Just when you thought the Earth 2 "devs" couldn't get any shadier. It's obvious they're exploiting that part of the profile, why else would they leave it virtually untouched? Also, I do not blame the people on the Drone Discord for being as mad as they are, I'd be too if a game I liked was basically killed by being acquired by a scummy company.
They have a long way to go before they get to the metaverse if they can't prevent a simple code injection exploit. Oh man, it's so infuriating being a developer myself and seeing fellow "colleagues" perform this badly.
Not having any programming skill I don’t think I fully understood the significance of this issue until around the eighth minute and I’m astonished. Either the mods on their end are abusing it, or they’re totally incompetent using copy/pasting. Reminds me of a job I had years ago that occasionally needed to apply a calculation to the samples analysed. I was new, and the equation was within some sort of spreadsheet. My boss told me to just put the numbers in and it’ll do the calculation. But I wasn’t ever to actually save the file because if it was changed, nobody knew how to fix it. Only my predecessor knew how. Lol I got out of there ASAP. Total shambles.
Amusingly, there is a feature in SharePoint that allows you to feed parameters to an Excel model to calculate. They could have put their Excel file in it, then made the input fields parameters and SharePoint would provide a form to fill out the values and the file would never be saved. That said, they should be able to save the file and understand it. It is soooo easy to mess that up, so making your business depend on a person NOT DOING something they are usually SUPPOSED to do is a recipe for disaster. I'm glad you got out. :)
Gotta love the biggest E2 fanboy going "They are just toxic people", the fuck you talking about? THEY PAID FOR THAT GAME, and didn't get it, instead see it being sold to some highly questionable guy and that's it. Gee, you think they are angry? These fanboys, gods I really hope it's a massive scam and them losing out so much money, perhaps then they wake up.
The dream world devs are gonna eventually put out like a proper and amazing game, meanwhile the earth 2 devs are gonna be like "Hey, buy the washington monument for $4 please"
I completely disagree with dreamworld. That game was built on lies and the foundation is broken. It has zero direction or reason to play other than to see the famous dreamworld rehabilitation story. Chronicles of elyria had a far more specific plan in mind despite being a scam. It’s great that dream world is trying to make their game playable, but let's not confuse playable with anything close to fun or desirable. That being said, at least dreamworld is playable.
As a webdev I agree that this is trivial to fix. We do sanitisation of user inputs as a reflex, although it's usually handled by the library you use. Honestly it's almost impressive for them to have this kind of bug.
Holy crap. Drone looks so damn cool and right up my alley and I never knew about it - I can't decide if I'm disappointed about it or not. A shame I can't (refuse) to play it, but it would equally suck to enjoy something and have it pulled away by this scam company.
Yeah, I’m so glad I didn’t buy it when I heard about it a while ago, you might like terratech or from the depths, not the same but they both have a building system and enfolding
Drone got promoted a lot years ago by youtubers looking for somewhere to go after Robocraft went to shit, but it never lived up to its promises. And now the worst possible company has bought them out. The very niche genre of "multiplayer block-based vehicular arena combat" is never going to see the heights it did during old Robocraft I guess. It's a graveyard of failed projects at this point. (yes, FTD and Terratech are also block-based vehicle combat games, but they don't have the same arena combat or competitive multiplayer that RC or Drone did so they aren't a perfect replacement)
@@sarrakitty to me RC failed when they scrapped the proper ranked battles. Up to that point I could stomach the changes they made, but that was the last nail.
@@sarrakitty The craziest thing about Robocraft is that people still played and loved the game. Even after the updates stopped coming, it still has people who loved the game so much that some of them are bringing back Robocraft 2015! Too bad Drone won't have the same fate; it doomed itself the moment it was sold to E2.
This whole situation is absolutely wild. The most disgusting part is that someone with that big of a project was stupid enough to work with the known scammers that are Earth2 and its staff.
This is amazing that they did this. My fear has always been that E2 would crash and burn, but the failure would be blamed on the UA-cam creators that exposed it. This video shows that their entire team is made up of AWFUL DEVS, and even poorer businessmen. They wouldn’t be making these decisions if they had any talent whatsoever.👏👏👏👏
"Just add quotation marks around the text." Yeah, no, but given how naive this implementation looks (I don't want an account to actually verify this), don't you think you could just escape by adding a quotation mark to your input text? But more interesting: Can this be used to inject HTML code for *other* people viewing your profile? Because then it gets really nasty.
The code that will modify the text people type in forms before outputting to add quotation marks around it will also replace actual quotation marks typed into that form with &quot; which will display a " in your browser without having the ability to close the quotation marks and escape. And yes, it works on literally everybody. Their browser will run whatever code you put into that form if they view your profile; your browser assumes everything it sees is code and runs it as such unless it's specifically told "This isn't code, don't run this" (i.e. by containing it in quotation marks), so you could potentially do all sorts of nefarious things to people by exploiting that.
As a primarily C# developer, I was under the impression that most modern languages and libraries strip potential XSS input by default. Either I'm wrong about that or the devs are even using their drag and drop tools incorrectly. EDIT: I should clarify. C# libraries such as Web API will throw an error if a user attempts to pass in potentially malicious XSS input. It won't necessarily escape it automatically.
nope. you have to sanitize your inputs yourself. by default they are simply raw inputs. back in the day sites used to do injection type things themselves back when the net was the wild west.
@@drew21t Every api worth its salt does this for you. You shouldn't be reinventing the wheel when writing inputs. It's not a hello world static website. and what do you mean "back in the day sites used to do injection type things themselves"??? literally word soup that means nothing so you can pretend like you know what you're talking about.
Not by default, no. But most include simple reusable built-in functions for encoding input strings correctly. Speaking as a WebAPI developer myself, please don't rely on it to throw an error without you manually sanitising the inputs yourself. What you're relying on there is actually IIS spotting something malicious in the request. It's bad practice to rely on vendor defaults, and that approach wouldn't fly in any kind of PCI-DSS compliant workplace, for example.
when earth2 was announced I did like 5 min of research on their team names, all were like investors and people who deal with money, I understood immediately it was a scam
If it's in for more than a month, that's a feature. Excited to find out what it is. If they hid the game breaking exploit for 7 months it probably benefitted them.
That has to be one of the final nails Callum jesus man you're my knight with a white keyboard. Keep up the good fight. A lot of people are at risk on Earth 2. Thank you for highlighting it man.
Actually, you can't fix the bug by adding quotation marks. This is a common mistake programmers make, yet it does not prevent html insertion. And the fact that they tried to fix it by filtering for tags shows how shitty their programmers are. There are built-in functions in the programming languages I am aware of, which are the one and only way to prevent html insertion (and there are other functions for SQL insertion).
I seriously don't understand what the designers of HTML and SQL were thinking. How was it so easy to run arbitrary code in the first place? To be fair I've never used either language much but you'd think it would be a bit harder than just the end user typing code into a text box. (This is probably like asking C/C++ devs "Why do you keep having buffer overflows" so forgive me if it is)
@@williamdrum9899 It is not HTML or SQL as languages. The problem is the web framework used that passes essentially all manually given text to the server and/or the database. "Escaping" helps but that needs specific functions for that purpose rather than parsing the string by yourself.
I was stoked by DRONE since 2016 because Robocraft is dying. Came to play it in 2019/2020. It has many cool features I knew from Robocraft, also a map creator. The controls were hard and the balance is kinda non-existent but it's what I expect from an early access. Was hoping to get into it when it's more polished. Turns out it's dead on arrival...
- "You can run HTML, Javascript, SQL in that box" - proceeds to talk only about JavaScript and HTML. Dude, an SQL injection is way worse than "breaking" the front end, because you can obtain all the data of the database, change it or delete the entire database regardless of how many front ends exist. You brick the entire server for everyone.
If they can't secure their front end from such a trivial error, do you think they can secure their backend? I would not be surprised if there was a way to do sql injection on their server.
He is aware, but it takes one dude with a bit of knowledge and you've got more than a non-functioning website. I think he doesn't want to be responsible for it. But tbh someone should fuck them up for exploiting their own system, at least I would love to see their discord after someone fucked up their system. Callum can't do it as a content creator, but one random dude on the internet can do it without getting "detected"
to be honest, as much as I want to see the end of E2, at the same time, they shouldn't be made into martyrs. But yeah, I'm sure if shit starts to hit the fan, Shane is not against making the whole site die and then blaming bad actors.
if it's a wordpress site, you can change most things in like a theme template. they 100% have the ability. Now, know-how is a different story. (speaking as a professional WP theme developer)
I have to pay the BBC nearly 200 quid a year, yet they haven't managed to come up with something this entertaining and gripping in nearly thirty years. At the same time I can't wait for this story to reach its conclusion, I don't want it to end. 😂
Wow, this is a big security issue. Imagine using a delete table command in SQL: you would have screwed up the database and they would need to restore from backup.
Quotation marks or even a regex replace. (I typed example pseudocode but UA-cam is smart enough to ban the comment just for having what Josh calls 'pointy brackets')
shocking they have this... but please don't make out you fix cross site with "just adding a quote".. you don't fix it like that at all - and if you did, you can STILL exploit it very easily. You fix it with something like input filtering / output encoding / headers etc. Also, that isn't the database you're seeing. It's most likely a JSON object returned from their api / controllers. I appreciate you're explaining for those who may not know, but don't give out false info when doing so, as it just confuses the matter more (and to a lesser extent, gives you less credit with those who do know about it technically).
He probably violated his NDA when he said that E2 was in control of Drone right after he left the team (before the announcements,) so I'd imagine E2 could take him to court, at least.
Cross-site scripting: my first big Java project had me learn that only with PreparedStatements should ANYTHING be posted to a database. Anything retrieved from a database can just be gotten with a Statement. IDK if Earth 2 is using Java or what for their back-end but that's literally all that's needed (that or abstract that issue away with something like Hibernate)
Prepared statements prevent sql injection, not xss, since prepared statements define the datatype of the variable fed into the database and string is string to the db, whether it is a script or a simple sentence. To prevent xss you would have to escape special chars. It is some time since I last used java, but the command escapeHtml() should do the job to escape javascript and html.
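The two-layer point made in the reply above, as an added example that is not from the thread or from Earth 2's code: a parameterized query keeps the database from parsing the user's characters as SQL, and HTML escaping is applied separately at output time. The table, the sample bio and the template are constructed for the demo; Python's sqlite3 and html modules stand in for the Java API mentioned.

```python
import html
import sqlite3

# Constructed sample: perfectly ordinary profile text that happens to contain
# an apostrophe and a '<' character.
SAMPLE_BIO = "O'Brien's tiles <3 you"


def new_db() -> sqlite3.Connection:
    """In-memory database with a one-column profiles table (constructed for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (id INTEGER PRIMARY KEY, bio TEXT)")
    return conn


def concatenated_insert(conn: sqlite3.Connection, bio: str) -> None:
    """String-built query, the pattern prepared statements replace.

    The user's text becomes part of the SQL itself, so even the apostrophe in
    a legitimate name ends the literal early and the statement no longer parses.
    """
    conn.execute("INSERT INTO profiles (bio) VALUES ('" + bio + "')")


def parameterized_insert(conn: sqlite3.Connection, bio: str) -> None:
    """Prepared statement: the SQL text is fixed and the value travels separately,
    so the database stores it as a string whatever characters it contains."""
    conn.execute("INSERT INTO profiles (bio) VALUES (?)", (bio,))


def concatenation_breaks(bio: str) -> bool:
    """True if the string-built insert fails to parse for this input."""
    conn = new_db()
    try:
        concatenated_insert(conn, bio)
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()
    return False


def store_raw(bio: str) -> str:
    """Store with a prepared statement and read back: the database holds the raw
    text unchanged. No HTML escaping happens at this layer, and none should."""
    conn = new_db()
    try:
        parameterized_insert(conn, bio)
        return conn.execute("SELECT bio FROM profiles").fetchone()[0]
    finally:
        conn.close()


def render_bio(stored_bio: str) -> str:
    """Output layer (hypothetical template): HTML-escape the stored string at the
    moment it is placed into the page. This is the XSS defence, and it is
    independent of how the value reached the database."""
    return '<p class="bio">' + html.escape(stored_bio, quote=True) + "</p>"


if __name__ == "__main__":
    print("string-built insert fails on an apostrophe:", concatenation_breaks(SAMPLE_BIO))
    stored = store_raw(SAMPLE_BIO)
    print("stored via prepared statement:", stored)
    print("rendered with output escaping:", render_bio(stored))
```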
Cross Site, not Cross Server ;) On a more serious note, in case they manage to fix it for unicode as well, there's a couple more ways you can have the db decode the string itself, pretty sure you know them already. I once did a PoC where I self-injected a script via browser plugin on my online banking site and was easily able to completely separate the data on the ui side. From the crash JSON there are multiple Payment Service Provider APIs referenced, no idea how they are handled and implemented, but ... yeah. If they still refuse to properly fix their stuff, PSPs can get very passive aggressive.
The best idea would be to use it to send the current users cookies to the exploiters server, why brick or list things for sale when you can just simply log into their account directly and do as you wish
How will those clowns convert the drone map into a replica of earth 1 to 1? I feel for the Drone community, why did Nathaniel even sell his baby to those crooks?
One thing worth noting with XSS bugs is that they can be exploited not only to exploit the Earth2 marketplace, but much more importantly, they can be used to steal authentication tokens and cookies for other services, like facebook, google and your internet banking. Remember all of those sites where you don't have to login? You just go on that site and you are already logged on? That happens because your browser carries a special kind of cookie, that authorizes you to be logged in on that site under your profile (notice that when you clear cookies, this cookie gets deleted and you have to login on those sites again). This bug you talk about here can be exploited to steal these cookies and it can be exploited to commit identity theft. Something much, much worse than abusing some silly earth2 marketplace.
While the bug wasn't well known: "Oh yeah, we've known about this for a while." While it's public: "Well, this is news to us! We never knew!" Pretty much... pathetic.
This is like watching a train crash in slow motion. It's strangely entertaining and I really dislike train crashes as my profession is a train driver lol
Shane abusing Earth2 like Bobby Kotick & a blow up doll.
if only Bobby Kotick used blow up dolls instead of real people....
@@lady_sofine1193 He can't get a power trip from sending death threats to a blow-up doll, though.
Except Bobby would probably clean up his doll every once in a while unlike Shane.
Well, that's a mental image I can never unsee 😜
@@drakkenmensch no he would get some junior dev to do it :D
Callum: "Is it a feature or a bug?"
Shane: "Well that all depends who's exploiting it, now doesn't it?"
Surprise mechanics maybe?
For my friends: Everything
For my enemies: The Law
"Exploiting" the DEVs: bug
Exploiting the player: feature. 🫠
I discovered Earth 2 a couple days ago because of a Josh Strife Hayes video, and I can't stop watching these. I've binge-watched pretty much any content I can get on this, because the whole thing never fails to get more baffling the more I hear about it. Thanks for the work that you and others have put into this; I'm hoping these are helping people who don't realize what Earth 2 is.
Also, Earth 2 will be the reason I actually read Terms & Services going forward. My goodness.
For my part, I’ve been watching at a distance for a few months now. Entertaining.
Same. I've been all over in my professional life (COO, Co-owner, shitty peon in other corporations, unemployed, entrepreneur, partner etc), and these kinds of stories are fascinating.
It's unreal how much of a telegraphed scam this project had been
To be honest putting static quotation marks around user input does not help because a attacker can just put a single quote symbol before the exploit text and nullify the protection. The proper way to fix things like that is to escape any special symbols in user input.
Ya, would think that Callum knows this, not sure why he said that
And that is a work of what? 30 seconds when not using an IDE. I literally had to htmlspecialchar 19 times today. This bug is wild, especially since Callum claims that they also execute unsanitized input as sql, meaning there are sql injection breaches all over the place.
I'm pretty sure when you do the quotes it keeps it as text, rather than executing it. A " in text is still just text, like 'text' and "text" are the same, and you can do ' " ' or " ' " if storing as a string for ' and ". My point is, no, Callum is correct.
I don't remember if they said in what the earth2 website is coded and my webdev knowledge is rusty but iirc there's a command that does sanitize any input string for you. Anyway, it's a problem that is as massive security-wise as it is easy to fix. It's literally web-dev 101.
@@kyonhaku909 There is a fringe case where this kind of sanitization is faulty.
Imagine the following input:
hello ' +alert()+' you sanitized wrong
And if they now use a ' to sanitize, the alert will execute just fine, because their result after sanitization will look like:
'hello'+alert()+' you sanitized wrong'
Similarly, if they use both quotes to escape in hopes of catching it, an attacker turns it into:
hello'"+alert()+"' fded up again
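The two inputs from the comment above, run through the "just add quotation marks" approach and through HTML output encoding, as an added example that is not from the thread or from Earth 2's code. The checks, the extra markup sample and the render_bio template are constructed for the demo; the encoding is Python's html.escape.

```python
import html

# Constructed test inputs, copied from the two examples in the comment above,
# plus one case with markup instead of a quote.
QUOTE_BYPASS = "hello ' +alert()+' you sanitized wrong"
DOUBLE_QUOTE_BYPASS = "hello'\"+alert()+\"' fded up again"
TAG_INPUT = "<b>hello</b>"

# Characters that, left unencoded, can close the surrounding HTML context.
CONTEXT_BREAKERS = "<>\"'"


def wrap_in_quotes(user_input: str) -> str:
    """The "just add quotation marks" fix criticised in the thread.

    The delimiters are static, so a quote inside the input closes the string
    early and whatever follows is no longer inside the quotes.
    """
    return "'" + user_input + "'"


def escape_for_html(user_input: str) -> str:
    """Output encoding: replace every character with HTML meaning by its entity.

    The browser renders the result as text. A quote still *displays* as a quote
    (the point made elsewhere in the thread); it just cannot close an attribute
    or string, and '<' cannot open a tag.
    """
    return html.escape(user_input, quote=True)


def has_context_breakers(encoded_user_value: str) -> bool:
    """Demo check: does the encoded user value still contain a raw delimiter?
    True after quote wrapping, False after proper encoding."""
    return any(ch in encoded_user_value for ch in CONTEXT_BREAKERS)


def round_trips(user_input: str) -> bool:
    """Encoding is lossless: decoding the entities gives back exactly what the
    user typed, so nothing has to be banned or silently altered."""
    return html.unescape(escape_for_html(user_input)) == user_input


def render_bio(user_input: str) -> str:
    """Hypothetical server-side template (not Earth 2's code): encode at the
    point of output, then place the encoded value inside the markup."""
    return '<p class="bio">' + escape_for_html(user_input) + "</p>"


if __name__ == "__main__":
    for sample in (QUOTE_BYPASS, DOUBLE_QUOTE_BYPASS, TAG_INPUT):
        wrapped = wrap_in_quotes(sample)
        encoded = escape_for_html(sample)
        print("input:   ", sample)
        print("wrapped: ", wrapped, "| breakers left:", has_context_breakers(wrapped))
        print("encoded: ", encoded, "| breakers left:", has_context_breakers(encoded))
        print("fragment:", render_bio(sample))
        print()
```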
I feel bad for the community of the game that was bought. Imagine supporting a niche game for 5 years and then it gets destroyed by some scammers
And then you are called toxic ontop of that for voicing your frustration by the E2 blinded fanboys.
First time i've seen a game getting downright annexed.
Yes it's the end of the world.
Shane does seem to be a bit of a scammer.
If you supported this for five years and never took a second to see what else was out there, well, be grateful for the valuable lesson you learned.
I love how Earth 2 has glitches without even being a game yet
this tbh.
Not just any glitch either- they have fucking _arbitrary code execution._
(Is that what ACE is I don't actually know)
@@firstnamelastname7244 😂 most underrated comment I've read in months
@@firstnamelastname7244 Yes, that’s ACE.
I actually can't believe this was/is a thing, anybody who knows anything about cyber security or has taken an SYO course knows that you never run text as script, for the exact reason you stated here. At least in my SYO book, they mentioned this was a thing, but said that it almost never happens anymore because of the devastation it can cause to any database, that each text field is repeatedly checked to make sure it's text only, just to make sure that this bug doesn't get overlooked.
Man, if it is that easy to execute a script... It's just a matter of time before someone abuses that to hell and intercepts all the login credentials and payments from anyone who passes by the wrong page. Being able to run JS from the main domain is just hitting the motherlode.
How do you circumvent this?
Because putting 2 " wouldn't work since they can add " and the system might think the string ended
@@Max128ping Not sure how this case works exactly behind the scenes, but the result he gets when showing it off looks like banning tags () and escaping " with \" would do the trick.
XSS and SQL injects are so 2012. Can't even believe these guys developing this didn't know the absolute basics of fucking web development, LOL.
@@Niosus you just potentially gave a lot of people ideas, kek.
I feel so sorry for the drone community... It looks like a really good game concept and half done already. All that community dedication and time washed down the drain... So painful.
apparently it was abandoned for nearly a year, the devs working on earth2 under nda the same time
@@CharIie83 yes, abandoned because earth2 ate them up.
Not that it was going forwards at a crazy fast pace before that...
Don’t forget the money… I’m amazed that people can even sell a studio that works on a crowd funded game without telling their public investors aka backers even if their share is a lot less? WTF.
Crowdfunding really needs some more clear rules.
@@worldpeace1822 Yeeeees, scamming people does need rules.
>.o
Some idiot once said something about honest people needing no rules and dishonest people always finding a way to exploit em. Could just... Not give money to people on the internet fnr?
@@Tsuchimursu unfortunately so, like most *actual* MMOs that are still functioning from years ago...
Also, tangent: profile pic from Rosario + Vampire, right?
I was contacted by a P2E NFT game that wanted to talk about most of the game via voice chat. I almost instantly deny these for the same issue you just had with Earth 2. It is a lot harder to back up voice chat for every voice chat one ever does rather than saving a screenshot. I don't trust a single word that isn't laid out in text.
I live in Minnesota so I could just record it lol. It would make it harder to skim through though.
Callum is incorrect. You can't do literally anything with the exploit. You couldn't make Earth 2 a playable game for example. ;)
Can one open a link to the E2 discord bot in 160 characters?
GOT 'HEM
I'm sure you can put snake on the page
That is probably true, but they can do the next best thing, embed a Doom Port!
You could inject the entire leaked code of Cyberpunk 2077. So I guess you are still correct.
Arya Realty Really Is A Legend At This Point...
Legendary shit lord. How you going to roll into someone else’s server and say that community is toxic when they were around for a minute, rightly upset, when you stand to gain money from that merger. I used to think him just a petty little man with grand delusions. Now I think of a greedy little manipulator.
@@thelegionisnotamused8929 dude how did you see him being a creepy wapey stalker to that girl who turned him down once and think "yeah he's just an idiot totally not a malicious bastardo"
Arya Realty and Finance, Not Financial Advice Not a Financial Advisor
Arya knew about the buy, hence his account is so big
So not only can they not do anything right in their tile selling nonsense but they have actively destroyed an actual game for a community for the sake of trying to pretend they are doing something
I have NEVER..NEVER... found anything you say or do to be unbelievable!
I can't say that about almost everyone else I've come into contact with on UA-cam.
Besides you, Josh Strife Hayes (hope I spelled your middle name right), KiraTv and a few others.
So glad you guys are out here looking for the little guy. Thank You.
Omg
I can feel Josh's shock.
When he says "NoOoo."
I legit imagine being like 😱.
Just utterly shocked like thinking "Whaaaaaat?"
One thing: you need more than just putting in quotes to fix the RCE/XSS issues, because the user can add in their own quotes to un-escape it. The actual solution is to sanitize user input; granted, I believe JavaScript has functions to do that, so it’s still trivial to fix, and it’s basically web design 101, so they still have no excuse for neglecting it.
I am pretty sure with XSS you can create a listing for property with malicious code which, when seen by users on the page, can trigger code that sends their auth/session headers to your email or whatever, after which you can use them to make requests on behalf of that user as if you are them, i.e. sell properties for low value, transfer them or whatever you can do in the app really.
@Lassi Kinnunen 81 Yeah hopefully it's localized to your personal profile page, in that case it would just be a code injection, but if that same action is possible on any shared page then it would be XSS since that code can execute on other users' pages. But even if it's just a profile thing you can still dump a lot of data from the server like client/secret keys and potentially just upload your own shell onto the server and depending on how the server is set up it might be a root user shell.
@@visiblymoist4404 Since Callum said you can do it in listings too, I believe any textbox can run code basically. Which is very very dangerous. tbh I kinda wanna see someone fuck their system up, just to see them crying. Or maybe that is what they want and then they can claim "it was a bug that destroyed E2, not our incompetence", and then ditch the project
It would be far easier if the description length is not limited. Write a script to get the user session, forge a URL with the user session to sell you all his tiles for 1$ and redirect on document load. And if that URL can't be forged, make it a popup for that user with JavaScript macroing its way through the selling process. This is wild, you could insert a finely crafted script that strips everyone who visits your page of his tiles.
Or heck, make it more sophisticated, if the user has more than 400 tiles, just nab one of them, the chance of him noticing is so slim, you could run this for months.
@@fatalityin1.... Assuming the project stays around for that long and you manage to cash out to benefit from it all
@@fatalityin1 You can upload your js script on a remote server/cdn and it could be dynamically loaded on the page, so you won't even have the length limit.
I only needed to know 1 thing...And it is the fact that I can "Rick Roll" people with this.
Easy, just redirect them to the rick roll video.
Maybe you could even play it as a sound as soon as someone just opens your profile, but my knowledge on that part is not sufficient
I honestly expected to see a private key in that JSON object lmao
That's WebDev 101 lol, I had the pleasure of learning from a teacher who loved to fiddle with your code and input fields
Keep on hodling your tiles Cullum, Earth2 to the Moon2!
Can an exploit be game-breaking if there is no game to be exploited?
Well it wasn't a game in the video sense, but there is a game here in the monetary sense. So kinda?
Just when you thought the Earth 2 "devs" couldn't get any shadier. It's obvious they're exploiting that part of the profile, why else would they leave it virtually untouched?
Also, I do not blame the people on the Drone Discord for being as mad as they are, I'd be too if a game I liked was basically killed by being acquired by a scummy company.
They have a long way to go before they get to the metaverse if they can't prevent a simple code injection exploit. Oh man, it's so infuriating being a developer myself and seeing fellow "colleagues" perform this badly.
Not having any programming skill I don’t think I fully understood the significance of this issue until around the eighth minute and I’m astonished.
Either the mods on their end are abusing it, or they’re totally incompetent using copy/pasting. Reminds me of a job I had years ago that occasionally needed to apply a calculation to the samples analysed. I was new, and the equation was within some sort of spreadsheet. My boss told me to just put the numbers in and it’ll do the calculation.
But I wasn’t ever to actually save the file because if it was changed, nobody knew how to fix it. Only my predecessor knew how. Lol I got out of there ASAP. Total shambles.
Amusingly, there is a feature in SharePoint that allows you to feed parameters to an Excel model to calculate. They could have put their Excel file in it, then made the input fields parameters and SharePoint would provide a form to fill out the values and the file would never be saved.
That said, they should be able to save the file and understand it. It is soooo easy to mess that up, so making your business depend on a person NOT DOING something they are usually SUPPOSED to do is a recipe for disaster. I'm glad you got out. :)
Considering what E2 is, they're abusing it, no doubt.
Good stuff Callum. Hilarious that they tell you how long they've known about it then play dumb.
"Hey, selling your kids into sex-slavery generates money. Do you not like money? I don't get it..."
This joke of a man is just ridiculous...
Gotta love the biggest E2 fanboy going "They are just toxic people", the fuck you talking about? THEY PAID FOR THAT GAME, and didn't get it, instead see it being sold to some highly questionable guy and that's it. Gee you think they are angry? These fanboys, gods I really hope it's a massive scam and them losing out so much money, perhaps then they wake up.
And they won’t even be refunded
The dream world devs are gonna eventually put out like a proper and amazing game, meanwhile the earth 2 devs are gonna be like "Hey, buy the washington monument for $4 please"
I completely disagree with dreamworld. That game was built on lies and the foundation is broken. It has zero direction or reason to play other than to see the famous dreamworld rehabilitation story. Chronicles of elyria had a far more specific plan in mind despite being a scam. It’s great that dream world is trying to make their game playable, but let's not confuse playable with anything close to fun or desirable. That being said, at least dreamworld is playable.
combining the use of copium and hopium can have unexpected results.
Alright cool, I'll buy it.
Hey wait, why am I being charged $4,000!? XD
@@Bznsin Niiice
Callum & Kira Earth2 videos on the same evening. What a great friday🤘🏼
Sleigh bells ring Arya listening 🎶
As a webdev I agree that this is trivial to fix. We do sanitisation of user inputs as a reflex, although it's usually handled by the library you use. Honestly it's almost impressive for them to have this kind of bug.
Holy crap. Drone looks so damn cool and right up my alley and I never knew about it - I can't decide if I'm disappointed about it or not. A shame I can't (refuse) to play it, but it would equally suck to enjoy something and have it pulled away by this scam company.
Yeah I was thinking the same. I want to try it, but it's too late now. Lol
Yeah, I’m so glad I didn’t buy it when I heard about it a while ago, you might like terratech or from the depths, not the same but they both have a building system and enfolding
Drone got promoted a lot years ago by youtubers looking for somewhere to go after Robocraft went to shit, but it never lived up to its promises. And now the worst possible company has bought them out. The very niche genre of "multiplayer block-based vehicular arena combat" is never going to see the heights it did during old Robocraft I guess. It's a graveyard of failed projects at this point.
(yes, FTD and Terratech are also block-based vehicle combat games, but they don't have the same arena combat or competitive multiplayer that RC or Drone did so they aren't a perfect replacement)
@@sarrakitty to me RC failed when they scrapped the proper ranked battles. Up to that point I could stomach the changes they made, but that was the last nail.
@@sarrakitty The craziest thing about Robocraft is that people still played and loved the game. Even after the updates stopped coming, it still has people who loved the game so much that some of them are bringing back robocraft 2015! Too bad drone won't have the same fate, it doomed itself the moment they were sold to E2.
I feel like Shane will end up with a lot of lawsuits, this "game" just gets worse and worse
Validating user input is one of the most basic things.
This is a typical thing with the generation of copy-paste IT'ers.
This whole situation is absolutely wild. The most disgusting part is that someone with that big of a project was stupid enough to work with the known scammers that are Earth2 and its staff.
Don't forget Tanner Rozankovic. He's the one with the worst background, imho.
It wasn't stupidity, it was greed
Tanner is no longer a part of the E2 team...
@@ttmventures mind if I ask for proof?
@@kutayumutdincer4272 Sure, give me an e-mail and I'll send you a screenshot of Shane updating the community regarding Tanner
I laughed so hard at the "Welcome to earth 1" twitter... That was amazing! 😂
This is amazing that they did this. My fear has always been that E2 would crash and burn, but the failure would be blamed on the UA-cam creators that exposed it. This video shows that their entire team is made up of AWFUL DEVS, and even poorer businessmen. They wouldn’t be making these decisions if they had any talent whatsoever.👏👏👏👏
You'd think with all the money they made, they'd hire someone better
If people haven't figured out to stay away from Earth 2 at this point, anything that happens to them or their assets is on them.
"Just add quotation marks around the text." Yeah, no, but given how naive this implementation looks (I don't want an account to actually verify this), don't you think you could just escape by adding a quotation mark to your input text? But more interesting: Can this be used to inject HTML code for *other* people viewing your profile? Because then it gets really nasty.
Yes. You could do anything. They are VERY lucky a bad actor has not abused this. (probably has)
The code that will modify the text people type in forms before outputting to add quotation marks around it will also replace actual quotation marks typed into that form with &quot; which will display a " in your browser without having the ability to close the quotation marks and escape.
And yes, it works on literally everybody. Their browser will run whatever code you put into that form if they view your profile; your browser assumes everything it sees is code and runs it as such unless it's specifically told "This isn't code, don't run this" (i.e. by containing it in quotation marks), so you could potentially do all sorts of nefarious things to people by exploiting that.
As a primarily C# developer, I was under the impression that most modern languages and libraries strip potential XSS input by default.
Either I'm wrong about that or the devs are even using their drag and drop tools incorrectly.
EDIT: I should clarify. C# libraries such as Web API will throw an error if a user attempts to pass in potentially malicious xss input. It won't necessarily escape it automatically.
Nope. You have to sanitize your inputs yourself. By default they are simply raw inputs. Back in the day sites used to do injection type things themselves, back when the net was the wild west.
They do, at least Vue and React both escape input unless they are marked as "v-html" or the React equivalent of it
@@drew21t Every API worth its salt does this for you. You shouldn't be reinventing the wheel when writing inputs. It's not a hello world static website. And what do you mean "back in the day sites used to do injection type things themselves"??? Literally word soup that means nothing so you can pretend like you know what you're talking about.
Not by default, no. But most include simple reusable built-in functions for encoding input strings correctly. Speaking as a WebAPI developer myself, please don't rely on it to throw an error without you manually sanitising the inputs yourself. What you're relying on there is actually IIS spotting something malicious in the request. It's bad practice to rely on vendor defaults, and that approach wouldn't fly in any kind of PCI-DSS compliant workplace, for example.
Earth 2 is going downhill faster than ever right now, nice video Callum!
Sucks that the Drone devs got f***ed like that.
When earth2 was announced I did like 5 min of research on their team names, all were like investors and people who deal with money, I understood immediately it was a scam
If it's in for more than a month, that's a feature. Excited to find out what it is. If they hid the game breaking exploit for 7 months it probably benefited them.
It's the rug pull
Tanner is that guy you knew in high school that definitely has a girlfriend, that goes to another school, and no he can't tell you her name.
Ahhh nice! The </script> directive ends the script before the page has fully rendered and so bricks the account. Very nice find.
How does that brick the account
@@williamdrum9899 by not allowing the account page to fully render.
Probably the most code that has been written in Earth2 in months.
That has to be one of the final nails Callum jesus man you're my knight with a white keyboard. Keep up the good fight. A lot of people are at risk on Earth 2. Thank you for highlighting it man.
The Virgin Earth 2 and Chad Dreamworld
Can I make it so that if someone tries to buy a tile, it redirects them to a playlist of all your videos talking about how Earth 2 is a massive scam?
Actually, you can't fix the bug by adding quotation marks. This is a common mistake programmers make, yet it does not prevent html insertion. And the fact that they tried to fix it by filtering for tags shows how shitty their programmers are.
There are built-in functions in the programming languages I am aware of, which are the one and only way to prevent html insertion (and there are other functions for SQL insertion).
I seriously don't understand what the designers of HTML and SQL were thinking. How was it so easy to run arbitrary code in the first place? To be fair I've never used either language much but you'd think it would be a bit harder than just the end user typing code into a text box. (This is probably like asking C/C++ devs "Why do you keep having buffer overflows" so forgive me if it is)
@@williamdrum9899 It is not HTML or SQL as languages. The problem is the web framework used that passes essentially all manually given text to the server and/or the database. "Escaping" helps but that needs specific functions for that purpose rather than parsing the string by yourself.
@@Gnipahell1r I'm not sure I understand why the default behavior would be to run the text as code though.
Thanks for this video. Nice to have some light shown on the real situations!
I was stoked by DRONE since 2016 because robocraft is dying. Came to play it in 2019/2020. It has many cool features I knew from robocraft, also a map creator. The control was hard and the balance is kinda non existent but it's what I expect from an early access.
Was hoping to get into it when it's more polished. Turns out it's dead on arrival...
It somehow ended up in a worse situation than robocraft.
- "You can run HTML, Javascript, SQL in that box"
- proceed to talk only about javascript and html
Dude, an SQL injection is way worse than "breaking" the front end. Because you can obtain all the data of the database, change it or delete the entire database regardless of how many front ends exist. You brick the entire server for everyone.
If they can't secure their front end from such a trivial error, do you think they can secure their backend? I would not be surprised if there was a way to do sql injection on their server.
He is aware, but it takes one dude with a bit of knowledge and you got more than a non-functioning website. I think he doesn't want to be responsible for it.
But tbh someone should fuck them up for exploiting their own system, at least i would love to see their discord after someone fucked up their system.
Callum can't do it as a content creator, but one random dude on the internet can do it without getting "detected"
Yeah I know haha, I don't want to go into details on currently active issues until they've had a chance to check specifics
It's the keys to the site essentially.
To be honest, as much as I want to see the end of E2, at the same time they shouldn't be made into martyrs. But yeah, I'm sure if shit starts to hit the fan, Shane is not against making the whole site die and then blaming bad actors.
"I'll just show you this very quickly..." *The Matrix Resurgence ad loads*
If it's a wordpress site, you can change most things in like a theme template. They 100% have the ability. Now, know-how is a different story. (speaking as a professional WP theme developer)
Can hardly call it a game breaking exploit when it's not even a game
A wordpress breaking exploit then?
My thoughts exactly. The title's misleading lol.
@@The_Red_Scare I mean... the truth is more baffling than the clickbait, he said "game breaking", but it's about people's economy...
lol (?)
I'd just like to point out, I'm a mechanic by trade, never once worked in tech and even I know how to fix this bug properly.
I was about to say I can't believe E2 would forget to sanitise user inputs but I absolutely can believe it.
“Glad to be of service welcome to earth 1”
Good gold I hit the ground that’s godly
Sanitizing inputs is something I was taught in my high school intro to programming class
Is this the fyre festival of the meta verse?
But the real question is: Can you run Doom on the profile?
Ooooooooooooooooo snap!
No way just noticed your tiles are in Cannock, that's where i'm from XD
Small world, keep up the good content!
I have to pay the BBC nearly 200 quid a year, yet they haven't managed to come up with something this entertaining and gripping in nearly thirty years.
At the same time I can't wait for this story to reach its conclusion, I don't want it to end. 😂
Black Books is pretty great
'You like money?' Arya what the hell maaan it's all falling apart
"you don't like money" is earth 2's version of "don't you guys have phones?"
Leave it to scammers to have a game-breaking bug before you even have a game
Wow this is a big security issue, imagine using a delete table command in SQL you would have screwed up the database and they would need to restore from backup
drop table land
This happens, when you manage stuff in the frontend, that normally belongs to the backend...
Imagine being so incompetent that you have game-breaking exploits when you don't even have a game.
Rat and ransomware droppers incoming. Dude's so next level, that he's reached quantum superposition.
Arya "The Lolcow" Realty doesn't understand. Color me surprised.
Quotation marks or even a regex replace. (I typed example pseudocode but UA-cam is smart enough to ban the comment just for having what Josh calls 'pointy brackets')
THKS ...EPIC ... big props from Portugal
Love from Canada, Callum. Keep calling out all of the bullshit! Regardless of it being Earth 2 related or not.
Shocking they have this... but please don't make out you fix cross site with "just adding a quote". You don't fix it like that at all, and if you did, you can STILL exploit it very easily. You fix it with something like input filtering / output encoding / headers etc.
Also, that isn't the database you're seeing. It's most likely a JSON object returned from their api / controllers. I appreciate you're explaining for those who may not know, but don't give out false info when doing so, as it just confuses the matter more (and to a lesser extent, gives you less credit with those who do know about it technically).
How is it 2021 and people still aren't sanitizing input fields?
I wonder if Nathaniel can even take them up to court. Like, there's probably some contract that makes him unable to. .-.
He probably violated his NDA when he said that E2 was in control of Drone right after he left the team (before the announcements,) so I'd imagine E2 could take him to court, at least.
@@threecreepio 😬
Looks like Earth 2 expanded on New World's chat tricks.
I call it being cutting edge in terms of innovative features!
Isn't that the "Core Aegis"-thingy from the scammer boy in the top right corner of the profile page at 18:37 ?
Yes haha, that's my land's flag ;)
Gotta love your tiles on a grid! 🤣
Callum really do be the best comedy gold miner I know ⛏
Preventing JavaScript injection via input box is like the bare bones minimum when developing websites.
Holy shit those were some turns I genuinely didn't see coming lmao
Cross-site scripting: my first big Java project had me learn that only with PreparedStatements should ANYTHING be posted to a database. Anything retrieved from a database can just be gotten with a Statement. IDK if Earth 2 is using Java or what for their back-end but that's literally all that's needed (that or abstract that issue away with something like Hibernate)
Prepared statements prevent SQL injection, not XSS, since prepared statements define the datatype of the variable fed into the database and a string is a string to the db, whether it is a script or a simple sentence. To prevent XSS you would have to escape special chars. It is some time since I last used Java, but the command escapeHtml() should do the job to escape JavaScript and HTML.
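This added example (JavaScript, not code from the video or from any commenter) shows the point made further up the thread about quotation marks versus the built-in escaping functions, and the escapeHtml() point in the reply above: wrapping user text in quotes leaves tag and attribute boundaries intact, while entity-encoding the five HTML metacharacters renders a typed " as text. It also covers the inline-script case mentioned earlier (a </script> inside user text), where even a JSON-encoded string needs its < hidden. All sample inputs are constructed, and escapeHtml, toJsStringLiteral and compareProtections are names chosen here, not Earth 2's code.

```javascript
// Added example, not code from the video or from any commenter: why putting
// quotation marks around user text does not stop HTML/script injection, and
// what the built-in "escape HTML" functions the thread mentions actually do.
// Plain Node.js, no browser needed.

// The "fix" described in the video: wrap the text in quotes.
function wrapInQuotes(userInput) {
  return `"${userInput}"`;
}

// Entity-encode the five characters the HTML parser gives meaning to. The
// browser then renders them as text, so a typed " shows up as " on screen
// but can never close an attribute, and < can never open a tag.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(userInput) {
  return String(userInput).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Inverse of escapeHtml, used here only to show the encoding is lossless.
const HTML_UNESCAPES = Object.fromEntries(
  Object.entries(HTML_ESCAPES).map(([ch, entity]) => [entity, ch]),
);
function unescapeHtml(encoded) {
  return encoded.replace(/&(?:amp|lt|gt|quot|#39);/g, (entity) => HTML_UNESCAPES[entity]);
}

// A string literal inside an inline <script> is a different context: the
// HTML parser ends the script at the first "</script>" it sees, even inside
// a JS string. JSON.stringify handles quotes and backslashes; the extra
// replace hides the "<" so the closing tag can never be formed.
function toJsStringLiteral(userInput) {
  return JSON.stringify(String(userInput)).replace(/</g, '\\u003c');
}

// Does the protected text still carry characters that act as markup
// boundaries in a text node (< >) or a double-quoted attribute value (")?
function markupRisk(protectedText) {
  return { tags: /[<>]/.test(protectedText), attrBreakout: /"/.test(protectedText) };
}

// Render a profile bio into both a text node and an attribute, the way a
// profile page template might, using whichever "protection" is supplied.
function renderBio(bio, protect) {
  const safe = protect(bio);
  return `<p class="bio" title="${safe}">${safe}</p>`;
}

// Constructed sample inputs modelled on what the thread describes.
const SAMPLES = {
  benign: 'Tiles in Cannock & "Earth 1"',
  closeScript: 'bye</script><script>alert(1)</script>',
  closeAttribute: '" onmouseover="alert(1)',
};

// Compare both approaches on every sample. Quote-wrapping never removes a
// single metacharacter (and adds two of its own); entity-encoding removes
// them all and still round-trips to the exact text the user typed.
function compareProtections() {
  const report = {};
  for (const [name, input] of Object.entries(SAMPLES)) {
    report[name] = {
      quotes: markupRisk(wrapInQuotes(input)),
      escaped: markupRisk(escapeHtml(input)),
      escapedRoundTrips: unescapeHtml(escapeHtml(input)) === input,
    };
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderBio(SAMPLES.closeAttribute, wrapInQuotes)); // breaks out of title=""
  console.log(renderBio(SAMPLES.closeAttribute, escapeHtml));   // inert text
  console.log(compareProtections());
}
```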
I feel really bad for all the people that are about to get the rug pulled from under them.
But Wait! It gets worse. Call now ...
Cross Site, not Cross Server ;)
On a more serious note, in case they manage to fix it for unicode as well, there's a couple more ways you can have the db decode the string itself, pretty sure you know them already.
I once did a PoC where i self injected a script via browser plugin on my online banking site and was easily able to completely separate the data on the ui side. From the crash JSON there are multiple Payment Service Provider APIs referenced, no idea how they are handled and implemented, but ... yeah. If they still refuse to properly fix their stuff, PSPs can get very passive aggressive.
Imagine creating one of the allegedly biggest projects with a novelty technology (NFT) and using fucking wordpress for the website...
I mean it's fine if it's programmed well but clearly it was not
The best idea would be to use it to send the current user's cookies to the exploiter's server, why brick or list things for sale when you can just simply log into their account directly and do as you wish
Tanner got fired, he wasn't playing a big part shane said, he was still in the test phase haha
How will those clowns convert the drone map into a replica of earth 1 to 1?
I feel for the Drone community, why did Nathaniel even sell his baby to those crooks?
The more E2 falls apart the deeper in denial their "players" go.
If those tiles are Cannock Staffordshire I probably live in the neighbouring tiles 😂 haha
The git who banned you might have been the one who was using exploits...it's a little suspicious when you think on it a little.
One thing worth noting with XSS bugs is that they can be exploited not only to exploit Earth2 marketplace, but much more importantly, they can be used to steal authentication tokens and cookies for other services, like facebook, google and your internet banking.
Remember all of those sites where you don't have to login? You just go on that site and you are already logged on? That happens because your browser carries a special kind of cookie that authorizes you to be logged in on that site under your profile (notice that when you clear cookies, this cookie gets deleted and you have to login on those sites again). This bug you talk about here can be exploited to steal these cookies and it can be exploited to commit identity theft. Something much, much worse than abusing some silly earth2 marketplace.
Alright, how long until we see the first people who will program the game doom in there?
I'm tempted to make an account just for the fun of breaking the site, but I don't care enough to take the time...
While the bug wasn't well known: Oh yeah we've known about this for a while
While it's public: well this is news to us! We never knew!
Pretty much... pathetic.
This is like watching a train crash in slow motion. It's strangely entertaining and I really dislike train crashes as my profession is a train driver lol