
Discussion The end of trust? Unity hacking

Discussion in 'General Discussion' started by Orion, Mar 20, 2024.

  1. Orion

    Orion

    Joined:
    Mar 31, 2008
    Posts:
    263
    For some time I've observed an unnerving trend on reddit of game developers reporting that they were hacked and blackmailed.

    The angle seems to be:
    - Someone on their / a shared Discord makes contact
    - They ask if they'd be up for testing their game
    - They link to a legit looking itch.io page with a downloadable game
    - The game carries a virus or similar mechanism to steal user data or obtain access to their computer
    - Moments later they are contacted by the hacker and blackmailed to give access to their Discord / Steam account or similar

    This exploit of trust among game developers is extremely saddening.

    This is especially problematic for indie developers, if no one dares to download games anymore that aren't thoroughly vetted by some third party.

    To me it raises questions too: Are games uploaded to Steam safe against this?
    Is this also possible with WebGL games?

    If not, how can you possibly ensure anyone trusts your games? And if that's possible, can't this be exploited as well?
     
    marcoantap likes this.
  2. neginfinity

    neginfinity

    Joined:
    Jan 27, 2013
    Posts:
    13,623
    The idea is to answer "No" at step 2 ("ask if") and live happily ever after.

    Steam games are not safe from malware, there were multiple instances where people complained in reviews that a game installs services they dislike. One example is Easy Anti-Cheat.

    Regarding game trust - if the game ever asks for elevated privileges, that's a warning flag. However even without those it can wipe out all your documents. So your only hope is signature from trusted party.
     
    Ryiah and CodeSmile like this.
  3. CodeSmile

    CodeSmile

    Joined:
    Apr 10, 2014
    Posts:
    6,486
    This form of spreading malware is called "social engineering" and the only thing one can do about this is education and raising awareness.

    It worked for past approaches to the point they became memes everyone's laughing about. Which reminds me, that cousin in Nigeria is still waiting for my $5,000 downpayment so I can get my share of his heritage amounting to over a million can you believe that???

    No.

    But they'll find new ways every so often. It's a cat and mouse game.
     
    Ryiah and DragonCoder like this.
  4. bugfinders

    bugfinders

    Joined:
    Jul 5, 2018
    Posts:
    2,006
    I'd like to think WebGL was immune but the honest truth is, nothing is. The fact that people can/have embedded malware in pictures and so on just proves frankly nothing is safe. Back in the late 80s early 90s a computer magazine that put out a CD on the front cover got hammered when it turned out the CD had a virus on it.. People had stupidly believed read only media was safe, well, it is, in that as long as it was clean when it went on, it stays clean, but if you burn a virus on, well, it's on there now..

    Everyone wants a bargain, everyone wants to feel special, so if they get a chance at an "early" copy, or to be paid for (allegedly) or, anything people will fall for it.. I fear it's going to be a long time before they stop falling for it.
     
    Orion likes this.
  5. Orion

    Orion

    Joined:
    Mar 31, 2008
    Posts:
    263
    My issue is not with it happening to me (well also), but that, if everyone acts cautiously, no one will ever test someone else's game again.

    Not everyone can (or will) easily acquire a signature for their game. Especially in settings like game jams and the like.
     
  6. CodeSmile

    CodeSmile

    Joined:
    Apr 10, 2014
    Posts:
    6,486
    But that sort of attack requires opening the image in a viewer that has such a security issue.

    A far easier approach is to simply make that image a hyperlink and entice someone to click it.
     
  7. Orion

    Orion

    Joined:
    Mar 31, 2008
    Posts:
    263
    My very first computer magazine (for Apple at that) came with a floppy disk with demos. One of them was ransomware which locked up the computer for money. How no one tested that before shipping thousands of copies is beyond me.
     
    bugfinders likes this.
  8. neginfinity

    neginfinity

    Joined:
    Jan 27, 2013
    Posts:
    13,623
    Oh, they absolutely will. "This happened to someone else, and I'm different! No way it would happen to me"

    Use builds that do not require admin rights to run. Basically a game should start from extracted zip archive.
     
    Ruslank100 likes this.
  9. DragonCoder

    DragonCoder

    Joined:
    Jul 3, 2015
    Posts:
    1,743
    No matter the requested rights, Windows still gives that stupid warning regarding lack of signature.
    Everyone who plays games from itch.io at least regularly should be used to it. But a newcomer will be frightened.

    As for that scam issue, yeah it's a real thing. I received such a message from a friend who got hacked as well. It sucks big time for game devs. Probably the only solution is to regularly mention that you work on a project so it's not feeling like "suddenly I'm a game dev" when you do actually ask friends to be testers...

    Discord itself closes their eyes in front of issues like these for some reason (and they reduced some workforce recently anyways). They don't even act against easily auto-detectable spam (like a bot posting the same msg in 10 channels within 10 seconds).
     
    Ruslank100 and Orion like this.
  10. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,470
    Sorry, but I stopped reading here because the average person on reddit is just a karma seeking idiot. I visit reddit as it's taken over for forums for most communities but you have to be extremely doubtful of anything posted there because most people are just there farming for likes. Trends on reddit don't really mean anything.
     
  11. Orion

    Orion

    Joined:
    Mar 31, 2008
    Posts:
    263
    You can say that about pretty much any source, nowadays, though.
    But it doesn't matter. I also found a bunch of videos on it and watched in real-time as a Discord server was being taken over and the mods couldn't do anything about it. Make of that what you will.
     
  12. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,470
    No. It's far worse for reddit than any other community. Because of how large reddit is and how many people are on it you can't figure out who has a good reputation and who doesn't. With most communities you can know most of the major people and know for example that someone has a tendency to respond a certain way to a certain topic.

    You can have that removed by purchasing an EV (Extended Validation) Code Signing signature. Once applied it will alert the user on install if the application has been compromised. You still have to verify that your code is safe and doesn't accidentally have a virus but this will safeguard it once it leaves your hands.

    Here are the companies that I've heard of but there are others too.

    https://comodosslstore.com/code-signing/comodo-ev-code-signing-certificate
    https://shop.globalsign.com/en/code-signing
     
    Last edited: Mar 20, 2024
  13. Murgilod

    Murgilod

    Joined:
    Nov 12, 2013
    Posts:
    10,258
    This isn't "new" and has been happening for over a year and a half now. Despite this, it's still possible to get testers for games. This isn't the "end of trust."
     
  14. neginfinity

    neginfinity

    Joined:
    Jan 27, 2013
    Posts:
    13,623
    I believe you're talking about a different warning.

    Windows gives a warning for downloaded exe files and msi. The idea is not to use those, but archives. Extract the archive and run. I've never seen a warning on archive contents extracted with 7zip.

    Then there's an entirely separate issue when exe requests elevated rights to write into admin-protected folder. That one should not be ignored and is a red flag. Several steam games in fact trigger this, but it becomes less and less common.
     
  15. DragonCoder

    DragonCoder

    Joined:
    Jul 3, 2015
    Posts:
    1,743
    It's the one Ryiah refers to as well. It is explicitly regarding the certification of the publisher of an executable.
    This, albeit it looks a tad different by now. https://stackoverflow.com/questions...afe-to-run-unknown-publisher-programmatically

    Few hundred dollars each year are not that easy for an indie and not sure whether you can easily apply the same certificate to as many updates as you want...
     
    Ruslank100 and Orion like this.
  16. neginfinity

    neginfinity

    Joined:
    Jan 27, 2013
    Posts:
    13,623
    That's the third one and I've not seen it in ages.

    Note that both question and accepted answer you linked talk about admin privileges. In my opinion, your application should not request them. Ever.
     
  17. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,470
    Microsoft automatically tracks opened executables and after enough people opt to open regardless of the warning they mark it as safe. I run into it on occasion but it requires me to be running an app that's really unusual.
     
    DragonCoder likes this.
  18. neginfinity

    neginfinity

    Joined:
    Jan 27, 2013
    Posts:
    13,623
    That's off-topic, but frankly this sort of feature is a good reason to ditch windows system.
     
  19. Spy-Master

    Spy-Master

    Joined:
    Aug 4, 2022
    Posts:
    752
    Is it? Why? And ditch it for which superior alternative?
     
  20. DragonCoder

    DragonCoder

    Joined:
    Jul 3, 2015
    Posts:
    1,743
    Yeah sure, I'd rather choose an OS where I gotta compile every other application myself xD

    Indeed Windows stops showing the alert after enough people have opened it, but especially when you give someone your game to test it, it'll appear :/
     
  21. neginfinity

    neginfinity

    Joined:
    Jan 27, 2013
    Posts:
    13,623
    Because you have an external 3rd party authority on your machine which decides what you're allowed to run. The message itself is problematic, because it is worded to be manipulative.

    "YOU WERE IN DANGER! But we saved you!".

    I have Linux Mint running on another PC, it's been sitting there for years and never caused me a problem. Meanwhile with each windows update I'm unsure if the OS will try to commit suicide again. I had windows break after updates multiple times.

    There are distributions other than LFS, Slackware and Gentoo.

    I want power tools. Microsoft has been busily trying to turn windows into a shiny toy. In the process they also made it less comfortable to use. Locating specific settings was easier in older versions. And now I have adverts in start menu on top, which require voodoo in order to disable them.

    Also, even if you have to compile software, it can be worth it, if the end result will faithfully work for you forever. Instead of randomly breaking, randomly creating a mess and so on.
     
    Ruslank100 likes this.
  22. Noisecrime

    Noisecrime

    Joined:
    Apr 7, 2010
    Posts:
    2,057
    Annoyingly they are rather expensive, at least relative to potential development costs and sale price. Sure if you are making a game and expect to get at least a few thousand sales it's not too bad and a cost of doing business. However they are impractical for demos or free applications.

    I'm not even sure they do anything beyond a trust system? I don't think anyone actually validates your app that is signed isn't malware, so they cost a lot of money with no actual effort from the signing companies. Though I guess that explains the cost as it's basically 'insurance' against bad actors, though even then I doubt any user would get a pay out for using malware that is EV signed.

    Plus 'March 2024, Microsoft changed the way MS SmartScreen interacts with EV Code Signing certificates. EV Code Signing certificates remain the highest trust certificates available, but they no longer instantly remove SmartScreen warnings.'

    The only silver lining I found when looking into this a few months back was that if you release via the Windows Store, Microsoft will automatically sign that version of the app for free. Well not exactly free as I'm sure there are other costs like a dev account for Windows Store, but you get the idea.
     
    Ryiah likes this.
  23. Noisecrime

    Noisecrime

    Joined:
    Apr 7, 2010
    Posts:
    2,057
    Weird as I always see the warning, and looking at the unzipped files' properties, they all inherit the 'blocked' property. The only way I found to avoid that was to remember to remove the 'blocked' property from the zip file before decompressing.

    Maybe 7zip does something special, it's hard to remember as I usually switch between windows unzip, winrar and 7zip depending upon needs and laziness. Otherwise I wonder if there is some windows setting that controls it?
     
  24. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,470
    A Stack Overflow answer suggests that you have to submit your app to Microsoft but I haven't verified that.

    https://stackoverflow.com/questions...ives-warning-with-ev-code-signing-certificate
     
    Noisecrime likes this.
  25. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    15,635
    I get a good chuckle from that warning being called stupid in a thread about how it's unsafe to run arbitrary software.

    As far as I am aware the warning can be controlled or suppressed to some degree by signing your software with an appropriate certificate. My research into this was some time ago and somewhat limited. I think that the "easy" solutions change the content of the warning and identify the software developer. To make it go away involves clearing higher hurdles, or having the executable used a lot online without negative reports, as I think @Ryiah already raised.

    But seriously, that warning is real and legitimate. It's annoying, but it is in no way "stupid", because these risks absolutely are real.
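
Added example (not from any poster in this thread): a PowerShell check a tester can run on an extracted build before launching it, reporting the two things discussed above, the 'blocked' property (stored in the file's `Zone.Identifier` alternate data stream on NTFS) and the Authenticode signature state. The function name `Get-DownloadTrustInfo` and the folder path are hypothetical.

```powershell
# Added example: report "blocked" state and code-signing status for downloaded files.
# Get-DownloadTrustInfo is a hypothetical helper name; the cmdlets it calls are built in.
function Get-DownloadTrustInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # The 'blocked' checkbox in file properties reflects the Zone.Identifier stream.
    # Files created locally, or stored on non-NTFS volumes, have no such stream.
    $zoneId  = $null
    $hostUrl = $null
    $stream  = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
        if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
    }

    # Signature status: Valid, NotSigned, HashMismatch (modified after signing), etc.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    [pscustomobject]@{
        File      = $file.Name
        Blocked   = ($null -ne $zoneId -and $zoneId -ge 3)   # 3 = Internet, 4 = Restricted sites
        ZoneId    = $zoneId
        HostUrl   = $hostUrl
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Usage: audit every executable and DLL in an extracted archive (hypothetical path).
$buildDir = 'C:\Downloads\SomeGameBuild'
Get-ChildItem -Path $buildDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object { Get-DownloadTrustInfo -Path $_.FullName } |
    Format-Table -AutoSize
```

A `Valid` signature only shows that the file is unchanged since the named signer signed it; as noted in the thread, it does not mean anyone checked the program for malware.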