use this instead, we are investigating the issue and will report to SE when finished. Let the word get around without describing it explicitly as an exploit with potential upside

Don't mention there's an exploit with an upside, this will cause 10x the amount of bans than there ever would have been if they said nothing. You can't/won't stop people from figuring out the upside of the exploit when they -know- it's there. You can even just say there's a line of code added that's not intended which will lead to a potential ban if that lua is used, here's a non-dirty lua.