
[Vulnerability] ALL in-game chat is unsecure, can be seen by anyone

NoNameNamer ✭✭✭✭
edited April 2023 in Engineering Room
In-game notifications such as chat messages are implemented through a third-party PubSub service, and all it takes to subscribe to them is a fleet's DBID or a player's DBID, which are exposed everywhere in the game (on player inspection, on fleet inspection, on event leaderboards, chat messages, etc.) and outside the game (e.g. by sharing your profile on Datacore). This allows anyone to read any fleet's chat channels, squadron channels and any player's private messages. Similarly, any player can send messages on any of these channels.

I don't know what other notifications get passed through this system, but I have noticed FBB attacks are also published like this, so one could monitor every fleet's FBB attacks.
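Added example, not part of the original post and not the game's or the PubSub provider's code: one way to close the gap described above is to have the game backend issue short-lived, signed grants per channel and operation, so that knowing a DBID is no longer enough to subscribe or publish. The channel names, membership table, key and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample data; key, channel names and DBIDs are hypothetical.
SERVER_KEY = b"demo-key-kept-server-side-only"
MEMBERSHIP = {  # player DBID -> channels the backend says that player belongs to
    1001: {"player.1001", "fleet.77", "squadron.5"},
    2002: {"player.2002", "fleet.88"},
}
TOKEN_TTL = 300  # seconds a grant stays valid


def _sign(player, channel, mode, expires):
    """HMAC over every field of the grant, so none can be altered afterwards."""
    msg = f"{player}|{channel}|{mode}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_grant(session_player, channel, mode, now=None):
    """Game backend: grant only if the authenticated player belongs to the channel."""
    if mode not in ("subscribe", "publish"):
        return None
    if channel not in MEMBERSHIP.get(session_player, set()):
        return None  # a public DBID identifies a channel, it does not authorize
    expires = (now if now is not None else int(time.time())) + TOKEN_TTL
    return {"player": session_player, "channel": channel, "mode": mode,
            "expires": expires, "sig": _sign(session_player, channel, mode, expires)}


def broker_allows(grant, channel, mode, now=None):
    """Message broker side: accept only a valid, unexpired grant for this exact
    channel and operation. Assumes the broker can verify the backend's signature."""
    if not grant:
        return False
    now = now if now is not None else int(time.time())
    expected = _sign(grant["player"], grant["channel"], grant["mode"], grant["expires"])
    return (hmac.compare_digest(expected, grant["sig"])
            and grant["channel"] == channel
            and grant["mode"] == mode
            and grant["expires"] > now)


if __name__ == "__main__":
    member = issue_grant(1001, "fleet.77", "subscribe")
    outsider = issue_grant(2002, "fleet.77", "subscribe")  # knows the DBID only
    print("member allowed:", broker_allows(member, "fleet.77", "subscribe"))
    print("outsider allowed:", broker_allows(outsider, "fleet.77", "subscribe"))
```
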

Comments

  • Hi, I'll pass this to the dev team. Thank you for letting me know.
  • DAEDAE ✭✭✭
    @NoNameNamer Just wanted to say thank you 🖖🏻. It takes a fair amount of time and extra effort to look into this stuff and then post about it. I always look forward to the next installment….😁