Is 3DXCHAT unsafe?

A few days ago Shanti, a long-time and well-known member, publicly raised awareness of the lack of security in 3DXCHAT.COM services.

http://3dxforum.com/index.php?/topic/4725-warning/

It has been over a year since modified DLL files became publicly available, allowing members to bypass the original, official game limitations. Members with some developer skills, like Nella Rochi (http://3dxchattweaked.blogspot.com) or Zinnia (https://zinnia-3dx.blogspot.com), have been publicly supplying updated versions of the DLL files to all members of 3DXChat, which helps them create bigger, artistically designed rooms built from couches that completely bypass the limits the official 3DXCHAT offers.

There have been modifications for animations, avatar looks, outfits, and so on. The game developers and owners did not care much about that, other than placing a funny WANTED sign in their newest room.

When he saw it, Brett Smith posted a topic on the 3dxchat forums http://3dxforum.com/index.php?/topic/4365-so-gizmo-whats-the-bounty asking about it, though knowing that the devs never really cared much about hackers and that the sign was nothing more than a joke for 2016.

And so they left Pandora’s Box open, meaning that the owners and developers of the game have done nothing to make it more secure, while opening more doors for moderately skilled programmers who, with some knowledge, could take pretty much unlimited control over the game and its members.

Shanti’s topic sparked heated discussion, making people realise that while replacing Assembly-UnityScript.dll is so easy, it may harm the harmony of the community even more, not to mention the privacy risks and other (virus-related) problems.

Her post clearly states and draws attention to the risks, and to the fact that there are no limits to how far hackers can go while all doors are left wide open by the owners and developers of 3DXChat.

“Let’s be clear, I have always been supportive of the dll for the basic things it provided us (again that the game should be isn’t providing), but now it has reached heights that can hardly let me stand by them.”

She listed only a few of the many dangerous things a modified DLL file can do in game and to members:

  • using any player of the game as a bot from anywhere, even if they aren’t on the same map.
  • having access to full list of rooms, even those set as private for friends or group, and being able to join them.
  • being able to see account ID, which basically helps tie alts together in between accounts.

Another member, Torax, pointed out further known functions that modified game files let members use:

“this “special” dll would allow you as well to send PM’s with the tag of someone else. I remember having seen a screenshot of it and it was made pretty user friendly, simply entering the avi’s name to get all the functions listed above.”

Shanti called on all members to be cautious about this:

“Be careful, I can already see the countless possibilities of how some people will wrongly use this new dll.”

And she also addressed the developers in her public topic:

“Stop remaining silent, this is becoming ridiculous. Save your game, protect your code, use the modders to help you upgrade the game with those needed options.”

In the 21st century, online activities are a main part of our lives, and offering security and protecting privacy is very important. How the developers of 3DXChat have missed that is a mystery, but members getting together and calling it out like Shanti did may bring some changes.

However, when this article was written, a few days after she posted the topic, none of the owners or developers had responded to it yet.

Fingers crossed. I see only two ways it can end:

  1. Developers will listen to the members (and to common sense based on today’s online security standards) and put the required work and money into security.
    or…
  2. Things will get out of hand so badly that eventually 3DXChat will close.

All we can do is wait and see at this point.

UPDATE

GeorgeG posted this on the 3dxchat forums, and it deserves attention:

“As a professional IT security consultant, I have done my own research on the game. Not because I was looking for something, but just as a force of habit, because I wanted to know how safe my personal information is in this game.

The first obvious thing I discovered is that payments are handled by a third party company (BMT Micro) which is a good thing because they only have access to real names, addresses, payment cards details etc. Every online company that needs to hold payment cards information and wants to actually allow users to enter their VISA, Mastercard details, is required to obtain some certifications, one of which is called PCI-DSS. Since BMT Micro is PCI-DSS certified, I am confident that they can handle and store our personal information in the most secure ways possible. 3DXChat only holds an email for each user and their game account password (unfortunately in clear-text format as Mulan has already pointed out).

Ok, our personal information is as secure as possible. How about the game itself? How am I safe in-game? As someone else in this thread has mentioned, it is not required for any of us to publicly disclose vulnerabilities that are not fixed yet. This will only encourage people to exploit them and cause more damage than there already is. So I only want to confirm some of the previous statements that are already out in the open.

Digging into the game’s network protocol and actual game’s code, I immediately discovered some really really serious flaws that could end up in abuse. Basically, every kind of restriction that this game has, happens on the client itself – not in the server. Meaning that the server just gives out *everything* (player names, account ids, room names, avatar appearance, avatar movements, poses being used by who and where etc) and then it is up to the client to filter out all this information and display only what is needed. There is absolutely no server-side restriction to anything except for PMs. As far as I have seen, PMs are the only ones that are sent directly to relevant users and not just broadcasted to everyone for the client to filter out.

To make it as simple as possible to understand, imagine that this game is like I want to send you a picture but I’m too lazy to find it and send it to you, so I send to you my entire hard disk’s contents and tell you to ignore everything except for the picture. So it is up to you to not look into everything else but the picture. This way of implementation, sure might be great for a proof of concept first version of the game, just to get things started, but it is by no means the way that a production system should work.

You can’t be blaming people who create mods when everything is open. With this type of security (lack of it), it is pure destiny for those things to happen. And I’m actually surprised that it took so many years for those things to happen.

I also need to mention that about 18 months ago, I had mentioned to Ash all of those discoveries because I was concerned, and to my surprise he already knew of them.

My conclusion is that I believe we should all come to terms with the complete lack of security in this game because fixing it will require complete re-write of the whole game’s code and more importantly, complete re-write of the server’s code. It’s not gonna happen anytime soon. I believe we have all seen that the people in charge (which I believe is just a one-man-show) are not fans of big changes, especially when they already know of the game’s problems and flaws for years now and are not willing to fix them. The only way this game is gonna be saved is if it is sold to someone else and takes over management and development responsibly.

So, don’t take things too seriously, use a different email just for this game, don’t use passwords that you already use somewhere else and slowly come to terms that the in-game privacy that you took for granted all this time, probably does not exist and act accordingly.”
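The difference GeorgeG describes between client-side filtering and server-side restriction, shown as an added example (it is not from his post and is not 3DXChat code). The room model, the class and method names and the sample data are all assumptions made up for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Room:
    name: str
    owner: str
    friends_only: bool = False
    occupants: set = field(default_factory=set)

class World:
    def __init__(self, rooms, friends, account_ids):
        self.rooms = {r.name: r for r in rooms}
        self.friends = friends          # owner -> set of friend names
        self.account_ids = account_ids  # name -> internal account id

    def may_enter(self, viewer, room):
        if not room.friends_only or viewer == room.owner:
            return True
        return viewer in self.friends.get(room.owner, set())

    def snapshot_broadcast(self, viewer):
        # Weak design: every room and every account id goes to every client,
        # and hiding them is left to client code the user can replace.
        return [{"room": r.name, "friends_only": r.friends_only,
                 "occupants": {p: self.account_ids[p] for p in r.occupants}}
                for r in self.rooms.values()]

    def snapshot_authorized(self, viewer):
        # Server decides per viewer; account ids never leave the server.
        return [{"room": r.name, "occupants": sorted(r.occupants)}
                for r in self.rooms.values() if self.may_enter(viewer, r)]

    def join(self, viewer, room_name):
        room = self.rooms.get(room_name)
        # Re-check on the request itself; same error for "hidden" and "missing".
        if room is None or not self.may_enter(viewer, room):
            raise PermissionError("room not available")
        room.occupants.add(viewer)

def sample_world():
    # Constructed sample data, not taken from the game.
    rooms = [Room("beach", "alice", occupants={"alice"}),
             Room("loft", "bob", friends_only=True, occupants={"bob", "carol"})]
    return World(rooms, friends={"bob": {"carol"}},
                 account_ids={"alice": 101, "bob": 102, "carol": 103, "mallory": 104})

if __name__ == "__main__":
    w = sample_world()
    print(w.snapshot_broadcast("mallory"))   # leaks the friends-only room and ids
    print(w.snapshot_authorized("mallory"))  # only what this viewer may see
```

With the authorized snapshot, a replaced client DLL has nothing extra to reveal, because the data it would need was never sent.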

Layla K

 

Real Life

Layla was born in October 1989.

She has beautiful dark skin and a slim figure. To keep in shape she goes to the gym 3 times a week and she has a weekly dance rehearsal for her part-time job.

She loves dancing and listening to music. Loves reggae and her favourite is Wellette Seyon. Other favourite songs: Free your mind (En Vogue) and Everything at once (Lenka).

Her favourite colour is pink but she loves any vivid colour.

She lives her virtual life to experience sexy stuff that’s too dangerous to do in real life, but she always keeps in mind that behind an avatar there’s a human being with desires and fantasies too. She respects that, and her only wish is to fulfil that other person’s fantasies as much as she can.

 

Interview

JBH: How did you end up doing porn and why you like doing it ?

I always fantasised about how it would be, doing porn movies with one or more of those gorgeous looking guys with awesome six-packs and big hard cocks.

This is a dream chance to find out :)

JBH: What is your favourite sex pose and why ?

Guess I’m an old fashioned girl, love missionary when a guy spreads and hold my legs. I love a guy that knows what he wants and takes it…

JBH: What was the wildest sex thing you ever done (virtual) ?

I’m rather timid in rl, so I think I’m not the wild one in here either, but one day, jumping to the yacht there was those two young guys that invited me…

Being horny as hell that morning, I accepted and we did a threesome in public and it was soooooo exciting !

JBH: What is your wildest dream you really want to do someday ?

Mmmmmm… Ive seen a porn movie that was really awesome, I’m not sure we can do it in here (yet), but the idea of a foursome makes my pussy start to tingle already :) Or taking part in an ancient roman orgy would be cool too.

JBH: When you are playing with yourself in RL during virtual sex what do you use ?

I use my fingers only, using  a vibrator would slow down my typing too much.

I find that what you say in chat during sex adds much more to the excitement than the visual aspect only, although 3DX graphics are so cool !

Saying that, you know I’m not fan of cold invites and silent fuckers that scroll through every possible pose :)

JBH: What important message would you like to send to your fans through your movies ?

First of all, I would like to thank them for being my fans and if there’s one thing you should always remember, it’s this: You are beautiful ! You deserve someone beautiful too !

From there on, I’d say: have fun, as much as you can !


Sandra M

Real Life info

She was born on 15.03.1979 in a small town in the EX-YU. Now she lives and works in Austria.
She married very young and has two children.

The idea of sex with strangers was constantly on her mind. She is very addicted to sex. Her favorite porn actor is Joss Lescaf.

JB Heat Interview about her virtual life and porn.
JBH: How did you end up doing porn and why you like doing it?

I’ve always been attracted to the idea of being a porn actress. Now it’s too late for me to become a RL porn star. But 3dxchat has given me the opportunity to become a Virtual actress. I started with an old friend. We recorded two wonderful movies. Now I’m in the best production company. I hope that we will shoot many good movies.

JBH: What is your favorite sex pose and why?

With good a lover all positions are good. I love doggy, love MFM , when I hold two dicks in my hands. Love cum in my mouth and on my tits ..

JBH: What was the wildest sex thing you ever done (virtual)?

Oh..I’ve done lots a wild things here. Sex in public places, gangbangs…. When I need a good fuck, I  find several young guys. But sometimes I like to make happy some of my elderly friends. I was here with the guys from 18 years old to the 69 old gentleman .

JBH: What is your wildest dream you really want to do someday?

I dream about sex with Joss Lescaf :)

JBH: When you are playing with yourself in RL during virtual sex what do you use?

I have two dildos. One is 21cm black. Amazing. And of course I use my pretty fingers.

JBH: What important message would you like to send to your fans through your movies?

I want to enjoy it while I make movies, and I hope my fans will enjoy watching them.

 
