Author Topic: Ubisoft UPlay DRM Security Hole  (Read 6760 times)

Offline KingIsaacLinksr

  • Master Member
  • *****
  • Posts: 1,332
  • A Paladin Without A Crusade...
Ubisoft UPlay DRM Security Hole
« on: July 30, 2012, 11:41:42 am »
http://torrentfreak.com/ubisoft-drm-lets-in-remote-attackers-google-engineer-reports-120730/

One more reason I will never use DRM if I have the choice. This is just inexcusable to have to worry about gaming. From losing connection with the almighty server to now getting my computer hacked. Truly, this is worth it to keep those evil pirates out of the games. >=|
Casual reviewer with a sense of justice.
Visit the Arcen Mantis to help: https://www.arcengames.com/mantisbt/
A Paladin's Blog. Long form videogame reviews focusing on mechanics and narrative analyzing. Plus other stuff. www.kingisaaclinksr.com

Offline keith.lamothe

  • Arcen Games Staff
  • Arcen Staff
  • Zenith Council Member Mark III
  • *****
  • Posts: 19,505
Re: Ubisoft UPlay DRM Security Hole
« Reply #1 on: July 30, 2012, 11:46:24 am »
Oh good grief, and I was really enjoying Anno 2070 (picked it up during the summer sale).

Ah well, time to set up my firewall to block uplay's traffic and just play Anno in offline mode, because it's already activated.
Have ideas or bug reports for one of our games? Mantis for Suggestions and Bug Reports. Thanks for helping to make our games better!

Offline Aklyon

  • Core Member
  • *****
  • Posts: 2,089
Re: Ubisoft UPlay DRM Security Hole
« Reply #2 on: July 30, 2012, 11:54:02 am »
Ubisoft: So Bad at DRM, they managed to make their security anti-security :P

Offline keith.lamothe

Re: Ubisoft UPlay DRM Security Hole
« Reply #3 on: July 30, 2012, 11:57:46 am »
> Ubisoft: So Bad at DRM, they managed to make their security anti-security :P
They're definitely not the first ones to make that particular mistake.  DRM software has a relatively high rate of providing holes for hackers, for some reason.

Offline KingIsaacLinksr

Re: Ubisoft UPlay DRM Security Hole
« Reply #4 on: July 30, 2012, 11:57:59 am »
http://www.rockpapershotgun.com/2012/07/30/psa-possible-security-risk-in-some-ubisoft-pc-games/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+RockPaperShotgun+%28Rock%2C+Paper%2C+Shotgun%29

More in-depth article, plus updates. It..."seems" to be patched, but Ubisoft isn't commenting on the matter so be warned.


Ofc, they may never comment on it. They wouldn't want to admit they just opened the door to people's computer without warning.

Offline keith.lamothe

Re: Ubisoft UPlay DRM Security Hole
« Reply #5 on: July 30, 2012, 12:31:38 pm »
Thanks for the RPS link; ninja browser plugins have been ninja'd ;)

Offline Aklyon

Re: Ubisoft UPlay DRM Security Hole
« Reply #6 on: July 30, 2012, 12:32:59 pm »
But who ninjas the ninja-ing ninjas? :)

Offline KingIsaacLinksr

Re: Ubisoft UPlay DRM Security Hole
« Reply #7 on: July 30, 2012, 12:42:07 pm »
Further Update: Ubisoft acknowledges the problem and believes the patch they just pushed out should address the problem. Why Ubisoft needs a browser plugin is unknown at this time. No apology is forthcoming either.

http://www.rockpapershotgun.com/2012/07/30/ubisoft-respond-to-uplay-security-drama/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+RockPaperShotgun+%28Rock%2C+Paper%2C+Shotgun%29

Offline Volatar

  • Hero Member Mark III
  • *****
  • Posts: 1,055
  • Patient as a rock
Re: Ubisoft UPlay DRM Security Hole
« Reply #8 on: July 30, 2012, 02:10:05 pm »
I just made sure the browser plugins were gone. I am rather upset that they were installed at all without me knowing.

Offline keith.lamothe

Re: Ubisoft UPlay DRM Security Hole
« Reply #9 on: July 30, 2012, 02:18:41 pm »
> I just made sure the browser plugins were gone. I am rather upset that they were installed at all without me knowing.
Yea, I'm partly unhappy with Ubi for doing it, and partly unhappy with firefox/chrome for allowing it to happen without asking me first or at least notifying me "hey, there's a plugin here that wasn't there last time".

Are there any controls in firefox and/or chrome to require ask-for-confirmation or at least notification of a plugin install?

Not that it's primarily their fault for some other company not having the courtesy to ask, but a more general solution would appeal to me.

Offline TechSY730

  • Core Member Mark V
  • *****
  • Posts: 4,570
Re: Ubisoft UPlay DRM Security Hole
« Reply #10 on: July 30, 2012, 02:21:28 pm »
> > I just made sure the browser plugins were gone. I am rather upset that they were installed at all without me knowing.
>
> Yea, I'm partly unhappy with Ubi for doing it, and partly unhappy with firefox/chrome for allowing it to happen without asking me first or at least notifying me "hey, there's a plugin here that wasn't there last time".
>
> Are there any controls in firefox and/or chrome to require ask-for-confirmation or at least notification of a plugin install?
>
> Not that it's primarily their fault for some other company not having the courtesy to ask, but a more general solution would appeal to me.

In more recent versions, Firefox will compare the state of the plugins folders at the start of each launch compared to what they should be based off of their internal list of registered plugins. If any new plugins were added outside of its knowledge, it will, by default, disable them, and tell you what is new in the plugins folder and ask you if you want to enable them.

Not sure about Chrome.

Offline BobTheJanitor

  • Master Member Mark II
  • *****
  • Posts: 1,689
Re: Ubisoft UPlay DRM Security Hole
« Reply #11 on: July 30, 2012, 03:26:18 pm »
Can't check if I have it or not, since I'm at work right now, but I do find it awfully odd that something could install in firefox without my say-so. If I want to install an addon it asks me if I'm sure two or three times and makes me watch a button count down before actually letting me do it. How in the world can something install in the background with no input?

Offline TechSY730

Re: Ubisoft UPlay DRM Security Hole
« Reply #12 on: July 30, 2012, 03:32:01 pm »
> Can't check if I have it or not, since I'm at work right now, but I do find it awfully odd that something could install in firefox without my say-so. If I want to install an addon it asks me if I'm sure two or three times and makes me watch a button count down before actually letting me do it. How in the world can something install in the background with no input?

In Firefox, it is because they use a plugins folder, that is an ordinary file system folder. Although this is convenient, it is also impossible to ensure exclusive control (as it is a folder, anything can write to it using well-known APIs outside of Firefox).
That's why they implemented the "change detection" and conditional loading of stuff in that folder, and stuff installed outside of Firefox now gets disabled by default. I think they added that in, I think, Firefox 11. (Surprised it took them that long to do it though)
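
An added sketch of the launch-time check described in the post above (not part of the original thread and not Firefox's actual code): the plugins folder is compared with a registry saved at the previous launch, and anything that appeared or changed out of band stays blocked until the user approves it. The registry format, function names and plugin file names are assumptions made up for this example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def scan(plugin_dir):
    """Map every file in the plugin folder to its SHA-256 digest."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(plugin_dir.iterdir()) if p.is_file()}

def check_at_launch(plugin_dir, registry_file):
    """Return (load, blocked): names safe to load, and name -> reason for
    every file that appeared or changed since the registry was written."""
    old = json.loads(registry_file.read_text()) if registry_file.exists() else {}
    new, load, blocked = {}, [], {}
    for name, digest in scan(plugin_dir).items():
        entry = old.get(name)
        if entry is None:
            blocked[name] = "new"                # dropped in by something else
        elif entry["sha256"] != digest:
            blocked[name] = "changed"            # replaced on disk
        elif not entry["enabled"]:
            blocked[name] = "awaiting approval"  # seen before, never approved
        else:
            load.append(name)
        new[name] = {"sha256": digest, "enabled": name not in blocked}
    registry_file.write_text(json.dumps(new))    # deleted files drop out
    return load, blocked

def approve(registry_file, name):
    """Record the user's explicit consent to enable one plugin."""
    registry = json.loads(registry_file.read_text())
    registry[name]["enabled"] = True
    registry_file.write_text(json.dumps(registry))

def demo():
    """Constructed scenario: one approved plugin, then a silent side-load."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins, reg = Path(tmp, "plugins"), Path(tmp, "registry.json")
        plugins.mkdir()
        (plugins / "npapproved.dll").write_bytes(b"constructed plugin A")
        first = check_at_launch(plugins, reg)    # unknown file: blocked
        approve(reg, "npapproved.dll")
        (plugins / "npsideloaded.dll").write_bytes(b"written by an installer")
        second = check_at_launch(plugins, reg)   # only the side-load is blocked
        (plugins / "npapproved.dll").write_bytes(b"tampered")
        third = check_at_launch(plugins, reg)    # a changed file loses approval
        return first, second, third
```

Hashing the files, rather than only listing names, means a plugin that is swapped for a different binary under the same name is also held back.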

Offline Volatar

Re: Ubisoft UPlay DRM Security Hole
« Reply #13 on: July 30, 2012, 03:38:29 pm »
> In more recent versions, Firefox will compare the state of the plugins folders at the start of each launch compared to what they should be based off of their internal list of registered plugins. If any new plugins were added outside of its knowledge, it will, by default, disable them, and tell you what is new in the plugins folder and ask you if you want to enable them.
>
> Not sure about Chrome.

I am on a new Windows install so there is no contamination.

I installed one UPlay game. Assassin's Creed Brotherhood, last week.

I went to disable the addons today when I found out about them.

Firefox (running the latest version, even though I almost never use it) had the addon installed. I was never informed of this by Ubisoft or Firefox.

Chrome did not have the addon installed.

Offline TechSY730

Re: Ubisoft UPlay DRM Security Hole
« Reply #14 on: July 30, 2012, 03:46:33 pm »
> > In more recent versions, Firefox will compare the state of the plugins folders at the start of each launch compared to what they should be based off of their internal list of registered plugins. If any new plugins were added outside of its knowledge, it will, by default, disable them, and tell you what is new in the plugins folder and ask you if you want to enable them.
> >
> > Not sure about Chrome.
>
> I am on a new Windows install so there is no contamination.
>
> I installed one UPlay game. Assassin's Creed Brotherhood, last week.
>
> I went to disable the addons today when I found out about them.
>
> Firefox (running the latest version, even though I almost never use it) had the addon installed. I was never informed of this by Ubisoft or Firefox.
>
> Chrome did not have the addon installed.

That's strange. Either there is a hole in Firefox's plugins changed externally detection logic, or Ubisoft is poking around Firefox's registered plugin repository directly. Either way, that seems very strange.

If you feel up to it, you may want to report this in Firefox's bug system, and have them see if there is an oversight or something in the logic.