Tukui » ElvUI » General Discussion » local devAlts = {
  1. offline
    Member

    Posted 1 year ago - #1

    http://i.imgur.com/WYVJplW.jpg
    http://www.reddit.com/r/wow/comments/2jhlzv/psa_elvui_has_a_backdoor_and_how_to_remove_it/

    There's a thread hitting reddit right now about a possible backdoor, it's probably nothing like that, but it might escalate a bit too quickly.



  2. Challenger Tholur
    offline
    Member

    Posted 1 year ago - #2

    Good question...

    Clearly this is just a passing Shit Storm.
    Sure the code shouldn't have been there at first, but that is what Elv found he needed to make the UI then so be it, it has to our knowledge only been used for debugging, and is now getting removed from the release versions.

    Don't see there is any more to be complaining about, Elv did what I wanted him to, explain it and remove it.

  3. Challenger gorthezar
    offline
    Member

    Posted 1 year ago - #3

    Would really like to see someone respond to this. I love my UI but I enjoy my account being safe more.

  4. Hero Elv
    offline
    Overlord

    Posted 1 year ago - #4

    It is used as a development tool. Example: patch day I need to update everyone in raids ElvUI or get debug information from a user. As you can see in the code it clearly outputs in chat what is going on.

  5. Hero Elv
    offline
    Overlord

    Posted 1 year ago - #5

    7.08 no longer contains this code anymore. I'll use a standalone addon for testing with guildies. Let me put people's minds at ease. If you update to 7.08 it won't be possible for this to happen.

    Here is the code removed:
    http://www.tukui.org/git/?a=commitdiff&p=ElvUI&h=e110c3bb036c8d11c3ca5335348f11ad122dc11a

  6. Challenger backdoor
    offline
    Member

    Posted 1 year ago - #6

    So after you force my character to run GuildDisband() (not a protected function, btw), there's a little line in chat that tells me you did it. That makes me feel better.

    Not to mention the backdoor can also be used to make my character say things without my consent, providing you the ability to get me banned for racist spam, etc.

    This is wide open and your personal intentions don't matter. I don't know you and I can't trust you.

  7. offline
    Donor

    Posted 1 year ago - #7

    Hi,

    Elv, if I were you I would post an official statement and link it in all major forums (mmo,icy,official) - else you are going to start losing users at a big rate, and that would be a shame since your work over the years has been nothing short of amazing for many of us.

    Here is the link to the mmo post:
    http://www.mmo-champion.com/threads/1611555-PSA-ElvUI-Users-quot-ElvUI-has-a-backdoor-and-how-to-remove-it-quot?p=30069536#post30069536

    Again, please consider publishing something, and remember that at this point this is becoming a herd of frightened sheep, not individual people. Might even have to consider removing this and apologizing for not mentioning this earlier.

    Jack.

  8. Gladiator Darth Predator
    online
    Moderator

    Posted 1 year ago - #8

    As I said in chat:

    some shitheaded "coder" saw something and even didn't bother to understand how it works.

    But bothered to start a shitstorm and misguide people.
    Good work, mon.

    Shadow & Light | ‹Elv›: I just utilized my degree in afro engineering and fixed it
    Fan of maids and "sick freak"™
    ‹Darth Predator›: so don't even dare to think you are crazier than me
  9. Challenger backdoor
    offline
    Member

    Posted 1 year ago - #9

    It allows 3 characters to force my character to run any script or to say anything. That's a fact. Please let me know where the misunderstanding is.

  10. Hero Hydra
    offline
    Overlord

    Posted 1 year ago - #10

    As far as I've ever known, he's only done silly things through it with friends or people that know him (or know he'll be doing it), such as affinitii/guildies/etc.

    Elv isn't a shithead. Has he done anything to you? Or are you just jumping on a bandwagon for a little dramatic fun.

    I don't suffer from insanity, I enjoy it.
  11. Challenger backdoor
    offline
    Member

    Posted 1 year ago - #11

    Hydra said:
    As far as I've ever known, he's only done silly things through it with friends or people that know him (or know he'll be doing it), such as affinitii/guildies/etc.

    Elv isn't a shithead. Has he done anything to you? Or are you just jumping on a bandwagon for a little dramatic fun.

    I already explained why his intentions don't matter. It may not be a big deal to you guys who are Elv's friends, but to the general public, it is.
    It was discovered because Elv was fucking around in an LFR with it.

  12. offline
    Member

    Posted 1 year ago - #12

    Just out of curiosity, how long had the code been in the core.lua? Why did people wait this long to find out about it and freak out?

  13. Challenger Vaiur
    offline
    Member

    Posted 1 year ago - #13

    Don't care what he's done in the past, but I do care about what he's done to every ElvUI user.

    "Has he done anything to you?"

    Yes, he has. He's opened all of his users to POTENTIAL abuse through an addon the general populace trusted to be safe. Whether or not any abuse was to come from it is irrelevant; the option to abuse it was a very real and present risk.

    It's a sad day, really. I loved ElvUI, and you might think I'm overreacting, but I'm very vested in the safety of my account. This is a potential compromise and I won't have any of it.

  14. offline
    Moderator

    Posted 1 year ago - #14

    Vaiur said:
    Don't care what he's done in the past, but I do care about what he's done to every ElvUI user.

    Yes, he has. He's opened all of his users to POTENTIAL abuse through an addon the general populace trusted to be safe. Whether or not any abuse was to come from it is irrelevant; the option to abuse it was a very real and present risk.

    It's a sad day, really. I loved ElvUI, and you might think I'm overreacting, but I'm very vested in the safety of my account. This is a potential compromise and I won't have any of it.

    This POTENTIAL abuse is present in many different addons.

  15. Challenger TotalHamman
    offline
    Member

    Posted 1 year ago - #15

    The code has been there since at least late Cata. That is when I first discovered it and realized that the worst that could happen was silly chat pranks as Elv has never shown any indication of desiring to do anything else.

    Additionally if you think this code would ever have any chance of compromising an account, you really do not understand the limitations of Lua and how account security works to begin with.

    Current Main Toon - TehMonk
  16. Rival Alex
    offline
    VIP

    Posted 1 year ago - #16

    Drama for nothing, Elv is an honest person.

  17. Hero Hydra
    offline
    Overlord

    Posted 1 year ago - #17

    Vaiur said:
    Don't care what he's done in the past, but I do care about what he's done to every ElvUI user.

    Yes, he has. He's opened all of his users to POTENTIAL abuse through an addon the general populace trusted to be safe. Whether or not any abuse was to come from it is irrelevant; the option to abuse it was a very real and present risk.

    It's a sad day, really. I loved ElvUI, and you might think I'm overreacting, but I'm very vested in the safety of my account. This is a potential compromise and I won't have any of it.
    My question was:
    Has he done anything to you? Or are you just jumping on a bandwagon for a little dramatic fun.

    Given your answer, you fall under the second category. Account security? Seriously? People think he has access to your damn bank accounts or something now.

    SendAddOnMessage is very limited in a lot of ways, he can't just pick someone to fuck with, and do so. It doesn't work that way. On top of that, there's not a single thing he could do through it to compromise your account or its safety. Nothing at all. Another concern I've seen come up a lot is that he could "make you disband your guild", which is also false, given there's a popup prompt.

    Having concerns and questions is fine. Jumping down his throat for something that 95% of the people that I've seen talking about it don't seem to understand, is not. Wild accusations. If you're so upset with him over it, move along. We don't need your drama here over something that has existed for years now. Yes, years. And now something pops up on Reddit with no proof of anything actually happening and it's a witch hunt.
    I don't suffer from insanity, I enjoy it.
  18. offline
    Member

    Posted 1 year ago - #18

    Hydra said:

    Vaiur said:
    Don't care what he's done in the past, but I do care about what he's done to every ElvUI user.

    Yes, he has. He's opened all of his users to POTENTIAL abuse through an addon the general populace trusted to be safe. Whether or not any abuse was to come from it is irrelevant; the option to abuse it was a very real and present risk.

    It's a sad day, really. I loved ElvUI, and you might think I'm overreacting, but I'm very vested in the safety of my account. This is a potential compromise and I won't have any of it.

    My question was:
    Has he done anything to you? Or are you just jumping on a bandwagon for a little dramatic fun.

    Given your answer, you fall under the second category. Account security? Seriously? People think he has access to your damn bank accounts or something now.

    SendAddOnMessage is very limited in a lot of ways, he can't just pick someone to fuck with, and do so. It doesn't work that way. On top of that, there's not a single thing he could do through it to compromise your account or its safety. Nothing at all. Another concern I've seen come up a lot is that he could "make you disband your guild", which is also false, given there's a popup prompt.

    Having concerns and questions is fine. Jumping down his throat for something that 95% of the people that I've seen talking about it don't seem to understand, is not. Wild accusations. If you're so upset with him over it, move along. We don't need your drama here over something that has existed for years now. Yes, years. And now something pops up on Reddit with no proof of anything actually happening and it's a witch hunt.

    It's just drama for drama's sake. This was basically the equivalent to being able to send custom text timers to people's DBMs, which you can still do. This piece of code was never an issue or cause for concern.

  19. offline
    Premium

    Posted 1 year ago - #19

    Whatever. I'm done.

  20. Gladiator Dandruff
    offline
    VIP

    Posted 1 year ago - #20

    I don't actually see a way of exploiting this, save hacking Elv's account. If that was the case (Elv got hacked), this would be a bad day indeed...

    ~Advocate for Javascript in signatures
    21:23:42 ‹Sgt› its better when people torture themselves lol
    21:24:20 ‹Sgt› thinking about it, that's probably the most fucked up thing i've posted on this chat since tukz added it
  21. Gladiator Dandruff
    offline
    VIP

    Posted 1 year ago - #21

    eaze said:

    Trying to argue that it isn't a big deal, no malicious intent, etc, doesn't work. It doesn't matter. This should never have hit public, but once it did, you need to own it and take responsibility, not attack the people who called you out on it.

    EVERY security disclosure NEEDS to come with a PoC (proof of concept) exploit. I don't know of any.... I have looked and tried. This is not a RISK, UNLESS Elv's account ever got compromised.

    ~Advocate for Javascript in signatures
    21:23:42 ‹Sgt› its better when people torture themselves lol
    21:24:20 ‹Sgt› thinking about it, that's probably the most fucked up thing i've posted on this chat since tukz added it
  22. offline
    Moderator

    Posted 1 year ago - #22

    eaze said:
    The fact that admins and moderators here do not understand why this is a problem almost concerns me more than the fact that Elv put this in to begin with.

    Leaving backdoors in software distributed to the public is completely unacceptable, and in many places illegal. When such a thing is discovered, the ONLY reasonable thing to do is to 1) get rid of it and 2) start damage mitigation in public.

    Trying to argue that it isn't a big deal, no malicious intent, etc, doesn't work. It doesn't matter. This should never have hit public, but once it did, you need to own it and take responsibility, not attack the people who called you out on it.

    This will be the end of my subscription to TukUI, more so because of the reactions of the staff here than Elv's backdoor in itself.

    Windows has a backdoor in it yet no one bats an eye. However everyone on Reddit loses their minds.

  23. offline
    Premium

    Posted 1 year ago - #23

    Isn't DBM/BigWigs pull timer a backdoor too? (sends command to another user with the same addon)

  24. Hero Hydra
    offline
    Overlord

    Posted 1 year ago - #24

    eaze said:
    Trying to argue that it isn't a big deal, no malicious intent, etc, doesn't work. It doesn't matter. This should never have hit public, but once it did, you need to own it and take responsibility, not attack the people who called you out on it.

    It was already addressed and handled.

    I don't suffer from insanity, I enjoy it.
  25. Gladiator Dandruff
    offline
    VIP

    Posted 1 year ago - #25

    Spelorzi said:
    Isn't DBM/BigWigs pull timer a backdoor too? (sends command to another user with the same addon)

    Maybe... but this makes me feel like I should start examining ALL addons and pointing out their use of loadstring and addon messages.... If someone wrote an addon for you, and you install it, do you not trust them???

    ~Advocate for Javascript in signatures
    21:23:42 ‹Sgt› its better when people torture themselves lol
    21:24:20 ‹Sgt› thinking about it, that's probably the most fucked up thing i've posted on this chat since tukz added it
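
A first-pass audit along the lines raised in post #25 (checking addons for `loadstring` and addon messages), as an added example that is not code from this thread or from ElvUI: it flags Lua files that both listen for `CHAT_MSG_ADDON` and call `loadstring` or `RunScript`. Both Lua samples are constructed, `StartTimer` is a hypothetical helper, and the comment stripping is deliberately simple (it does not handle `--[==[` blocks or `--` inside strings).

```python
import re

# Calls that compile or run a string as Lua on the receiving client.
SINKS = ("loadstring", "RunScript")
EVENT = re.compile(r"""["']CHAT_MSG_ADDON["']""")
SINK_CALL = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")
BLOCK_COMMENT = re.compile(r"--\[\[.*?\]\]", re.S)
LINE_COMMENT = re.compile(r"--.*")


def strip_comments(source):
    """Drop Lua comments but keep line numbering intact."""
    source = BLOCK_COMMENT.sub(lambda m: "\n" * m.group().count("\n"), source)
    return LINE_COMMENT.sub("", source)


def audit_addon_source(source):
    """Return (listens_for_addon_messages, [(line_number, call_name), ...])."""
    code = strip_comments(source)
    listens = bool(EVENT.search(code))
    sinks = [(n, m.group(1))
             for n, line in enumerate(code.splitlines(), 1)
             for m in SINK_CALL.finditer(line)]
    return listens, sinks


def needs_review(source):
    """Flag only files that combine remote input with a code-execution sink."""
    listens, sinks = audit_addon_source(source)
    return listens and bool(sinks)


# Constructed sample: the message text is compiled and run as Lua.
RISKY = '''
local f = CreateFrame("Frame")
f:RegisterEvent("CHAT_MSG_ADDON")
f:SetScript("OnEvent", function(self, event, prefix, msg, channel, sender)
    -- run whatever arrives
    local fn = loadstring(msg)
    if fn then fn() end
end)
'''

# Constructed sample: the message text is only parsed as a number (timer style).
BENIGN = '''
local f = CreateFrame("Frame")
f:RegisterEvent("CHAT_MSG_ADDON")
f:SetScript("OnEvent", function(self, event, prefix, msg)
    local seconds = tonumber(msg) -- never loadstring(msg)
    if seconds then StartTimer(seconds) end
end)
'''

if __name__ == "__main__":
    print(needs_review(RISKY), needs_review(BENIGN))
```

A hit means the file deserves a manual read, not that it is malicious: the difference between the two samples is whether received text is treated as data with a fixed meaning or as code.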
  26. offline
    Member

    Posted 1 year ago - #26

    Spelorzi said:
    Isn't DBM/BigWigs pull timer a backdoor too? (sends command to another user with the same addon)

    This is why I don't see the whole Elvui thing as an issue. It's basically the same as this.

  27. Gladiator BuG
    online
    Premium

    Posted 1 year ago - #27

    haptix said:

    Spelorzi said:
    Isn't DBM/BigWigs pull timer a backdoor too? (sends command to another user with the same addon)

    This is why I don't see the whole Elvui thing as an issue. It's basically the same as this.

    It is. But internet people do like to make scenes, drama and spectacular posts :)

    This has most likely been found by some script kiddies on OC thinking he was an imba hacker. Just move on guys, no one will steal your cookies :-P

    13:40:26 ‹Elv› I kissed a boy, and I liiiked it
    10:39:13 ‹tSgt› then give me your ass i give you mine
    13:53:27 ‹Sgt› Because i like deep things
  28. Duelist Helix
    offline
    VIP

    Posted 1 year ago - #28

    I heard Elvui is an early version of Skynet, better run and hide while there is still time.

  29. Gladiator Dandruff
    offline
    VIP

    Posted 1 year ago - #29

    BuG said:
    [...]
    no one will steal your cookies :-P

    My session cookies or my choco choco chip cooookies?

    ~Advocate for Javascript in signatures
    21:23:42 ‹Sgt› its better when people torture themselves lol
    21:24:20 ‹Sgt› thinking about it, that's probably the most fucked up thing i've posted on this chat since tukz added it
  30. Gladiator BuG
    online
    Premium

    Posted 1 year ago - #30

    Helix said:
    I heard Elvui is an early version of Skynet, better run and hide while there is still time.

    If you type the V letter upside down it looks like a triangle. i think elv is Illuminati. + it's 3 letters. like NSA. elv is also nsa!

    half life 3 confirmed

    13:40:26 ‹Elv› I kissed a boy, and I liiiked it
    10:39:13 ‹tSgt› then give me your ass i give you mine
    13:53:27 ‹Sgt› Because i like deep things

Topic Closed

This topic has been closed to new replies.