[Vulnerability] ALL in-game chat is unsecure, can be seen by anyone
NoNameNamer
In-game notifications such as chat messages are implemented through a third-party PubSub service, and all it takes to subscribe to them is a fleet's DBID or a player's DBID, which are exposed everywhere in the game (on player inspection, on fleet inspection, on event leaderboards, chat messages etc.) and outside the game (e.g. by sharing your profile on Datacore). This allows anyone to read any fleet's chat channels, squadron channels and any player's private messages. Similarly, any player can send messages on any of these channels.
I don't know what other notifications get passed through this system but I have noticed FBB attacks are also published like this so one could monitor every fleet's FBB attacks.
12
Comments
Proof of concept:
We apologize for the delay and thank you once again for sharing this with us. We truly appreciate it, as this is an important topic that needs to be addressed.
Our team is aware of the issue and is actively working to resolve it.
Thank you,
LLAP!
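
The weakness reported in the original post is that knowing a DBID is enough to join a channel. The Python sketch below is an added example, not the game's or the PubSub provider's code: it shows the usual mitigation, where the game server issues a short-lived signed grant only for channels the authenticated player belongs to, and the PubSub side rejects any subscribe or publish without a valid grant. The key, IDs, channel names and membership table are all constructed assumptions.

```python
import hashlib
import hmac
import time

# Everything here is constructed for illustration: the key, the IDs,
# the channel naming scheme and the membership table are assumptions.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
FLEET_MEMBERS = {"fleet-1001": {"player-42", "player-43"}}  # fleet DBID -> member DBIDs


def allowed_channels(player_id):
    """Channels a player may join, decided from server-side state only."""
    chans = {f"player.{player_id}"}  # the player's own private-message channel
    for fleet_id, members in FLEET_MEMBERS.items():
        if player_id in members:
            chans.add(f"fleet.{fleet_id}")
    return chans


def _sign(player_id, channel, expires):
    # '|' is assumed never to appear in IDs or channel names.
    msg = f"{player_id}|{channel}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_grant(player_id, channel, now=None, ttl=300):
    """Game server: called for an authenticated session; returns a grant or None."""
    if channel not in allowed_channels(player_id):
        return None  # knowing a DBID is not membership
    expires = int(now if now is not None else time.time()) + ttl
    return {"player": player_id, "channel": channel, "expires": expires,
            "sig": _sign(player_id, channel, expires)}


def broker_accepts(grant, channel, now=None):
    """PubSub side: allow subscribe/publish only with a valid, unexpired grant."""
    if not grant or grant["channel"] != channel:
        return False
    if (now if now is not None else time.time()) > grant["expires"]:
        return False
    expected = _sign(grant["player"], grant["channel"], grant["expires"])
    return hmac.compare_digest(expected, grant["sig"])
```

The same grant check has to gate publishing as well as subscribing, since the report covers both reading and sending on other players' channels.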