
Ubisoft browser plugin DRM--uPlay (pre 2.0.4)--has backdoor

Discussion in 'Off Topic' started by rejecht, Jul 30, 2012.

  1. Big-Al

    Big-Al amateur de bière

  2. FireSlash

    FireSlash Whats a FireSlash?

    I feel I should probably point out that what Ubisoft has installed here isn't a backdoor. The bug isn't even related to DRM beyond the fact that the addon itself is packaged with their DRM.

    It's really just a common programmer mistake on a piece of code that probably should have been reviewed a few more times before shipping.

    Uplay installs a browser addon that allows them to produce clickable links to launch Uplay. The idea here was probably to help aid support and integrate better with their website by allowing you to click a link that might, for example, connect you to a server, or launch a game. Similar to how the steam:// URL scheme works but implemented as a browser addon instead.

    The problem is that the programmer who wrote this little bit of code forgot to scrub the input for malicious input. As a result, someone figured out how to embed other launch commands into the scheme that will fire off raw. Basically it allows a website to run a program. This obviously becomes problematic when you start command chaining to produce solutions like "download this file, then run it, then i just pwnd you".

    So while you may hate Ubisoft, Uplay, or whatever for introducing this security flaw, it's kind of annoying to see people crucifying them for installing a backdoor when they didn't. It should also be pointed out that Ubi had a fix out the same day the story broke.
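
The input-scrubbing mistake described in the post above, next to a hardened handler, as an added example that is not part of the thread and not Ubisoft's code. The `examplelauncher://` scheme, the `launcher.exe` arguments and the `id` parameter are hypothetical, and the sample links are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical allowlist: link action -> fixed argv prefix (assumed names).
ALLOWED_ACTIONS = {
    "launch": ["launcher.exe", "--game-id"],
    "join": ["launcher.exe", "--join-server"],
}
# The single parameter may only contain these characters, 1 to 64 of them.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._:-]{1,64}")

# Constructed sample links; "other.exe" is a harmless placeholder.
GOOD_LINK = "examplelauncher://launch?id=42"
HOSTILE_LINK = "examplelauncher://launch?id=42%20%26%20other.exe"


def naive_command(link):
    """Unsafe pattern: decoded link text is pasted into one command string,
    so anything the web page put in the link reaches the command line."""
    return "launcher.exe " + unquote(link.split("://", 1)[1])


def safe_argv(link):
    """Return an argv list for an allowlisted action or raise ValueError.
    The result is meant for subprocess.run(argv) without shell=True."""
    parts = urlsplit(link)
    if parts.scheme != "examplelauncher":
        raise ValueError("unexpected scheme")
    if parts.netloc not in ALLOWED_ACTIONS:
        raise ValueError("action not allowlisted")
    # strict_parsing rejects malformed pairs instead of skipping them.
    values = parse_qs(parts.query, strict_parsing=True).get("id", [])
    if len(values) != 1 or not SAFE_VALUE.fullmatch(values[0]):
        raise ValueError("bad id parameter")
    return ALLOWED_ACTIONS[parts.netloc] + [values[0]]


if __name__ == "__main__":
    print(naive_command(HOSTILE_LINK))  # extra command rides along
    print(safe_argv(GOOD_LINK))
    try:
        safe_argv(HOSTILE_LINK)
    except ValueError as err:
        print("rejected:", err)
```
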
     
  3. Sir_Brizz

    Sir_Brizz Administrator Staff Member

    Within 6 hours, actually, which is rather quick for them.
     
  4. rejecht

    rejecht Attention Micronians

    Was it you? :>


    It wasn't a backdoor by design, but by function. "Backdoor" would probably be more correctly used in a context where we're talking about malicious software, but it's just a quickpost as a heads up. Add to that I don't own any Ubisoft titles because I don't own any Ubisoft titles. In retrospect I'd change the subject to something like "PC vs Console (Was: Ubisoft uPlay bug opens computer to interwebs)."
     
  5. FireSlash

    FireSlash Whats a FireSlash?

    No, this is my claim to bug fame.
     
  6. Sir_Brizz

    Sir_Brizz Administrator Staff Member

    Wait... you work for Valve on Steam?
     
  7. Capt.Toilet

    Capt.Toilet Good news everyone!

    If FireSlash does then I shall say this. Brizz gets games for free so I want games for free. Free games for me = yay. Get on it.
     
  8. FireSlash

    FireSlash Whats a FireSlash?

    No.
     
  9. rejecht

    rejecht Attention Micronians

    I could hear Sir Brizz's eyes salivating all the way from Norway. :lol:


    Programming is still a multi-contextual experience. Logical glitches are simply not avoidable. Add to that, some logical glitches come with a higher public multiplication factor than others. (I still remember Service Pack 6 (SP6) for Windows NT 4.0--after a reboot, the TCP/IP stack would stop working, thus was born SP6a.)
     
