Arcade Crashers are back

It could definitely be fixed on Bliz’s side.

I know nothing about how the client/service is coded underneath, however, on the surface, the problem seems to be what the SC2 client allows in its text fields and what it’s allowed to do with it. If text fields, like map names and map reviews, allow and execute a communication/data transfer protocol, then that opens the door to exploitation.

Although it may remove some QoL features, recoding the client and/or service to prevent code execution in those fields would prevent the current issue from continuing. That, or allow the code, but limit what can be executed, similarly to how these forums do.

WebDAV isn’t the issue; it’s a matter of what it’s used for, just like any communication/data transfer protocol. Just about any protocol that moves data between remote sites could be exploited under the right circumstances. For example, even without WebDAV HTML extensions, HTML alone can be exploited if security measures are compromised (or more likely, users are caught off guard).

4 Likes

That is so stupid. Get 3 others to join you and make it Class Action. Need to think big.

Appears to be happening again as I write this. I just found out about this today when I went to go play. I do have to agree that on the surface this appears to be an extremely simple fix. Why they don’t fix it baffles me. I get the effort behind testing/validating a patch, but they’ve had time to do that.

Going to submit this to a few big news sites. Blizz/Microsoft needs to get moving on this.

Hey all,

It does look like it’s started back up again. I see 4 lobbies using an exploited map.

Hopefully with it being the weekend, Bliz is paying at least some attention.

2 Likes

Leviathan, thanks for all your hard work!

Wouldn’t Blizzard have the IP or info on whoever is doing this? ’Cause to upload a map in arcade/the editor, don’t you need to at least purchase a co-op commander?

There’s no one at all at Bliz who works on SC2. Meaning there’s no team/individual to call up and have them sit down and recode the client. The only way to get anything done is to pull from other depts off their assignments, but unfortunately those assignments also have their own level of priority as well. It’s just a matter of who wins the priority battle.

:slight_smile:

Having an IP wouldn’t stop this due to DHCP, VPNs, IP spoofing and any other ways to change IP.

There’s no requirement to use the Arcade. It’s completely f2p.

1 Like

PracticeX made this new map. One of the lobby names is “We’re so back, bros!” This leads me to believe the last group is responsible this time (I used the sc2arcade website to see this).

Geez, how pathetic do you have to be to do this?

2 Likes

This has been going on for several weeks now.

Activision Blizzard is incapable of applying a hotfix for this issue?

I guess sc2 isn’t bringing any revenue for them to designate a developer to spend a few hours on fixing the issue. Instead, they will let this abuse carry on and subsequently destroy the sc2 player count in the process, which will give them justification to turn off the servers and save some more money.

I have worked for a AAA company and it has been done. Anyone can jump into another game if assigned to work on something, fix or test something, in this case to do what has to be done again to stop the crashes. I.e. there is no ‘I do not work on this game, I am not supposed to do anything.’ It could be a daily task if assigned.

It’s not likely a matter of anyone refusing, or the concept of jumping depts not existing. It’s admin deciding how to address it, deciding if and when to make the assignments.

There’s a group of cyber criminals that ransacked blizzard’s code for vulnerabilities in order to cause misery for Blizzard’s clients and customers via disabling their computers and forcing us to reboot, many of us losing precious work in Excel, Word or MikTeX in the process, since there is no other way to restore functionality to our computers.

Unfortunately, Blizzard thinks it’s funny and just some “internet troll,” since they already got our money for the game. So instead of giving us the identities of the cyber criminals disabling our computers, allowing us to sue the criminal in civil court for attacking our computers, they instead turn a blind eye, which only encourages more attacks against Blizzard’s own clients.

A legal ***tstorm is coming, for both Blizzard and these cyber criminals, mark my word.

lmao seeking legal action because the game went down due to bad maps, yeah I’m sure all the lawyers will be jumping to take that case.

2 Likes

No lawyer would take this “case”. There’s literally nothing in it.

2 Likes

Any legal action that might be taken is a C&D order. Basement dweller would then C&D. That’s it. No one’s going to take legal action against some moneyless dweeb.

3 Likes

You don’t need a lawyer, you sue pro se in a small claims court for $1. Make his life miserable.

And clients and customers do have the right to know the names of the attackers. So that’s a whole other thing; we’ll see if I get the name in the certified return receipt mail.

It appears their method has changed, as they are currently at it again but the maps being hosted are no longer showing the broken image URLs. They are listed as:

“Unknown 357838”
“Unknown 357839”
“Unknown 357841”
“Unknown 357840”

So could you explain why this guy has accounts that have published and hosted these maps 13 days ago and still isn’t banned?

I understand that you are trying your best against this but it seems like you are the only one. We have already lost multiple map makers to this that won’t come back and we are only going to lose more.

What’s to stop him from making a new free account and doing the same thing?

It doesn’t matter if you ban the author(s); the vulnerability has to be fixed, plain and simple. It’s been discussed in multiple threads on various sub-forums here in detail for the past 2 weeks.