‘Coding Error’ Caused Uplay Exploit

By Alec Meer on July 31st, 2012 at 2:00 pm.

STARING EYE

I doubt we’ll be hearing too much more about yesterday’s Uplay drama, given the security hole appears to have been safely plugged before any malevolent souls could take advantage of it. Ubisoft have passed further comment on the issue as they saw it, however, claiming an exploit that allowed a vast amount of access to Uplay users’ PCs was the result of a “coding error” and that their online infrastructure/shop/DRM did not include a rootkit.

“The Uplay application has never included a rootkit,” a spokeshuman told Kotaku. “The issue was from a browser plug-in that Uplay PC utilizes which suffered from a coding error that allowed unintended access to systems usually used by Ubisoft PC game developers to make their games.”

Why was the browser plugin there, on top of Uplay itself? Why are we not made aware of it and given the choice to refuse it when Uplay is installed?

Added Ubisoft, “The browser plugin that we used to launch the application through Uplay was able to take command line arguments that developers used to launch their games while they’re being made. This weakness could allow the application to specify any executable to run, rather than just a game. This means it was possible to launch another program on the machine.”

Why did such a severe error slip through? If a company is going to make such great efforts to include online functionality, shouldn’t the protection of their customers be of at least as much importance as the protection of their copyrighted products? I know programming errors are essentially inevitable, but this was a huge thing to miss. And it wouldn’t have been there at all if there wasn’t a silently-installed browser plugin.

While there’s still no sign of an apology for leaving so many of their customers vulnerable to attack as a result of this sloppiness, Ubisoft point out that they fixed the patch quickly – apparently a working build was in testing some 90 minutes after they heard about the exploit, and went live around eight hours later. That is pretty quick, but I don’t grasp why they didn’t warn their customers to disable Uplay in the meantime. Hackers can work fast too, y’know?

Kotaku also claim, in the medium of reported speech, that Ubisoft said the exploit ‘was not tied to’ its notorious DRM. Hmm. That’s probably true – it’s part of the whole Uplay infrastructure (i.e. DLC sales, achievements, social networky stuff) rather than the DRM specifically. But again, why was the browser plugin needed at all, in addition to the Uplay app? I will send an e-card to the first person that can convincingly explain this to me.

, , .

52 Comments »

  1. Torn says:

    Pretty inexcusable.

    ‘Penenetration Tests’ and security / code audits are standard in serious software houses… it’s clear Ubisoft did nothing of the sort.

    Why companies don’t pay the proper attention to security in this day and age is beyond me.

    • wu wei says:

      Because they don’t care. This isn’t going to really cost Ubisoft in any way, unfortunately.

      • Tacroy says:

        What we really need is some government agency with the power to levy fines for ridiculous security missteps like this one. I mean, in the USA, the FCC can fine a tv station nearly half a million dollars for an “indecency violation”, while something that actually matters like a giant, intentional security flaw doesn’t even get a slap on the wrist.

        • Enikuo says:

          Just an FYI, that fine was overturned. The last 1/4 of the “Legal actions” section explains it being overturned.

    • Beartastic says:

      Are you serious? Yes, these tests are standard in some software houses. And they fail extremely regularly.

      Ubisoft has made a mistake and they acknowledged it and patched it immediately. Even a full company-wide software audit might have missed this.

      Compare and contrast this with RapidShare who tag themselves as “secure data logistics” but still send out user passwords over email and have ignored suggestions that they stop doing it.

      Shit sucks and often continues to suck until it gets pointed out. I guarantee you that this is not the only time a game has installed a rootkit – it’s just one of the times someone found it.

      • Torn says:

        Are you serious? Yes, these tests are standard in some software houses. And they fail extremely regularly.

        Yes, I am serious. If those tests fail, then the product doesn’t pass and shouldn’t get shipped until the security holes are fixed and the whole thing is re-tested.

        Ubisoft should have security testing / penetration testing procedures in place, which would have picked something this obvious up straight away. They clearly don’t.

        I’m not sure why you’re bringing up Rapidshare here – yes, passwords in plain text are bad. So is shipping code that lets websites execute arbitrary commands. Just because other sites take don’t take security seriously isn’t an excuse.

        • Premium User Badge

          FriendlyFire says:

          Fail as in fail to detect a problem. If a test existed to catch all possible bugs, you can bet companies would use it.

          • Enikuo says:

            This isn’t a convergence of code interactions causing a “bug” – the plugin was designed to allow remote access. So, there should have been a test created for the feature that included acceptance criteria requiring access to be restricted. You don’t need magic QA tests to catch everything. Specific testing is done for specific features. This mistake was just sloppy work.

            *Edited for wordiness.

          • Premium User Badge

            Devan says:

            Nobody’s perfect, but this kind of issue is unacceptable and I would call it negligence. Here’s why: The potential security concerns introduced by this plugin would be obvious at design time, as well as during implementation and not just in testing.

            There are two possible courses that could have lead to this flaw: Either security features were simply never implemented for the plugin or they were but they just didn’t work right. If they were never implemented then that’s negligence on the part of the designer and/or programmer in charge or the plugin. If they were implemented then just like every other feature they need to be part of a test plan that gets run before shipping. Whether they weren’t part of the test plan or if they were but QA simply didn’t test it properly, someone was negligent and didn’t do his job.

            As a software engineer in the games industry I know how often “coding errors” happen; that’s why there’s procedures in place to prevent serious issues from going undetected. Entertainment software gets a lot of slack because bugs won’t cause life-or-death issues (unlike, say, military or airport software). But user security and privacy are very serious concerns as well and saying “coding error” or “QA didn’t catch it” is simply no excuse.

      • Baines says:

        Ubisoft arguably hasn’t acknowledged their mistake.

        They’ve described it as fixing a “flaw,” where other people and companies would describe it more like fixing an exploit that allowed others to run malicious code on your PC without your permission. (Just look at the text for any Windows update. Microsoft doesn’t mind using the word “malicious”.) Ubisoft has downplayed the degree of issue that was present, and also avoids drawing attention to what they themselves were able to do to a person’s PC (and which they gave themselves the ability to do without letting end users know).

      • jalf says:

        Something like this could be caught in 5 minutes by anyone doing a quick code review. It is not something that can excusably “slip past”.

        It is goddamn security 101 (which explains why Ubisoft failed to handle it: very few games companies give a hoot about security. It’s just not in their vocabulary, it’s not something they think about, and not something they worry about. At all).

        But really, yes, there are a lot of incompetent programmers out there, who do ridicously bad and stupid things because of their incompetence, and because they can get away with it.

        That is no excuse for something like this.

        Where I work, we would have done one very simple test, which would have caught it:

        My boss would have asked the guy who implemented it: “so, have you thought about how this can be abused?”

        Sure, we’d probably have caught it in later, more serious, testing later as well. But really, all it’d have taken is that someone went “oh, we’re writing a browser plugin which lets us remotely launch applications on the user’s PC? Convince me that this can’t be abused.”

        This is not a bug. It’s not someone making a mistake so that the program does something it was not supposed to.

        With something like this, you could ask the programmer who wrote it, “so, would this let me start any arbitrary program on your PC?”, and he’d have said “yes”, without even needing to look at the code. Because he wrote it to do precisely that. Its capability to start any arbitrary program on your PC is not a bug, not a mistake, it is exactly how the software was designed. He probably didn’t do it with malicious intent, and he clearly didn’t think about the consequences of this design. But he designed it to do exactly this, and it functioned exactly as intended.

        This is not a bug. It is sheer stupidity and incompetence.

      • psyk says:

        “Compare and contrast this with RapidShare who tag themselves as “secure data logistics” but still send out user passwords over email and have ignored suggestions that they stop doing it.”

        Whoa swerving a bit off topic there ;)

    • Kaira- says:

      Consumer software and security don’t go hand in hand. Unfortunately.

    • randomgamer342 says:

      It’s because it’s not a “coding error” as much as it is “coding retardation”

      From the sound of it, it’s not really a exploit, they just didn’t bother adding checks to see if someone misused the plugin. That’s the kind of thing any programmer should know to do.

      They didn’t do security checks like the ones you mention because they didn’t bother doing anything more for the plugin than “if something tells uplay to launch this, launch this”

      The fact that someone didn’t find out earlier is amazing.

      The people i’ve seen defending ubi have a serious case of Stockholm Syndrome and don’t really understand what a “coding error” is

    • Rob Lang says:

      As a business to business software provider, we get Pen tested 4 or 5 times a month by 3rd parties hired by our clients to ensure that we are secure. Our system complains like it’s a DDOS attack but it does make sure that with every release we’ve not introduced new vulnerabilities.

      If our clients didn’t do it, we would. We would lose all our business if we were negligent. Fortunately, security is pretty easy for us to do because we have a mature web stack, we’re not trying to install anything anywhere. I imagine the complexity of installed apps is far greater – which would make Pen tests all the more important.

      Finally, you don’t release development tools. Level builders aren’t really Dev tools (although they are powerful), Dev tools tend to be powerful apps you use to help you work with the software during its creation and testing. Never let those out.

    • Insurgence says:

      You will probably find that Ubisoft and a lot of game companies do not do serious security tests if they do any at all. In many cases meeting the deadline will trump fixing security flaws, while at the same time doing a security test on games and finding a flaw acknowledges the existence of said flaw. Better to play dumb than to actually find something worth fixing.

      As for the reason for the plugin, I bet it was so that the CEO to send nude picks of himself to customers that got enough achievement points.

  2. Cinnamon says:

    I say it was a management error for making deciding that they need to make software that silently takes so much control over their user’s system. I’m just glad that I remembered not to buy any Ubi games in the steam sales even though some were tempting.

    • Optimaximal says:

      It doesn’t explicitly ‘take over’ anything. It just ‘allowed arbitrary execution of code’, which translates as ‘potentially let someone else execute something’.

      It’s a big security hole that they’ve acknowledged and (attempted to) patch. Move on.

      • LintMan says:

        It’s a big security hole that was added to people’s systems without their knowledge or consent, and apparently not even necessary to play the game. And the fix arrived without any sort of apology or promise to do better. Putting out a quick fix doesn’t make any of that “right”.

        They deserve all the crap they’re getting and more.

      • jalf says:

        Oh, so it’s okay to sell a product with huge, gaping flaws which doesn’t live up to even the most rudimentary requirements, *as long as you acknowledge it once it blows up in your face*? That’s nice.

        I’ll brb, I’m going to go build a few cars where the brakes don’t work and the engine spontaneously catches fire. After all, it’s no problem until they get people killed. And then I just have to acknowledge that it was “an error”, and that I’ll attempt to fix it.

        It’s a big security hole which can only occur if you are:

        1. incompetent, and
        2. do not give a fuck about your users, and
        3. do not care the least about the quality of your product.

        Really, all three conditions have to be fulfilled for a flaw like this to even exist.

        And you say that it’s ok, as long as they “acknowledge it”?

        No… No, not really.

    • Cinnamon says:

      I said that it silently takes control that it doesn’t need not that it “takes over” their systems. I will “move on” when Ubisoft makes it really clear that they are a company that cares about their PC customers.

  3. aliksy says:

    My made up guess is that the plug in exists because they believe users are too stupid/inexperienced to do things like “Launch the game” or “Run it with this command line argument”. But that’s not based on anything in particular.

    • Torn says:

      The browser plugin was there, surely, to be able to launch uplay games directly from the browser. They just made it more open than it needed to be.

      Why they didn’t just go with a “uplay://” browser protocol like the Steam one (https://developer.valvesoftware.com/wiki/Steam_browser_protocol) is beyond me.

    • wererogue says:

      It seems to me like it’s the same mentality where Skype make a plugin that lets you click phone numbers, or like the Steam protocol, as mentioned elsewhere. Just… done badly. And then herp derp released with debug features enabled.

  4. Premium User Badge

    Mungrul says:

    The point still stands however that Uplay is installing a browser plugin without asking the user if it’s okay to do so.
    Even if they’ve fixed the hole, software is still being installed without the user’s permission.

    • The First Door says:

      That is more or less the point. I had no idea that Ubisoft has installed any browser plug ins and I’m sure I’m not in the minority. The press statements are being very careful to utterly ignore the main point and try to answer a different question to the one being asked.

      I say we send Paxman after them. “Did you threaten to install a browser plug in?”

    • Cooper says:

      This remains the most slaient point.

      I would have already uninstalled (or not installed to begin with) this non-vital plugin had I been aware of it…

  5. D3xter says:

    I think it’s worth noting that their Update apparently only works right if people update while their Browsers are turned off, if they leave their Browsers on during the updating process the exploit supposedly still works.

  6. CameO73 says:

    Really? This is the explanation we’re getting? A “weakness” that nobody thought could be problematic?

    I’m sorry, but this was a huge oversight. As mentioned before, they silently installed a plugin that allowed any website to run any program they wanted.

    The purpose of this plugin is still unclear to me. And their fix is a bit iffy … it now only allows websites to run UPlay. Why I would want to have the ability to start UPlay through my browser is still unclear. That’s why I’m keeping that plugin disabled.

  7. Milky1985 says:

    Somethings still not right there

    “The issue was from a browser plug-in that Uplay PC utilizes which suffered from a coding error that allowed unintended access to systems usually used by Ubisoft PC game developers to make their games.”

    As alec said, why the hell is it there? Where did we give you permission to install it (anyone checked the EULA?). Theres no reason for it. But theres a second thing there, why would develoeprs need to use a browser to access things on their own pc, when they can just as well do it though, i don’t know, the keyboard and mouse attached to the pc?

    “Added Ubisoft, “The browser plugin that we used to launch the application through Uplay was able to take command line arguments that developers used to launch their games while they’re being made. This weakness could allow the application to specify any executable to run, rather than just a game. This means it was possible to launch another program on the machine.””

    Again why did developers need this? Shurly they will ahve in house tools that emulate this without it needing to be in the system itself. But also how have you patched it, does it still have the ability to launch programs on the machine, if so its still a secerity hole, it just needs another exploit to be useful (one that i dunno, lets you copy something to the location of the assassins creed 2 exe file :P)

    Only reason i can see for the plugin being there is for launching games from a site the same way BF3 does it (which was an awful idea then and still is now), but afaik ubisoft don’t do this.

    • HothMonster says:

      The Terms of Use, Legal Info and Privacy Policy links are all down on the uplay site, have been since at least yesterday because I too would like to know if I agreed to this.

    • LintMan says:

      Yes, exactly. Their explanation is all about how the developers needed this stuff for development. So why the hell is it being installed as part of the customer release? Why did they patch it instead of just removing it?

      For those not famliar with software development: programmers frequently need to put special code in their software and make special tools to help them create and debug their software. But it is trivially easy for developers to make sure that development-specific stuff is excluded from the released software the customer receives.

  8. rocketman71 says:

    Nope. It was a ‘brain error’.

    Edit: and STILL no apology. That’s class.

    • dE says:

      Well, an apology could be ùnderstood as an admission of guilt. Which it kinda is. Alas, I’ll let your imagination run wild with what lawyers could do with a public admission of guilt.

  9. DodgyG33za says:

    “before any malevolent souls could take advantage of it”

    And you know this how exactly? Anyone installing Malware through this exploit may well be using one with a new signature, so it won’t show up yet.

    Ubisoft won’t be getting any more of my hard earned. Nor will anyone else that doesn’t support my electronic delivery channel of choice and insists that I sign up for their their ridiculous gaming accounts.

    • Vorphalack says:

      I was willing to cut Ubi a small break after they put a functional offline mode into Heroes 6, but I think this mess evaporated all the good will I had reserved for them. No more Ubi games.

  10. Optimaximal says:

    I guess the other question to ask is does EA explicitly state how Battlefield 3′s Web-based Battlelog works? Is that a browser plugin (and is it sold as such) or is it a file handler?

    I don’t want to defend the company, but Ubisoft are setting Uplay 2 up as a web-based app launcher alongside the software version, allowing you to launch games directly from their website, which has a similar social aspect as http://www.xbox.com. It doesn’t work directly with the Steam versions, hence why the application still exists.

    It’s a bad security error (and yes, a ‘sorry’ would help) but hounding them, demanding to know why there’s a browser plugin when it’s pretty obvious why is just flogging the dead horse.

    • jalf says:

      If you are not qualified to make a “web-based app launcher”, then you have no business building a web-based app launcher, and *especially* no business installing it on your customers’ PC’s.

      This is a horse that deserves to be flogged, because of how grossly irresponsible it is.

      This is one horse I never want to see rise again.

      I guess the other question to ask is does EA explicitly state how Battlefield 3′s Web-based Battlelog works? Is that a browser plugin (and is it sold as such) or is it a file handler?

      Why, exactly, is that “the other question to ask”? Shouldn’t “the other question to ask” be whether BF3′s Battlelog allows something similar?

      Unless you have evidence to the contrary, EA has nothing to do with this, and trying to somehow, absurdly, deflect blame onto them, or imply that “what Ubisoft did is nothing special, I bet others do it too” is the worst kind of bullshit.

      If you don’t want to defend the company, then don’t. They fucked up, and they deserve to be criticised for it. Oh, and they’re grown-ups, they don’t need you to protect them.

      If you can show us that EA or xbox.com or any other games company has similar vulnerablities, *then* it’s interesting. But really, saying “I wonder if EA does the same” is just bullshit, trying to make EA look bad, and deflect attention from those who *actually* fucked up.

  11. Vinraith says:

    I’d still like to know why Uplay installed plugins to my browser without consent or notification.

    • LionsPhil says:

      without consent or notification

      Read the EULA in full, did you? ;)

      I mean, ethically, sure. Wouldn’t be surprised if pedantically the bastards did hide wording which indirectly addresses it in there.

      • Vinraith says:

        Yup, I’m talking ethically here. Hiding it in a 30-page long deliberately opaque legalese document doesn’t count, IMO. You ask me before installing browser plugins or you’re no better than malware.

  12. Enikuo says:

    Given their dismissive explanation and lack of apology I don’t think they can’t be trusted. They’re sloppy, their software is a security risk, and they simply don’t care.

  13. Desmolas says:

    I don’t understand. If their Uplay browser plugin was a development tool then why in the actual hells is it of any consequence to the consumer? I could have personally patched and shipped said patch in 5 minutes flat. The patch would have consisted of uninstalling the damn thing altogether.

    But no, now I have to go through all my browsers and disable the plugin manually for each because I cant trust Ubisofts competency.

  14. Premium User Badge

    sonofsanta says:

    But why was the browser plugin needed at all, in addition to the Uplay app? I will send an e-card to the first person that can convincingly explain this to me.

    Because companies always want as much power, control and information as they think they can get away with taking just in case they think it might prove useful later. Don’t think of it as “why do they need this?” because they’re thinking of it as “why shouldn’t we have this?”

    (the answer, of course, is attack vectors, but obviously that’s not a concern to them)

    • Premium User Badge

      Devan says:

      That’s a pretty solid explanation actually. I think Alec owes someone an e-card :)

  15. Premium User Badge

    jrodman says:

    Their statement about what the plugin was for doesn’t even make any sense. How would it ever be useful at all?

  16. AlexV says:

    It’s not a coding error. A coding error is when it doesn’t do what it’s supposed to, because you screwed up the coding.

    This plugin *was* doing what it was supposed to, namely allowing web pages to launch executables (intended for the use of Ubi pages to launch UPlay games), it’s just that what it was supposed to do is gobsmackingly jaw-droppingly stupid. This is a *design* error, not a coding error. It was designed to do something stupid, and does that perfectly well: the code is sound.

    In analogy, it’s not the equivalent of some typos or bad editing, it’s a fundamentally bad bit of software that is foisted on you without your knowledge or consent.

    • LintMan says:

      Definitely seems like a major design failure to me (ie: it didn’t even occur to them that this might be a security hole), rather than a coding bug.

  17. SkittleDiddler says:

    Ubisoft would be best off just getting rid of the plugin entirely. They’re obviously not going to do that because they are run by idiots with horrible business sense.

  18. captain nemo says:

    Ubisoft NEVER apologise