In previous builds some very sensitive data was exposed in JavaScript, and any mod could send this sensitive information to a 3rd-party server, but I have no idea why Uber decided to fix it this way; it's something I don't understand. Anyway, I only asked them about a special user authentication API which should be safe for players and easy for external services.
In itself, it wasn't, but the mechanism used to gather the information could have been used to gather more sensitive information, I believe.
I thought the mod just reads out the values from the same source the UI takes them from and sends them somewhere. I doubt that is a problem to do even now? The UI, after all, still knows your stats. Well, maybe this was about more complex stats or something; I never tried it. Or was the problem all about the recognition of who played with whom?
I have no idea what the problem with this mod is exactly, since oxide246 removed it from the forum. I don't think it's actually a good idea to remove things only because they're broken. I only reported a very basic security problem related to user authentication, which isn't related to the networking functions by themselves, but only to how UberNet and the client handle it. So we need some answer from Uber to understand why all networking moved to native code.
I didn't mess with any networking code as far as I can tell so far. Why should networking be in the GUI layer anyway? Sounds weird to me.
Networking itself wasn't in the GUI, but controls and session authentication data were there. Actually, I think it's really good when developers do not hardcode anything, so I want to believe Uber will bring it back when they have done more secure authentication.
This is what I'm guessing was the security risk, although there could have been more that I'm not aware of. With this information it might have been possible to hijack people's sessions by capturing the session key, although I'm not sure if it would have worked because I didn't try it. Actually, it would even have been possible to capture people's usernames and passwords when they logged in and post those out too. That is pretty bad, come to think of it.
Let's say: you actually don't need any special network request to leak data out of a web browser, and that won't be fixed. And Coherent is actually a web browser; it has tons of network functions inside. :roll: Somebody who tried to publish a malicious mod can be banned for doing that. But when some modder uses sensitive data for something it's not designed to be used for, it's a bigger problem, because users reduce their own security and agree to doing so.