Potential Object Injection Attack Vulnerability

Developers
1

Just wanted to call this out. Not going to post how to do it, but there is a vulnerability where any user can add objects to a space rapidly. Based on the object/map size limitations, this could cause loading issues, potential map crashes, and lock users out of being able to place objects.

@npfoss @Kevin-RtR Have you all discussed this before? I had avoided digging into it, but I recently ran across some users trying to be clever and decided to get ahead of them.

2

Hey @Bill_Uncork-It,

I’m not sure if I’ve run into this particular use case, but I have definitely seen some scary attack vectors via the console that seem to be accessible in any space. Those ones require a good deal of knowledge about Gather though to perform, but it sounds like the one you found is easy enough that regular users were able to perform it. Was it possible in any space regardless of user permissions? I’m assuming so, since you said any user can add objects. The fact that they can do so rapidly sounds even worse. If it doesn’t even require console knowledge, then I haven’t run into it yet. Hopefully @npfoss can take a look and patch it out soon. In the meantime, would it be possible to block via the API?

Thanks!
Kevin

3

This one in particular does require “some” knowledge of the API and console, but as it can be done with one command, and by accident trying to do something else, I decided to bring it up.

There is not a great API solution, but there is a space settings change that will disable the issue. Unfortunately, it also disables a feature a lot of people like, and that Gather promotes regularly (being vague on purpose, I can DM you specifics)

4

Ah ok, then this sounds a lot like something I’ve run into too. I have a bit of a fix using the API, but it’s a pretty big pain to implement. Let’s discuss offline to see if we can package up the details to provide better for Nate and Gather, especially if we both found the same vulnerability. @npfoss, what would be the most helpful information for @Bill_Uncork-It and me to provide in order to support getting something like this patched up? Thanks!

5

hey yeah thanks for reporting this, and sorry for the slow response
want to untangle two things

  1. people being able to build without permission – you aren’t saying this, right? just that if you leave globalBuild or something on, then it’s easier for any guest to DoS a space?
  2. it’s kinda easy to DoS a space by spamming actions
    • this should not be possible to do accidentally in the normal course of using Gather
    • this should not be possible even on purpose without the console for an untrusted guest (i.e. not mod/builder/owner)
    • it is unfortunately not that hard with use of the console. there are some basic protections in place that help overall (like rate limits etc), but it’s definitely still possible if you have a sense for what operations are expensive. This has been a known, open TODO for a while but hasn’t actually ever caused problems as far as I know, so it keeps not being the top priority

Does that seem right? /Have you found cases that break that understanding of how things are now?

6

  1. I am saying this. I could, right now, go into any space I had a URL for, with or without Global Build, and drop in objects of my choosing (provided one specific setting is enabled). At a very rapid rate, too. Without knowing what the space data size limits are, I cannot predict how easy it would be to overload a space, but knowing the size is limited, it is definitely possible (even just filling a space with a million blank tiles).

  2. This appears to be protected by rate limiting/user permissions. Some actions are definitely less optimal than others, but the impact is not very visible unless someone really knows what they are doing.

7
  1. thanks for the DM
  2. ok cool, I’ll leave it at that for now then. but let me know if you see people exploiting it
8

Do I understand correctly that this will not be fixed and that we should report if we notice that people are exploiting it?

9

I believe he is saying that they are not going to try and establish a way of limiting console actions. The other thing will hopefully get fixed.

10

Looking forward to hear clearification from @npfoss .
.

11

I’m not going to do anything extra right now to prevent DoSing via console, unless we see signs of it being a problem. (We’ve already had basic protections in place for a long time and it seems like that’s been enough so far)

What we will fix asap is any instance where people can do stuff via console that they shouldn’t be allowed to (but this should be impossible)

12

Can you please describe in more detail what will no longer be possible via console in the future? I want to know if one of our scripts doesn’t work anymore after that.

13

I don’t currently plan to remove anything. I just mean if there happened to be a command like game.kickEveryone_UNSAFE() that you could run without being a mod, then I’d fix that asap (by requiring you to be a mod for it to work)

2 Likes
14

Hi @npfoss , just a kind reminder that this Vulnerability is still there and that there are even people on social media Brag about it proudly and joke about GT while spamming big conferences with objects.

15

Yep we saw https://twitter.com/zack_overflow/status/1619398878327107585 – a fix is going out today

1 Like
16

Thank you :hugs: very much