A few days ago a long time and well known member, Shanti, has made a public awareness about the lack of security on 3DXCHAT.COM services.
It’s been a over a year now when modified DLL files hit the public access allowing members to bypass the original and official game limitations. Members with some developer skills like Nella Rochi http://3dxchattweaked.blogspot.com or Zinnia https://zinnia-3dx.blogspot.com has been publicly supplying updated versions of DLL files to all members of 3DXChat which helps them create bigger and artistic designed rooms built from couches, that completely bypass limits that the official 3DXCHAT offers.
There have been modifications for animations and avatar look, outfits, and so on. The game developers and owners did not care about that much other than placing a funny WANTED sign on their newest room.
When he saw it Brett Smith posted a topic on the 3dxchat forums http://3dxforum.com/index.php?/topic/4365-so-gizmo-whats-the-bounty asking about it but knowing that the devs never really cared much about hackers and that sign was nothing more than a joke for 2016.
And so they let Pandora’s Box open. Meaning that the owners and developers of the games have not done anything to offer more security on the game, while opening more doors for moderately skilled programmers who with some knowledge could actually take pretty much unlimited control over the game and it’s members.
Shanti’s topic fired up a heated activity making people realise that while replacing the Assembly-UnityScript.dll so easy, it may harm the harmony of the community even more, not to mention that risk of privacy and other (virus) related problems.
Her post clearly states and brings attention to the risks and that there is no limits how far hackers can go while all doors are left wide open by the owners and developers of 3DXChat
“Let’s be clear, I have always been supportive of the dll for the basic things it provided us (again that the game should be isn’t providing), but now it has reached heights that can hardly let me stand by them.”
She listed only a few of the many dangerous options a modified DLL file can do in game and to the members:
- using any player of the game as a bot from anywhere, even if they aren’t on the same map.
- having access to full list of rooms, even those set as private for friends or group, and being able to join them.
- being able to see account ID, which basically helps tie alts together inbetween accounts.
Other member, Torax pointed out to further known functions modified game files can let members do:
“this “special” dll would allow you as well to send PM’s with the tag of someone else. I remember have seen a screenshot of it and it was made pretty user friendly, simply entering the avi’s name to get all the function’s listed above.”
Shanti has called all members to be cautious about this:
“Be careful, I can already see the countless possibilities of how some people will wrongly use this new dll.”
And she also addressed the developers in her public topic:
“Stop remaining silent, this is becoming ridiculous. Save your game, protect your code, use the modders to help you upgrade the game with those needed options.”
In the 21st century online activities are main part of our lives and having offered security and protecting privacy is very important. How developers of 3DXChat have missed that is a mystery but by having members get together, calling out like Shanti did may get some changes.
Although when this article was written, few days after her posting the topic, none of the owners or developers have responded yet to the topic.
Fingers crossed. I see only two ways it can end:
- Developers will listen to the members – and common sense based on today’s online security standards -, and put the required work and money into security.
- Things will get out of hand so badly that eventually 3DXCHat will close.
All we can do is wait and see at this point.
GeorgeG posted this on the 3dxchat forums that deserves attention:
“As a professional IT security consultant, I have done my own research on the game. Not because I was looking for something, but just as a force of habbit, because I wanted to know how safe my personal information are in this game.
The first obvious thing I discovered is that payments are handled by a third party company (BMT Micro) which is a good thing because they only have access to real names, addresses, payment cards details etc. Every online company that needs to hold payment cards information and want to actually allow users to enter their VISA, Mastercard details, is required to obtain some certificateions, one of which is called PCI-DSS. Since BMT Micro is PCI-DSS certified, I am confident that they can handle and store our personal information in the most secure ways possible. 3DXChat, only holds an email for each user and their game account password (unfortunately in clear-text format as Mulan has already pointed out).
Ok, our personal information is as secure as possible. How about the game itself? How am I safe in-game? As someone else in this thread has mentioned, it is not required for any of us to publicly disclose vulnerabilities that are not fixed yet. This will only encourage people to exploit them and cause more damage than there already is. So I only want to confirm some of the previous statements that are already out in the open.
Digging into the game’s network protocol and actual game’s code, I immediately discovered some really really serious flaws that could end up in abuse. Basically, every kind of restriction that this game has, happens on the client itself – not in the server. Meaning that the server just gives out *everything* (player names, account ids, room names, avatar appearance, avatar movements, poses being used by who and where etc) and then it is up to the client to filter out all this information and display only what is needed. There is absolutely no server-side restriction to anything except for PMs. As far as I have seen, PMs are the only ones that are sent directly to relevant users and not just broadcasted to everyone for the client to filter out.
To make it as simple as possible to understand, imagine that this game is like I want to send you a picture but I’m too lazy to find it and send it to you, so I send to you my entire hard disk’s contents and tell you to ignore everything except for the picture. So it is up to you to not look into everything else but the picture. This way of implementation, sure might be great for a proof of concept first version of the game, just to get things started, but it is by no means the way that a production system should work.
You can’t be blaming people who create mods when everything is open. With this type of security (lack of it), it is pure destiny for those things to happen. And I’m actually surprised that it took so many years for those things to happen.
I also need to mention that about 18 months ago, I had mentioned to Ash all of those discoveries because I was concerned, and to my surprise he already knew of them.
My conclusion is that I believe we should all come to terms with the complete lack of security in this game because fixing it will require complete re-write of the whole game’s code and more importantly, complete re-write of the server’s code. It’s not gonna happen anytime soon. I believe we have all seen that the people in charge (which I believe is just a one-man-show) are not fans of big changes, especially when they already know of the game’s problems and flaws for years now and are not willing to fix them. The only way this game is gonna be saved is if it is sold to someone else and takes over management and development responsibly.
So, don’t take things too seriously, use a different email just for this game, don’t use passwords that you already use somewhere else and slowly come to terms that the in-game privacy that you took for granted all this time, probably does not exist and act accordingly.”