Exploit History Vol. 21: Arcgames Vanilla Software Post Leak
Today’s episode of our Exploit History is a different one, because we’re not actually talking about in-game stuff. The bug was nonetheless directly related to the game, because it allowed pretty much everyone to read postings on the Arcgames Vanilla forum software that they shouldn’t have had access to. As is often the case, the cause was fairly simple: one particular API call of the Vanilla software bypassed the permission system.
GetQuote Bypassed the Permission System
Whenever a user uses the “Quote” function, the forum sends a request to the server to retrieve the post and put it into the reply box. That call ignored permissions entirely and could retrieve any discussion, comment, or user report. We saw dumps from the forum with posts we definitely shouldn’t have had access to.
The structure in which we received the data didn’t allow us to completely understand where the quotes were coming from. But we’re pretty sure all private areas of the forum, including mod talk and user reports, could be accessed this way. And we can’t fully rule out private messages either, although that seems unlikely. The bug has since been fixed, and PWE never acknowledged the massive hole in the software they use. By the way, no actual user data was affected, but obviously nobody should be too thrilled that all posts got exposed. The report war behind the scenes, for example, is nothing to be proud of…
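To make the bug class concrete, here is an added illustration in Python (not Vanilla’s own PHP code, and not taken from the forum): a toy forum where the “before” quote lookup fetches a comment by id alone, and the “after” version runs the same category permission check the normal discussion view uses. The categories, roles, users and comments are constructed sample data.

```python
"""Object-level authorization on a forum "quote" endpoint.

Illustrative Python, not Vanilla's own code. It models the bug described
above: the quote call fetched a post by id without checking whether the
caller may view the category the post lives in. All names and data below
are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # constructed roles, e.g. {"member"} or {"member", "moderator"}


@dataclass(frozen=True)
class Category:
    name: str
    view_roles: frozenset  # roles allowed to read this category


@dataclass(frozen=True)
class Comment:
    comment_id: int
    category: str
    author: str
    body: str


# Constructed sample data: a public board and a moderator-only board.
CATEGORIES = {
    "general": Category("general", frozenset({"member", "moderator"})),
    "mod-talk": Category("mod-talk", frozenset({"moderator"})),
}
COMMENTS = {
    1: Comment(1, "general", "alice", "Patch notes look good."),
    2: Comment(2, "mod-talk", "modbob", "Keep an eye on that report thread."),
}


class NotFound(Exception):
    """Raised for both missing and forbidden ids, so a caller cannot tell
    a hidden post apart from a nonexistent one and enumerate private areas."""


def get_quote_vulnerable(comment_id: int) -> Comment:
    """Before: fetch by id only. Anyone who can reach the endpoint reads
    any comment, regardless of the category's permissions."""
    if comment_id not in COMMENTS:
        raise NotFound(comment_id)
    return COMMENTS[comment_id]


def can_view(user: User, category_name: str) -> bool:
    """The permission check the quote endpoint must share with the regular
    discussion view: the user needs at least one role allowed on the category."""
    category = CATEGORIES.get(category_name)
    return category is not None and bool(user.roles & category.view_roles)


def get_quote(user: User, comment_id: int) -> Comment:
    """After: same lookup, but the caller's permission on the comment's
    category is checked before anything is returned."""
    comment = COMMENTS.get(comment_id)
    if comment is None or not can_view(user, comment.category):
        raise NotFound(comment_id)
    return comment


def quote_allowed(user: User, comment_id: int) -> bool:
    """True if the hardened endpoint would serve the quote, False if it refuses."""
    try:
        get_quote(user, comment_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    member = User("carol", frozenset({"member"}))
    mod = User("modbob", frozenset({"member", "moderator"}))
    print(get_quote_vulnerable(2).body)  # the mod-only post leaks to anyone
    print(quote_allowed(member, 2))      # False: plain member is refused
    print(quote_allowed(mod, 2))         # True: moderator may quote it
```

The important design point is that the quote endpoint reuses exactly the same check as the page that renders the discussion; a second, hand-rolled check is how endpoints like this drift out of sync with the permission system in the first place. Returning the same “not found” result for missing and forbidden ids keeps the endpoint from confirming which private posts exist.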
Exploit History: Locking Auctions – Caturday – Masterwork Nodes – Permadodge – Arcane Reservoir – Full GF Runs – Attribute Enhancement – Using the old Refining System – Killing Fulminorax and Valindra From Below – Skipping Shadowfell – Resonator Exploit – Safely Killing Traven Blackdagger – Foundry Power Leveling – Castle Never Picture Frame Shortcut – Infinite Buff Stacks and One-Shotting CWs – Max Level In About One Hour – No Ward Consumption – Gateway Scripting – Temple of the Spider Exploits – Foundry Refinement Botting
It would be interesting to see what mods were saying to each other, and some comments from devs would be quite interesting as well.
🙂
I don’t agree. Look, it’s a workplace. We say things at our workplaces that reflect our personal frustrations and organizational traumas, but they aren’t an accurate view either. The truth is always somewhere in between and real jobs always have challenges.
God forbid my clients could read all the stuff my colleagues and I say about their ideas. There is a reason for that saying about not wanting to know how the sausage is made.
And let’s be honest, we, the players, tend to be an opinionated bunch who are far from shy when sharing those opinions. I would be shocked if the mods and devs didn’t on occasion need to vent. And they absolutely have a right to do so free from prying eyes.