PDA

View Full Version : Ubisoft Uplay exploit



ProletariatPleb
07-30-2012, 12:06 PM
Plenty of articles covering it now it seems. Basically, a rootkit.

Original Report:
http://news.ycombinator.com/item?id=4311264


Articles:

http://www.dsogaming.com/news/ubisofts-uplay-drm-installs-a-web-browser-plug-in-that-can-be-exploited/
http://www.xboxgamezone.co.uk/2012/07/30/possible-security-flaw-found-in-ubisofts-uplay-pc-service/

GLHS
07-30-2012, 12:11 PM
Plenty of articles covering it now it seems.

Original Report:
http://news.ycombinator.com/item?id=4311264


Articles:

http://www.dsogaming.com/news/ubisofts-uplay-drm-installs-a-web-browser-plug-in-that-can-be-exploited/
http://www.xboxgamezone.co.uk/2012/07/30/possible-security-flaw-found-in-ubisofts-uplay-pc-service/

Well I only play on my PS3 anyway, so I'm safe regardless. This is pretty scary for PC users though.

TheHumanTowel
07-30-2012, 12:19 PM
Woah that's a very big problem. The Ubisoft vs PC players war rages on. How could something like that even get in there? Was it only recently added or has it always been there?

SixKeys
07-30-2012, 01:20 PM
Thanks a lot for the info, I disabled it. This is outrageous. Ubi needs to fix this ASAP and inform PC users officially. How about a sticky thread, forum mods?

pacmanate
07-30-2012, 01:24 PM
OOooo that's not good. But Ubisoft didn't do it on purpose.

YRTEP
07-30-2012, 02:38 PM
Ooh, bad news. :nonchalance:

Ubisoft needs to fix that immediately and give an official statement! :mad:

AnthonyA85
07-30-2012, 02:45 PM
This is news to me, i've never noticed any browser plugins on my pc, i'll have to look through it and disable/delete them.

They must have slipped it in along with the Uplay client update they released last week.

ProletariatPleb
07-30-2012, 02:53 PM
This is news to me, i've never noticed any browser plugins on my pc, i'll have to look through it and disable/delete them.

They must have slipped it in along with the Uplay client update they released last week.
Yeah.

D.I.D.
07-30-2012, 03:53 PM
OOooo that's not good. But Ubisoft didn't do it on purpose.

People have a right to be just as angry as if they had done it deliberately, just as PS users were furious with Sony for their poorly implemented security. I can't think of a good reason for UPlay to have needed to install plugins in my browsers in any case, and arguably UPlay shouldn't even exist.

reddragonhrcro
07-30-2012, 04:07 PM
Oh shi... i have Conviction on PC!

rileypoole1234
07-30-2012, 04:07 PM
Wow. That's definitely interesting.

ProletariatPleb
07-30-2012, 04:21 PM
Oh shi... i have Conviction on PC!
All you have to do is disable their browser plugin.

Turul.
07-30-2012, 04:29 PM
cant figure out how to disable. on google chrome. please help!

D.I.D.
07-30-2012, 04:30 PM
The supposed necessity of these systems is just wrong anyway.

In the last six months, I've bought Driver: San Francisco (excellent game by the way, sorely underrated), Prince of Persia, Prince of Persia: Forgotten Sands and Splinter Cell: Conviction. I've been buying Ubisoft's games for about a decade before that.

If I wanted to get them for free, I could do so in seconds. UPlay isn't stopping me from doing that; my willingness to pay for the games is.

Rather like the unskippable law enforcement warnings on commercial Blu-Ray films, Ubisoft is throwing inconveniences in my way which are intended for pirates but the pirates will never see them. A pirate is never going to get thrown out of their game mid-firefight in SC: Conviction because of some flicker in their wifi connection, or find themselves unable to play their games because Ubisoft's servers are down.

They're actually creating demand for piracy. Every time one of these incidents occurs, a customer somewhere says "screw it" and heads for The Bay.

ProletariatPleb
07-30-2012, 04:31 PM
cant figure out how to disable. on google chrome. please help!
Type "about: plugins" (without the quotes and without the space between : and plugins) in your browser, scroll to the very bottom and look for a plugin called "Uplay PC" and click disable.

BTOG46
07-30-2012, 04:56 PM
' uPlay update 2.0.4: 'Fix addressing browser plugin. Plugin now only able to open uPlay application.'

D.I.D.
07-30-2012, 05:08 PM
' uPlay update 2.0.4: 'Fix addressing browser plugin. Plugin now only able to open uPlay application.'

I don't recall being asked for my permission to install these plugins. Am I wrong? Perhaps I clicked through something due to installation auto-pilot.

What has now been changed which makes the plugins trustworthy?

HaSoOoN-MHD
07-30-2012, 05:17 PM
You know, when you treat your PC fanbase REALLY bad, then have a backdoor that controls their computers, I think you kinda are doing it wrong, Ubisoft.
So, this is fixed? or not yet?

D.I.D.
07-30-2012, 05:21 PM
You know, when you treat your PC fanbase REALLY bad, then have a backdoor that controls their computers, I think you kinda are doing it wrong, Ubisoft.
So, this is fixed? or not yet?

It seems that now we're supposed to consider the problem "fixed" because only Ubisoft can use this backdoor to bring absolutely any usage data (or, conceivably, remotely trigger any action they wish) from our computers, while we will have no idea what they did.

We paid for the software, Ubisoft. This is not stopping piracy.

Mr_Shade
07-30-2012, 06:58 PM
http://forums.ubi.com/showthread.php/699940-Uplay-PC-Patch-2-0-4-Security-fix

Official statement and thread about the issue.

kudos17
07-30-2012, 10:08 PM
Ubi is REALLY not doing themselves any favors in the views of PC gamers with this incident.

I mean, wow... a program that installs a plug-in WITHOUT ANY NOTICE TO THE USER, which in turn is apparently exploitable.

This is really, really not good Ubi. Lucky for me I don't own any of the affected series on the PC. Glad it seems relatively fixed for those who do.

MT4K
07-30-2012, 10:35 PM
If people are still worried about this even with the latest patch fixing the issue. They can probably just keep the plugins disabled. I'm not sure what they are meant to be for, but i doubt it will stop anybody from playing any of their games by having them disabled :P.

SixKeys
07-31-2012, 01:19 AM
http://forums.ubi.com/showthread.php/699940-Uplay-PC-Patch-2-0-4-Security-fix

Official statement and thread about the issue.

Thanks for the update Mr_Shade, much appreciated.

D.I.D.
07-31-2012, 02:04 AM
http://forums.ubi.com/showthread.php/699940-Uplay-PC-Patch-2-0-4-Security-fix

Official statement and thread about the issue.

With no apology, or ability to reply.

It'd be nice if they said "sorry". I also don't see why a silent install which allows those kinds of behaviours is any different from a rootkit.

Ubisoft make great games, and (aside from the occasional downed MP server, which every company faces) I can't recall a single complaint about the company which didn't relate to some aspect of its awful DRM. I understand that investors want to believe the property is being protected as well as possible, but this one issue has damaged the brand severely so many times.

We don't know how much money was spent to implement UPlay, and nobody will ever know how much it's cost the company in lost sales, but if there has to be online DRM why not pay Valve to use Steam for PC disc sales and download sales? Valve's own games require it for physical formats too, and of course it's had its problems in the past in the games press, but the vast majority of customers always forgave those issues. I think that's partly because people trust Valve to an unusual degree, but also because Steam actually has some benefits for the consumer. Ubisoft will never be able to achieve that forgiveness by itself because UPlay does nothing useful for the buyer.