Official Hub 3.1.0 node-ipc incident

Discussion in 'Announcements' started by LeonhardP, Mar 18, 2022.

  1. LeonhardP

    LeonhardP

    Unity Technologies

    Joined:
    Jul 4, 2016
    Posts:
    3,132
    Dear all,

    This week's release of Unity Hub 3.1.0 included an update to a compromised version of the node-ipc library, an open source package that is used by the Hub. This resulted in the generation of an empty .txt file on the desktop of users who upgraded to Hub 3.1.0. Our initial investigation did not reveal any further additions of unwanted code or other unexpected behavior. While there do appear to be recent changes to the node-ipc library that include malicious code, those were not included in our Hub 3.1.0 update. Although we have eliminated the root cause that led to this incident, we are committed to improving our internal QA processes to prevent future problems in Unity Hub. A hotfix was released four hours after the incident was discovered with Hub 3.1.1 and we plan to update you on the status of our audit as soon as possible. The security and any perceived vulnerabilities in Unity software remain our top concern.
     
    Last edited by a moderator: Mar 18, 2022
    ROBYER1, NotaNaN, AcidArrow and 16 others like this.
  2. rz_0lento

    rz_0lento

    Joined:
    Oct 8, 2013
    Posts:
    2,361
@LeonhardP Why is this announced on forums only? Surely there should be some note that can reach all Hub users; not all users read these forum announcements actively. I can imagine people freaking out if they saw that TXT and didn't know where it came from.
     
    Last edited: Mar 19, 2022
  3. mohamedelzayatmop

    mohamedelzayatmop

    Joined:
    Aug 28, 2020
    Posts:
    2
I don't know how this is not malicious? Or am I looking at the wrong place?
Edit 1:
I meant, it's overriding people's files with heart emojis.
Edit 2:
Apparently I'm still quite nervous and reread the paragraph; I just noticed that the latest code changes with the emojis feature didn't make it to the HUB ...
     
    Last edited: Mar 18, 2022
  4. mischa2k

    mischa2k

    Joined:
    Sep 4, 2015
    Posts:
    4,347
    Are there any considerations to make Hub a little more user friendly here, perhaps even open source it considering this news?

    There seem to be issues on a daily basis at the moment.
    • Force expiry of licenses in Taiwan because it's considered China(?) [0]
      • Including restricting offline usage for > 3 days (according to support)
    • Super slow startup, sometimes the screen stays all gray [1]
      • Which seems to require a complete machine restart.
    • Sometimes crashes after leaving it running for more than a day. [2]
    • UI is extremely unresponsive. About 1 second latency on apple silicon.
    • Sometimes logs you out of the Hub, needing to restart.
    • Unity installs / downloads sometimes fail for weird reasons.
    • Security breaches as mentioned above.
• Editor sometimes can't connect to package manager / Asset Store tools because of being logged out. Requires Editor & Hub restart.
    • Unity.Licensing.Client sometimes keeps running after closing the Hub [3]
    Hub would be super useful if it leaned more towards helping the user, instead of restricting the user :)

[0] 2022-03-19_13-13-09@2x.png (screenshot attachment)

[1] 2022-03-19_12-49-53@2x.png (screenshot attachment)

[2]

[3] 2022-03-19_13-17-45@2x.png (screenshot attachment)
     
    Last edited: Mar 19, 2022
  5. YWainczak

    YWainczak

    Joined:
    Oct 1, 2014
    Posts:
    2
    When can we expect the results of the audit? Having it done would sure ease a lot of minds, including my own.
     
    ROBYER1 likes this.
  6. MCoburn

    MCoburn

    Joined:
    Feb 27, 2014
    Posts:
    71
    It's a shame that a developer of a node module decides to include a destructive payload that could potentially cripple not only indie developers but professional studios too.

    On the point of the idea of the open source Unity Hub:

An open source version of the Unity Hub would probably go a long way, even if some of the features were disabled/removed that would require access to black-box/closed source functions (i.e. internal Unity APIs that are off-limits). It would also allow developers to fix bugs that the Hub may exhibit and/or patch security threats, which Unity Tech themselves could then merge into their own closed-source version.
     
    vriog likes this.
  7. rz_0lento

    rz_0lento

    Joined:
    Oct 8, 2013
    Posts:
    2,361
Bigger issue on the Hub is that we as users don't have control over its updates; right now Hub 3 automatically downloads and installs Hub updates that go live next time we open Hub. It's a big security threat that's very real, considering that the node-ipc change actually slipped through them.

There's no real trust here that something worse couldn't happen soon, since we all know how slowly Unity operates and reacts for bigger changes and at the same time Hub keeps installing things on its own to our computers.

Afaik the node-ipc library update that contained malicious code was a quite recent change for that library, and it propagated from that library change to the Hub release on our computers at a speed that I would not have assumed possible. This suggests Hub final releases don't get a very extensive testing period at Unity's end.
     
  8. MCoburn

    MCoburn

    Joined:
    Feb 27, 2014
    Posts:
    71
    This.

This is one example of why "newer is not always better" - sure, I can understand Unity Tech's desire to keep people up to date with the Unity Hub, but this behaviour should definitely be opt-in. Automatically (silently in some cases) updating things can lead to screw ups, and like this one, if the payload was worse than it is already, the Unity Hub could have done some serious damage.

    Hopefully Unity Tech has learnt a lesson from this issue, and will incorporate measures to avoid similar ones in the future. The end developer should have the power to say "No, I will update when I want to" and avoid issues like these.
     
    chadfranklin47, SpockBauru and Arkade like this.
  9. rz_0lento

    rz_0lento

    Joined:
    Oct 8, 2013
    Posts:
    2,361
    SpockBauru likes this.
  10. D-XII

    D-XII

    Joined:
    Jul 11, 2019
    Posts:
    5
    I freaked out when I saw a text file FROM-AMERICA-WITH-LOVE.txt on my desktop. I thought I had malware so I scanned my PC but came up with nothing. I had updated the hub before that and didn't notice it then, didn't think it would have come from something like Unity. That's crazy.
     
  11. rz_0lento

    rz_0lento

    Joined:
    Oct 8, 2013
    Posts:
    2,361
    Also think of the following for a moment:
- Unity does a really poor job at communicating this security threat
- People get pissed off about this and block future Hub updates
- Unity can't silently patch out future discovered security threats anymore since people have blocked the updates.

Instead, in an ideal situation Unity Hub would inform users there's an update available and clearly indicate what it fixes so people can make educated decisions whether they need to update or not. The only exception to this could be if there's a clear security issue with the currently deployed version, but even then I feel it should be left up to the user to decide if they want to update; just pop up a message box explaining why it's urgent etc.
     
  12. Lethn

    Lethn

    Joined:
    May 18, 2015
    Posts:
    1,583
Being open and honest about this is the best way to deal with it. I had to be told about this before I even realised it was a thing because I've been busy with RL stuff. The Unity staff have kind of dropped the ball on this and I know it took people by surprise, but you really need to make sure people know what's going on when so many are using your software; the staff aren't usually this bad with communication and patches.
     
  13. Noisecrime

    Noisecrime

    Joined:
    Apr 7, 2010
    Posts:
    2,051
Well this just goes from bad to worse - having been aware of this issue over the last few days and making various posts in the threads about it, this morning I discover to my horror that the Unity Hub has auto-downloaded the 3.1.1 update and will AUTOMATICALLY install it the next time it's restarted!

This is annoying on many levels, not least as I had wondered about how the Hub updated, as I could find no user settings to opt in or out beyond the production vs beta channels. I guess I know the answer now: Unity doesn't believe in giving its customers the option (beyond registry hacks? which is also too late for me now). Instead they just automatically download and install and provide probably the most effective security threat to my PC that I've seen in decades!

What really pisses me off about this is that this update is either an amazing coincidence or Unity have decided to push this out to everyone to try and cover any existing issues or threats (known or not) within third party code used by the hub. Perhaps they are trying to reach people who may have updated to 3.1.0 and not know there is an issue, though there really should have been an additional announcement as to the reason for doing this.

Firstly, if this was a coincidence, what the HELL is Unity doing allowing auto-updates to the Hub whilst they are supposedly meant to be performing a full audit of all third party code? The auto-update should have been disabled immediately when the initial event occurred and should not have been re-instated (for everyone) before providing the necessary reassurances and documentation to customers that the Hub is guaranteed to be safe.

If it's the latter then again, what the HELL is Unity doing allowing auto-updates to the Hub whilst they are supposedly meant to be performing a full audit of all third party code? I simply don't believe they were able to perform such an audit in two days or less!


    In the end all of this frustration goes back to the same two issues

- Why didn't Unity provide a user setting to opt in or out of auto-updates for the Hub?
- Lack of transparency and dialogue with the community/customers.


For example there may be a very good reason to force users with older hub versions (e.g. 3.0.1) to 3.1.1, but without any information from Unity as to why, I really dislike being pushed to the most current version when a serious threat was found in the previous version (3.1.0) and there has been little time to audit the current version for any other issues.


Seriously considering uninstalling the Hub, but at this point I'm not sure if that's even possible anymore? I know with it installed, launching any editor will simply open the Hub, and with the 3.0.1 release licensing completely breaks any time my machine goes to sleep and I have to go through the hub to get any editor to sign into my Unity account.
     
    Last edited: Mar 19, 2022
  14. SpockBauru

    SpockBauru

    Joined:
    Apr 12, 2021
    Posts:
    23
Can't talk about the Taiwan bug since I'm (almost) on the other side of the world, but I had every single bug reported here, plus the bug that prevents making new projects with Unity 2019.1, which is marked as fixed but IS NOT FIXED AT ALL!
    https://issuetracker.unity3d.com/is...reating-a-new-project-with-2d-or-3d-templates

    Also I dislike the new dark theme.

    Please, make the updates optional!
     
    mischa2k likes this.
  15. Lethn

    Lethn

    Joined:
    May 18, 2015
    Posts:
    1,583
This also proves what many people feared when auto-updates were first introduced as mandatory across various software and even with Windows. All it's going to take is for one rogue employee with access to the servers and they'll very easily be able to cause a catastrophe. Will this blatant security flaw make companies rethink their attitude towards auto-updates in general? I have my doubts, precisely because sometimes people seem to have a duck and cover attitude towards justifiable outrage.

    At this rate, I'm going to end up being forced to Linux and I'll be better off re-writing the code I have so far for Godot if companies won't honestly address this problem because there's no way in hell I'm leaving my own PC and really my life's work exposed to such a blatant security flaw. It's a shame, because I really like using Unity and I like the general workflow in spite of everything, but what other option is there?
     
    Moonjump and oAzuehT like this.
  16. BaKsPlayer

    BaKsPlayer

    Joined:
    Dec 15, 2019
    Posts:
    1
    I'm completely confused, can I upgrade Unity Hub to version 3.1.1 now, or will the integrity of my data be compromised?
     
  17. Lethn

    Lethn

    Joined:
    May 18, 2015
    Posts:
    1,583
    It's still up in the air right now, I'd hold off, they do seem to have caught it but this is precisely why communication is important even if it's just "We've stopped it from infecting our side of things so there's nothing to worry about".
     
  18. Mauri

    Mauri

    Joined:
    Dec 9, 2010
    Posts:
    2,663
The code that replaced stuff with heart emojis did not land in that Hub version. The one that just creates an empty .txt file on your desktop did. While it's a nuisance, it's harmless.

They fixed this issue in 3.1.1, so yes, you should update to be safe.
     
    Last edited: Mar 19, 2022
  19. Lethn

    Lethn

    Joined:
    May 18, 2015
    Posts:
    1,583
Against my better judgement I ran Unity hub and it installed the update automatically; I haven't spotted anything nefarious as of yet. The Unity staff absolutely need to let you have the option to disable updates. If you did this then somebody trying to tamper with the code wouldn't be a problem. I really don't see how this could be controversial to implement unless the Unity staff themselves are up to something. You let people have their own version of unity installed without forcing them to update, so why can't Unity hub operate the same way at people's own risk? We know software and how to deal with it, just put up a pop up message stating that and be done with it.
     
    Moonjump likes this.
  20. hecker_de

    hecker_de

    Joined:
    Mar 28, 2021
    Posts:
    19
    I can see how Unity want users of the Hub to be current with it since it's the gateway to login to your account and the licensing system for the Editor (even though the login process itself is what I consider rather convoluted and questionable, when it makes a request to some API through the web browser).
    Nonetheless it would be better to prompt the user about it, much the same as the editor informs about new updates being released.

As for automatic updates, well at least I don't have *that* issue, for I'm running on Ubuntu and updates go through its packaging system (although there is still something called "unattended updates" which can run to install important security upgrades without waiting until I authorize it, which is what leads to the dreaded Firefox tabs that happily tell me that I can't open a link for there was an update in the background and I need to restart Firefox first. The least this does is severely interrupt whatever I was currently doing. I hate that!)

    (With the Unity Hub unlike with Firefox, at least the interactions are usually short and not very often. Just clicking on a project to open it in the Editor, or create a new project. Sometimes installing new Unity versions (or removing outdated ones), and selecting a different version of the editor to use for a project in order to update it...)
     
  21. Moonjump

    Moonjump

    Joined:
    Apr 15, 2010
    Posts:
    2,572
    As someone who has been complaining on the forums about forced updates, I am not surprised by this. And it will happen again and again until it is changed.

    Game developers do not update software near the end of a project unless there is an important fix. Unity breaks this totally with the Hub.
     
    SpockBauru and Lethn like this.
  22. Lethn

    Lethn

    Joined:
    May 18, 2015
    Posts:
    1,583
    I think we do need to put pressure on them over this issue, I can't see myself using Unity in the future for new projects if they're insistent on it, literally all they need to do is make the updates optional and then it will be fine.
     
  23. Deleted User

    Deleted User

    Guest

Good job Unity! As always... late.
     
  24. M-Woods

    M-Woods

    Joined:
    Oct 9, 2012
    Posts:
    7
    I went to build a new version of my unity project on my mac yesterday (Monday). When I opened the Unity hub I noticed that there was an update, which I ran. When I tried to build my project, Unity Hub started asking for all sorts of permissions including photos and contacts. I had upgraded from Big Sur to Monterey last week, so I thought maybe this was something that Apple is now requiring apps to request permission for, but I clicked deny on them. There was no reason the hub should need them…. but then I couldn’t get my project to build. It kept hanging most of the way through. Finally I went into my security preferences and gave the hub the permissions it wanted. I trusted Unity. This time when I started the build, it was again taking a long time. I happened to have my unity projects folder open, and I noticed that things were disappearing from it. Panicking, I force quit the build and restarted my machine. A good half of my hard drive was wiped out. Fortunately, I had things backed up using Apple’s time machine. I was able to reinstall the operating system and restore from Friday’s backup. A friend pointed me to this small forum post. The problem is much worse than what is described here, and I had the issue Monday not Friday. There needs to be a big red warning on Unity’s site right now. Please let me know if there is any more information that I can provide, and when it is safe to use Unity again.
     
    Lethn likes this.
  25. M-Woods

    M-Woods

    Joined:
    Oct 9, 2012
    Posts:
    7
    An update to my incident.
    I have been in touch with Unity support and they are fairly confident that things are fixed.
    No one else has reported as bad a problem as I had.
    After a double back up of my important data, I downloaded and installed Unity Hub 3.1.1 via the website rather than the built-in updater.
    I then downloaded version 2021.2.16f1 of the editor via the hub, and attempted to build the project.
    The project built with no problems this time.
    Unity hub did not ask for any special permissions, and I encountered no other suspicious activity.
    I’m cautiously optimistic.
     
    DragonCoder, Obscure_Coyote and Lethn like this.
  26. Peter77

    Peter77

    QA Jesus

    Joined:
    Jun 12, 2013
    Posts:
    6,589
  27. Noisecrime

    Noisecrime

    Joined:
    Apr 7, 2010
    Posts:
    2,051
    Funnily enough it appears, for me at least, that Unity's auto-update is also 'broken'.

    I posted a few days ago about noticing that the Hub wants to upgrade from 3.0.1 to 3.1.1 on my machine. There is a notification at the top of the hub app stating that it will install after 'restarting' whilst giving you the option to 'Restart Now' or 'Dismiss'.

    Well I was in no hurry to update, not unless Unity come back and state their audit found potential issues with older versions of the hub, so I've just left the Hub open. Yesterday however I had to restart my machine, which I did without explicitly closing the Hub ( I rarely restart or shutdown but use sleep instead ) and was quite surprised afterwards to find that the Hub had not auto-updated, and still had the notification at the top of the app.

I can only assume the Hub considered it an unexpected shutdown or something and didn't set up the flag to start the automatic update, or maybe the update happens when you close the hub and restarting the machine prevented that.

Anyway, since it still hadn't updated I performed the steps outlined here to prevent auto-updates and deleted the already downloaded update installer. So in theory I'll be locked into Hub 3.0.1 until I restore auto-update functionality.


I have to say though, after almost a week since this thread was started I'm disappointed not to have heard anything more from Unity in terms of progress on auditing third party code in the hub. I don't expect them to have performed a full audit, but I would have expected some report on progress and findings.

Furthermore, I was really hoping that Unity would make a commitment to strip out as much third party code as possible, as that seems to be the only guaranteed way to prevent similar threats in the future.
     
    Last edited: Mar 24, 2022
  28. theylovegames

    theylovegames

    Joined:
    Aug 18, 2012
    Posts:
    176
A moderator might have deleted my bug report post on the HUB not remembering the project version with Unity 3.5.7. It's only related because it's a HUB issue. I know it's an old paid version, but deleting posts just closes bugs without fixing them. Supporting old versions is important for those of us who are making plugins and need to support all versions of Unity.
     
    Last edited: Mar 25, 2022
  29. Mauri

    Mauri

    Joined:
    Dec 9, 2010
    Posts:
    2,663
    @theylovegames Your post (as well as mine, which was a reply to you) got deleted because it has nothing to do with the security issue in this thread. I'd suggest you create a separate thread in the Unity Hub forum section instead.
     
  30. ROBYER1

    ROBYER1

    Joined:
    Oct 9, 2015
    Posts:
    1,450
    We got no email about this, IT staff are a bit miffed, myself included.
     
  31. Noisecrime

    Noisecrime

    Joined:
    Apr 7, 2010
    Posts:
    2,051
So it's been two weeks and not a peep from Unity?

I didn't expect them to be able to audit everything immediately, but I certainly felt by now we'd have been given a few updates on progress and any discoveries they made. What is going on?
     
    Lethn and dm_bond like this.
  32. Lethn

    Lethn

    Joined:
    May 18, 2015
    Posts:
    1,583
Yeah I really don't want to see them slink away from this issue, and it's a classic example of why auto-update is such a bad idea. All they need to do is at least make it optional and then people will be happy; it really isn't that much to ask.
     
  33. Hurri04

    Hurri04

    Joined:
    Nov 27, 2017
    Posts:
    59
    Really hoping this doesn't turn into a "security by obscurity" situation where this gets swept under the carpet or forgotten about, to "fix" "perceived" vulnerabilities that seem to be the top concern...
     
    Lethn likes this.
  34. LeonhardP

    LeonhardP

    Unity Technologies

    Joined:
    Jul 4, 2016
    Posts:
    3,132
    Hi everybody,

Our team has completed its audit of the dependencies for the Hub, successfully identified the cause of the file being written to a user’s desktop, and has removed and resolved this issue. All other dependency changes have also been reviewed and cleared. We take these matters seriously and have been monitoring this thread and related discussions closely. We will review and take your feedback as it relates to existing functionality for the Hub. We thank you for your candor and suggestions as we continuously look for ways to improve our offerings to creators.
     
    Lethn and Noisecrime like this.
  35. Noisecrime

    Noisecrime

    Joined:
    Apr 7, 2010
    Posts:
    2,051
    Glad to hear nothing else was found, however I really hope this isn't all that happens.

Going forward I would personally welcome seeing, say, a blog post addressing this and how Unity plan to minimise risk in the future, with a very specific level of detail about plans etc. For example if this were me, I would probably have seriously considered reducing reliance on third party code where possible, planning to replace modules over time with in-house code etc. Obviously as we don't know the extent of Unity's use of third party code I have no idea if that would be practical, but it's the type of thing I'd like to hear about, in terms of how Unity is going to manage this going forward. A single paragraph post in the thread doesn't really seem to cut it - IMHO.

Whilst it may not be your area, I was disappointed to see my post about the PackageManager and packages not getting any traction (Safety and Security around Package Manager). There is clearly a risk using third party packages, so much so that Unity had written their own blog post about 'Dependency Confusion' attacks and the package manager a year or two back. However the attack that the Hub faced illustrates a different avenue of attack, and I feel there are areas in Package Manager that could and should probably be 'reinforced' security wise. If this involves a different team to Hub, then I feel you should be in communication anyway to share experience and knowledge around security issues.
     
  36. Lethn

    Lethn

    Joined:
    May 18, 2015
    Posts:
    1,583
    I'm glad that Unity have at least acknowledged the problem but this sort of thing should have been posted site wide as a warning the second it was discovered and it makes the unity staff look unprofessional when they don't at least respond quickly to such an issue and give everyone a heads up. I didn't even originally discover the node issue on the unity site and first heard about it on an alt-tech one instead and had to double check the forums.

Auto-updates have always been a bad idea; if it isn't someone nefarious it could end up being some disgruntled employee or other bad actor that can potentially wreck people's PCs at the push of a button. Companies need to acknowledge this and take it seriously instead of constantly trying to push auto-updating onto unwitting users. If we can't even have such a basic security feature as standard then there really is no point in me using the engine for further projects anymore. Which is annoying, because I do actually like Unity as software.

Edit: The simple fact is, this could have cost my life's work (no exaggeration) if I wasn't ultra-sensible about backing up, so I can only imagine how pissed off other people who actually got their hard drives wiped feel. Unity can't just shrug and go "Oh well we caught it so better luck next time"; no, this is a blatant security breach that I am not having on my PC if I can help it. This could have cost a lot of people their data potentially if we weren't all paranoid to begin with.
     
    Last edited: Apr 8, 2022
    NotaNaN, M-Woods, xeleh and 1 other person like this.
  37. ArtuomGameStudio

    ArtuomGameStudio

    Joined:
    Dec 12, 2018
    Posts:
    1
    After that, images stopped showing on my Win10 lock screen. Also, after restart, the power saving mode is now always reset. And after locking and unlocking screen, keyboard layout is reset.
     
  38. Lethn

    Lethn

    Joined:
    May 18, 2015
    Posts:
    1,583
Heading into May now and still little to no proper site wide acknowledgement from staff on this issue. I made my decision after a while of silence, but I figured I'd post just to let people know why I'm no longer really contributing to the forums like I used to. Will be switching to Godot as my main engine now.
     
    Last edited: Jun 9, 2022