Page MenuHomeFeedback Tracker
Create Task
Maniphest T82227

Potential security exploit with new steam workshop implementation and extensions!
Assigned, WishlistPublic
Actions

Description

Ok, so basically it is possible to include extensions with addons in the workshop now. Extensions being a potential risk is nothing new. The fact that addons are automatically updated and the fact that users are not warned about extensions incuded in the addon are new. I do not think that support for extensions should be removed. I think users should have fair warning about their inclusion.

My proposed solution would be that there is a forced warning banner on the steam workshop page with a disclaimer. There also shouldn't be automatic updates for addons with extensions. There should be a prompt when those addons have updates. There should also be warnings when addons that previously didnt have extensions, add extensions.

There is the potential for someone to make a decent addon, then when it gets popular, add a malicious extension with hardly anybody noticing.

Details

Legacy ID
2390836340
Severity
None
Resolution
Open
Reproducibility
Always
Category
Steam Workshop
Steps To Reproduce

I uploaded my own mod with an extension, worked flawlessly with no warning of any sort.

Additional Information

I'm keeping this private as it is an exploit.

Event Timeline

Benargee edited Steps To Reproduce. (Show Details)Apr 21 2015, 9:20 PM
Benargee edited Additional Information. (Show Details)
Benargee set Category to Steam Workshop.
Benargee set Reproducibility to Always.
Benargee set Severity to None.
Benargee set Resolution to Open.
Benargee set Legacy ID to 2390836340.May 8 2016, 11:58 AM
Benargee edited a custom field.
BISWizard added a comment.Apr 22 2015, 9:17 AM

Hello,
we know about the issue and we're working on a solution.

© Bohemia Interactive a.s. Bohemia Interactive® is a registered trademark of Bohemia Interactive a.s. All rights reserved. · Privacy Policy · Terms and Conditions