Demios Primus
Konstrukteure der Zukunft The Initiative.
1
|
Posted - 2016.02.25 03:56:35 -
[1] - Quote
I don't know how long this has been possible, but disable this function please.
It used to be safe to click on anything, worst that could happen was that you saw some disgusting pictures.
Shellexec however and the ability to link pretty much anything with an URL makes it possible to spread malware through in-game links that everybody can click on. And it's way too easy to make clickbait in eve.
Fix this ASAP or tell me how to disable this myself.
Best Regards,
Demios |
Iain Cariaba
2704
|
Posted - 2016.02.25 06:04:30 -
[2] - Quote
Demios Primus wrote:...tell me how to disable this myself. Try using basic internet security methods, the first one being that you don't open **** that you don't know what it is.
EvE is hard. It's harder if you're stupid.
I couldn't have said it better.
Hello, Mr Carebear. Would you like some cheese with that whine?
|
Barrett Fruitcake
State War Academy Caldari State
55
|
Posted - 2016.02.25 08:14:51 -
[3] - Quote
I also think this command should be disabled within the IGB, or at least an option to disable it should exist.
|
Luscius Uta
Anomalous Existence Low-Class
200
|
Posted - 2016.02.25 08:52:33 -
[4] - Quote
I'm surprised that Jita local isn't full of people abusing this. I guess it's one of the less-known features and CCP probably thinks it isn't a big security hole (after all, not like people can delete your boot.ini with it).
Workarounds are not bugfixes.
|
Iain Cariaba
2704
|
Posted - 2016.02.25 11:56:41 -
[5] - Quote
Luscius Uta wrote:I'm surprised that Jita local isn't full of people abusing this. I guess it's one of the less-known features and CCP probably thinks it isn't a big security hole (after all, not like people can delete your boot.ini with it). Jita isn't full of people abusing this because most people that play EvE have at least enough tech savviness to keep it from affecting them. The most basic of internet security measures will keep this from ever happening to you.
EvE is hard. It's harder if you're stupid.
I couldn't have said it better.
Hello, Mr Carebear. Would you like some cheese with that whine?
|
Bumblefck
Kerensky Initiatives
10997
|
Posted - 2016.02.25 12:55:16 -
[6] - Quote
I, too, am soft in the head and compulsively click on EVERY GODDAMNED LINK IN JITA LOCAL like a fool
Got a HoleySheet1 corpse? I'll buy it for 200m!
Bumble's Space Log
|
Barrogh Habalu
Imperial Shipment Amarr Empire
1097
|
Posted - 2016.02.25 13:19:05 -
[7] - Quote
I think it was stated at one point that CCP are more eager to remove IGB altogether rather than keep updating it to close security holes and whatnot.
Future of T3 cruisers - multi-tool they aspired to be instead of sledgehammer they have become
|
Iain Cariaba
2704
|
Posted - 2016.02.25 15:37:47 -
[8] - Quote
Bumblefck wrote:I, too, am soft in the head and compulsively click on EVERY GODDAMNED LINK IN JITA LOCAL like a fool At least you admit it.
EvE is hard. It's harder if you're stupid.
I couldn't have said it better.
Hello, Mr Carebear. Would you like some cheese with that whine?
|
Frostys Virpio
KarmaFleet Goonswarm Federation
2630
|
Posted - 2016.02.25 15:41:57 -
[9] - Quote
Bumblefck wrote:I, too, am soft in the head and compulsively click on EVERY GODDAMNED LINK IN JITA LOCAL like a fool
How am I supposed to check if those links really are scams without clicking them? I could also be missing out of the cutest cat kitten picture ever if I don't click the links. Is this really what you want? You want people to miss out on the cutest kitten picture ever???? |
Serendipity Lost
Repo Industries
1862
|
Posted - 2016.02.25 16:44:42 -
[10] - Quote
Frostys Virpio wrote:Bumblefck wrote:I, too, am soft in the head and compulsively click on EVERY GODDAMNED LINK IN JITA LOCAL like a fool How am I supposed to check if those links really are scams without clicking them? I could also be missing out of the cutest cat kitten picture ever if I don't click the links. Is this really what you want? You want people to miss out on the cutest kitten picture ever????
I love kittens! |
|
Demios Primus
Konstrukteure der Zukunft The Initiative.
2
|
Posted - 2016.02.26 21:01:10 -
[11] - Quote
It's more like, how am I supposed to know this is not the relinked destination system in fleet, but some other link doing who knows what outside of my eve client? I wasn't talking about Jita at all. This is about the ability of spies to **** up your fleet when they get into fleet. |
Iain Cariaba
2709
|
Posted - 2016.02.26 21:39:42 -
[12] - Quote
Demios Primus wrote:It's more like, how am I supposed to know this is not the relinked destination system in fleet, but some other link doing who knows what outside of my eve client? I wasn't talking about Jita at all. This is about the ability of spies to **** up your fleet when they get into fleet. If you take a tiny bit of time to hover on a link before clicking on it, it tells you what the link is. I've never seen a destination posted that was so time critical that you couldn't wait for the pop-up to verify what you're clicking on.
Also, last I checked, spreading malicious code in that manner not only violates the TOS, which will get them banned, but actually violates the law in many countries. Try reporting it when you see it.
EvE is hard. It's harder if you're stupid.
I couldn't have said it better.
Hello, Mr Carebear. Would you like some cheese with that whine?
|
Demios Primus
Konstrukteure der Zukunft The Initiative.
4
|
Posted - 2016.02.26 21:52:50 -
[13] - Quote
Since there are people DDoSing voice servers, I'm not entirely sure they would stop at that, especially when it might be possible to hijack someone else's eve account afterwards.
This is a dangerous feature and it has no ingame use. Surely you agree on that.
The argument "check what you click on" has been there since the beginning of the internet and even before that, yet still people keep getting infected.
No email provider would need to check the mail for malware if we were to live in your utopia, Iain Cariaba.
The fact that this feature is unknown to most of the eve players makes it even more dangerous. |
Masao Kurata
Perkone Caldari State
415
|
Posted - 2016.03.03 14:38:54 -
[14] - Quote
As far as I can tell, there's no obvious way to exploit this. EVE only attempts to open the link if it is of the form shellexec:http:... or shellexec:https:... , making it as safe as your browser. In contrast, the IGB is obviously and demonstrably insecure, and rooting the computer of anyone who clicks an IGB link to a site hosting exploits for the out of date chrome version used is trivial.
It's possible that I'm missing something of course, but the shellexec links are handled by executing rundll32.exe url.dll,FileProtocolHandler URL . rundll entry points get everything after the function name passed to them as a single string, so executing another local command by manipulation of the URL doesn't seem to be possible, but maybe a buffer overflow could be triggered in url.dll's FileProtocolHandler or (more likely) in EVE. A brief investigation didn't reveal any such vulnerabilities, so I'm inclined to say this is vastly more secure than the IGB. |
Terminal Insanity
Pwn 'N Play SpaceMonkey's Alliance
895
|
Posted - 2016.03.03 19:59:27 -
[15] - Quote
While I enjoy making fake killmails that link to Rick Astley, I agree this should be disabled.
It's a large security risk, not to mention probably very annoying for people who play fullscreen, or on ****** computers, and then they have to sit there loading their web browser and losing their game client
"War declarations are never officially considered griefing and are not a bannable offense, and it has been repeatedly stated by the developers that the possibility for non-consensual PvP is an intended feature." - CCP
|
Lugh Crow-Slave
1643
|
Posted - 2016.03.03 20:01:29 -
[16] - Quote
Terminal Insanity wrote:While I enjoy making fake killmails that link to Rick Astley, I agree this should be disabled.
It's a large security risk, not to mention probably very annoying for people who play fullscreen, or on ****** computers, and then they have to sit there loading their web browser and losing their game client
1. Why the hell are you playing full-screen? Borderless is your friend.
2. Don't click random links.
Citadel worm hole tax
|
Iain Cariaba
2746
|
Posted - 2016.03.04 00:26:56 -
[17] - Quote
Terminal Insanity wrote:While I enjoy making fake killmails that link to Rick Astley, I agree this should be disabled.
It's a large security risk, not to mention probably very annoying for people who play fullscreen, or on ****** computers, and then they have to sit there loading their web browser and losing their game client 1. As Lugh said, Fixed Window mode is your friend. Client does not need to minimize to switch to another application.
2. Briefly hovering over a link before clicking on it will display what the link is. If someone links a killmail, it says "Kill Report" in the tool tip. If someone disguises a link as a kill report, it will show the URL in the tool tip. Basic awareness of your actions is your best defense.
EvE is hard. It's harder if you're stupid.
I couldn't have said it better.
Hello, Mr Carebear. Would you like some cheese with that whine?
|
Miss 'Assassination' Cayman
CK-0FF Bad Intention
31
|
Posted - 2016.03.05 14:32:01 -
[18] - Quote
Demios Primus wrote:this is a dangerous feature and it has no ingame use. surely you agree on that. Huge disagreement here. First of all, it isn't dangerous. Sure, it can send you to sites you don't want to go to, but if you have your normal browser set up in any reasonable way it shouldn't be a problem. It can't do anything except open an http or https link in your normal browser, so there's not much more potential for danger than opening it in the IGB. Second, it definitely does have a use. For example, links to Google forms that can't be completed in the ingame browser. It's much more convenient to have a shellexec link to open the form in a working browser than to explain to people that it doesn't work ingame and that they need to copy and paste the URL. Another example is the way my corp has a link to our TeamSpeak server in the corp channel MOTD. It's quite handy for new recruits to just click the link and ok the redirect to open it with TeamSpeak.
Really the only abuse of it I've seen is making the occasional harmless troll link. |
John FlyingTrucks
Perkone Caldari State
0
|
Posted - 2016.03.06 05:16:57 -
[19] - Quote
Miss 'Assassination' Cayman wrote:
Really the only abuse of it I've seen ...
Is just scratching the surface of the potential for this getting misused.
Read up on this: Ransom32 is the first Ransomware written in Javascript and then see if you hold the same opinion.
|
Miss 'Assassination' Cayman
CK-0FF Bad Intention
32
|
Posted - 2016.03.06 05:30:52 -
[20] - Quote
And what happens when the ingame browser is removed and all links open in an external browser? Or what if someone links something like that and tells people that it doesn't work in the ingame browser so they open it in an external browser themselves? |
|
John FlyingTrucks
Perkone Caldari State
0
|
Posted - 2016.03.06 06:00:59 -
[21] - Quote
Miss 'Assassination' Cayman wrote:And what happens when the ingame browser is removed and all links open in an external browser? Or what if someone links something like that and tells people that it doesn't work in the ingame browser so they open it in an external browser themselves?
I see your point.
The makers of Teamspeak faced the same problem. Their solution was to present a warning dialog to the user, showing them the actual URL they'd be going to, and giving them options of [ Open Link ] or [ Abort ].
|
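The http/https restriction that Masao Kurata reports in post 14 and the TeamSpeak-style confirmation dialog John FlyingTrucks describes in post 21, as an added Python example that is not from the thread or the EVE client; the function names are hypothetical and the rundll32 command line is the one quoted in the thread:

```python
"""Defensive handling of in-game "shellexec:" links (added example, not EVE
client code): accept only http/https targets and show the real URL in a
TeamSpeak-style [ Open Link ] / [ Abort ] dialog before the OS handler runs."""
from urllib.parse import urlsplit

PREFIX = "shellexec:"
ALLOWED_SCHEMES = {"http", "https"}


def extract_target(href: str):
    """Return the URL carried by a shellexec link, or None to refuse it.

    Anything that is not an absolute http/https URL with a host is refused,
    so file: URLs and bare local paths never reach the OS handler.
    """
    if not href.lower().startswith(PREFIX):
        return None
    target = href[len(PREFIX):].strip()
    # Embedded whitespace or control characters could make the displayed text
    # differ from what the handler receives, so refuse them outright.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return None
    parts = urlsplit(target)  # urlsplit lower-cases the scheme for us
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    try:
        _ = parts.port  # a non-numeric port raises ValueError
    except ValueError:
        return None
    return target


def describe_target(target: str) -> str:
    """Text shown in the confirmation dialog: scheme, host and path only.

    The hostname is taken after any user@ prefix, so a link whose text or
    userinfo suggests one site while pointing at another shows the real host.
    """
    parts = urlsplit(target)
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname}{port}{parts.path or '/'}"


def handler_argv(target: str):
    """Argument vector for the handler the thread names. Built as a list so
    the URL travels as one argument and is never interpreted by a shell."""
    return ["rundll32.exe", "url.dll,FileProtocolHandler", target]


def open_link(href: str, confirm) -> bool:
    """confirm(description) stands in for the [ Open Link ] / [ Abort ] dialog.
    Returns True only when the link validated and the user agreed; nothing is
    executed here, a real client would spawn handler_argv(target)."""
    target = extract_target(href)
    if target is None:
        return False
    return bool(confirm(describe_target(target)))
```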
Iain Cariaba
2761
|
Posted - 2016.03.06 06:08:55 -
[22] - Quote
John FlyingTrucks wrote:Miss 'Assassination' Cayman wrote:And what happens when the ingame browser is removed and all links open in an external browser? Or what if someone links something like that and tells people that it doesn't work in the ingame browser so they open it in an external browser themselves? I see your point. The makers of Teamspeak faced the same problem. Their solution was to present a warning dialog to the user, showing them the actual URL they'd be going to, and giving them options of [ Open Link ] or [ Abort ]. You can already see what the link you're clicking on is by hovering over it. The tooltip will display the url for web links.
EvE is hard. It's harder if you're stupid.
I couldn't have said it better.
Hello, Mr Carebear. Would you like some cheese with that whine?
|
John FlyingTrucks
Perkone Caldari State
0
|
Posted - 2016.03.06 11:22:42 -
[23] - Quote
Iain Cariaba wrote: You can already see what the link you're clicking on is by hovering over it. The tooltip will display the url for web links.
There is a 1 to 2 second delay on those that doesn't fit well with competitive situations.
|
Miss 'Assassination' Cayman
CK-0FF Bad Intention
35
|
Posted - 2016.03.06 16:43:24 -
[24] - Quote
John FlyingTrucks wrote:Iain Cariaba wrote: You can already see what the link you're clicking on is by hovering over it. The tooltip will display the url for web links. There is a 1 to 2 second delay on those that doesn't fit well with competitive situations. What are these competitive situations? The only thing I can think of is trying to grab a contract before anyone else, and that's just begging to be scammed. Also you can reduce the tooltip delay in the options. |
John FlyingTrucks
Perkone Caldari State
0
|
Posted - 2016.03.06 18:06:10 -
[25] - Quote
Miss 'Assassination' Cayman wrote:John FlyingTrucks wrote:Iain Cariaba wrote: You can already see what the link you're clicking on is by hovering over it. The tooltip will display the url for web links. There is a 1 to 2 second delay on those that doesn't fit well with competitive situations. What are these competitive situations? The only thing I can think of is trying to grab a contract before anyone else, and that's just begging to be scammed. Also you can reduce the tooltip delay in the options.
Yes, just so, trying to grab a contract from a known client who advertises their contracts.
Thank you for the pointer to the tooltip delay, I didn't know about that one!
|
MekaJonna
Licence To Kill Mercenary Coalition
6
|
Posted - 2016.04.06 22:51:59 -
[26] - Quote
Holy ****, just found out about this first hand. This should be removed immediately, it's a massive security vulnerability. At a bare minimum there needs to be a yes or no prompt window on this command.
Iain Cariaba wrote: If you take a tiny bit of time to hover on a link before clicking on it, it tells you what the link is. I've never seen a destination posted that was so time critical that you couldn't wait for the pop-up to verify what you're clicking on.
Also, last I checked, spreading malicious code in that manner not only violates the TOS, which will get them banned, but actually violates the law in many countries. Try reporting it when you see it.
This is the stupidest thing I have ever read. Nobody waits for the tool tip to pop up before clicking ****, someone who is going to use this maliciously doesn't give a **** about being 'banned', they'd probably do it on a trial account anyway. I'm not going to go into details here, I'll be submitting a ticket about this right after I post, but leaving this feature in the game runs the risk of infecting every eve pilot.
|
Miss 'Assassination' Cayman
CK-0FF Violence of Action.
66
|
Posted - 2016.04.06 23:20:51 -
[27] - Quote
MekaJonna wrote:Holy ****, just found out about this first hand. This should be removed immediately, it's a massive security vulnerability. At a bare minimum there needs to be a yes or no prompt window on this command. Iain Cariaba wrote: If you take a tiny bit of time to hover on a link before clicking on it, it tells you what the link is. I've never seen a destination posted that was so time critical that you couldn't wait for the pop-up to verify what you're clicking on.
Also, last I checked, spreading malicious code in that manner not only violates the TOS, which will get them banned, but actually violates the law in many countries. Try reporting it when you see it.
This is the stupidest thing I have ever read. Nobody waits for the tool tip to pop up before clicking ****, someone who is going to use this maliciously doesn't give a **** about being 'banned', they'd probably do it on a trial account anyway. I'm not going to go into details here, I'll be submitting a ticket about this right after I post, but leaving this feature in the game runs the risk of infecting every eve pilot. Ok, how exactly does it run the risk of infecting every Eve pilot? First of all, just because you don't take the time to check what you're clicking on doesn't mean nobody else does. Many of us are careful and don't blindly click links. Second, not everyone has a vulnerable web browser that allows all the nasties in. Third, not everyone has a vulnerable computer that lets the web browser do malicious things. Fourth, people run Eve on different operating systems that aren't vulnerable to the same things.
Yes, there is some little bit of added risk, but I don't believe it comes anywhere close to outweighing the usefulness of the feature.
I'm not against adding a prompt though, as long as it has an option to be turned off. There are few things more annoying than looking at a harmless link, knowing exactly what it will do, and still having to ok it.
Also, why should we care if you file a ticket? Was that supposed to be a heads up that another useful feature is about to be thrown away like right click camera panning, pressing tab to roll up windows, or not having to render a resource-intensive station environment we don't care about? |
MekaJonna
Licence To Kill Mercenary Coalition
6
|
Posted - 2016.04.06 23:53:02 -
[28] - Quote
Miss 'Assassination' Cayman wrote: Also, why should we care if you file a ticket? Was that supposed to be a heads up that another useful feature is about to be thrown away like right click camera panning, pressing tab to roll up windows, or not having to render a resource-intensive station environment we don't care about?
As mentioned in my original post, I submitted a ticket with information on how this could infect many pilots. I was not about to put that information in the public domain. |
Aliana Heartborne
Center for Advanced Studies Gallente Federation
13
|
Posted - 2016.04.10 20:35:06 -
[29] - Quote
Add a warning for opening links (with option to turn off) and it's the best feature ever. Hell, most other games with url-completion/opening don't ever warn about opening links in your browser.
This is a great thing, instead of having IGB die to google forms and having mac users crash constantly because of the horribleness of IGB |
Celesae
Clan Shadow Wolf Tactical Narcotics Team
32
|
Posted - 2016.04.16 08:22:52 -
[30] - Quote
Masao Kurata wrote:As far as I can tell, there's no obvious way to exploit this. EVE only attempts to open the link if it is of the form shellexec:http:... or shellexec:https:... , making it as safe as your browser. In contrast, the IGB is obviously and demonstrably insecure, and rooting the computer of anyone who clicks an IGB link to a site hosting exploits for the out of date chrome version used is trivial.
It's possible that I'm missing something of course, but the shellexec links are handled by executing rundll32.exe url.dll,FileProtocolHandler URL . rundll entry points get everything after the function name passed to them as a single string, so executing another local command by manipulation of the URL doesn't seem to be possible, but maybe a buffer overflow could be triggered in url.dll's FileProtocolHandler or (more likely) in EVE. A brief investigation didn't reveal any such vulnerabilities, so I'm inclined to say this is vastly more secure than the IGB.
No. This opens up a HUGE list of exploits and vulnerabilities.
Google "Drive by download attacks", things like the Angler Exploit Kit.
This is a huge security risk, and CCP has no business allowing user browsers to be hijacked by other users in that fashion. Yes, yes, read links before you click - but mistakes can be made. This is terrible security practice. |