disable shellexec in IGB

Demios Primus
Brutor Tribe
Minmatar Republic
#1 - 2016-02-25 03:56:35 UTC
I don't know how long this has been possible, but disable this function please.

It used to be safe to click on anything, worst that could happen was that you saw some disgusting pictures.

Shellexec however and the ability to link pretty much anything with a URL makes it possible to spread malware through in-game links that everybody can click on. And it's way too easy to make clickbait in eve.

Fix this ASAP or tell me how to disable this myself.

Best Regards,

Demios
Iain Cariaba
#2 - 2016-02-25 06:04:30 UTC
Demios Primus wrote:
...tell me how to disable this myself.

Try using basic internet security methods, the first one being that you don't open **** that you don't know what it is.
Barrett Fruitcake
Doomheim
#3 - 2016-02-25 08:14:51 UTC
I also think this command should be disabled within the IGB, or at least an option to disable it should exist.

Luscius Uta
#4 - 2016-02-25 08:52:33 UTC
I'm surprised that Jita local isn't full of people abusing this. I guess it's one of less-known features and CCP probably thinks it isn't a big security hole (after all, not like people can delete your boot.ini with it).

Workarounds are not bugfixes.

Iain Cariaba
#5 - 2016-02-25 11:56:41 UTC
Luscius Uta wrote:
I'm surprised that Jita local isn't full of people abusing this. I guess it's one of less-known features and CCP probably thinks it isn't a big security hole (after all, not like people can delete your boot.ini with it).

Jita isn't full of people abusing this because most people that play EvE have at least enough tech savviness to keep it from affecting them. The most basic of internet security measures will keep this from ever happening to you.
Bumblefck
Kerensky Initiatives
#6 - 2016-02-25 12:55:16 UTC
I, too, am soft in the head and compulsively click on EVERY GODDAMNED LINK IN JITA LOCAL like a fool

Perfection is a dish best served like wasabi .

Bumble's Space Log

Barrogh Habalu
Imperial Shipment
Amarr Empire
#7 - 2016-02-25 13:19:05 UTC
I think it was stated at one point that CCP are more eager to remove IGB altogether rather than keep updating it to close security holes and whatnot.
Iain Cariaba
#8 - 2016-02-25 15:37:47 UTC
Bumblefck wrote:
I, too, am soft in the head and compulsively click on EVERY GODDAMNED LINK IN JITA LOCAL like a fool

At least you admit it. :P
Frostys Virpio
KarmaFleet
Goonswarm Federation
#9 - 2016-02-25 15:41:57 UTC
Bumblefck wrote:
I, too, am soft in the head and compulsively click on EVERY GODDAMNED LINK IN JITA LOCAL like a fool


How am I supposed to check if those links really are scams without clicking them? I could also be missing out on the cutest cat kitten picture ever if I don't click the links. Is this really what you want? You want people to miss out on the cutest kitten picture ever????
Serendipity Lost
Repo Industries
#10 - 2016-02-25 16:44:42 UTC
Frostys Virpio wrote:
Bumblefck wrote:
I, too, am soft in the head and compulsively click on EVERY GODDAMNED LINK IN JITA LOCAL like a fool


How am I supposed to check if those links really are scams without clicking them? I could also be missing out on the cutest cat kitten picture ever if I don't click the links. Is this really what you want? You want people to miss out on the cutest kitten picture ever????



I love kittens!
Demios Primus
Brutor Tribe
Minmatar Republic
#11 - 2016-02-26 21:01:10 UTC
It's more like, how am I supposed to know this is not the relinked destination system in fleet, but some other link doing who knows what outside of my eve client?
I wasn't talking about jita at all. This is about the ability of spies to **** up your fleet when they get into fleet.
Iain Cariaba
#12 - 2016-02-26 21:39:42 UTC
Demios Primus wrote:
It's more like, how am I supposed to know this is not the relinked destination system in fleet, but some other link doing who knows what outside of my eve client?
I wasn't talking about jita at all. This is about the ability of spies to **** up your fleet when they get into fleet.

If you take a tiny bit of time to hover on a link before clicking on it, it tells you what the link is. I've never seen a destination posted that was so time critical that you couldn't wait for the pop-up to verify what you're clicking on.

Also, last I checked, spreading malicious code in that manner not only violates the TOS, which will get them banned, but actually violates the law in many countries. Try reporting it when you see it.
Demios Primus
Brutor Tribe
Minmatar Republic
#13 - 2016-02-26 21:52:50 UTC
since there are ppl ddosing voice servers, I'm not entirely sure they would stop at that, especially when it might be possible to hijack someone else's eve account afterwards.

this is a dangerous feature and it has no ingame use. surely you agree on that.

the argument "check what you click on" has been there since the beginning of the internet and even before that, yet still ppl keep getting infected.

no email provider would need to check the mail for malware if we were to live in your utopia Iain Cariaba.

the fact that this feature is unknown to most of the eve players makes it even more dangerous.
Masao Kurata
Perkone
Caldari State
#14 - 2016-03-03 14:38:54 UTC
As far as I can tell, there's no obvious way to exploit this. EVE only attempts to open the link if it is of the form shellexec:http:... or shellexec:https:... , making it as safe as your browser. In contrast, the IGB is obviously and demonstrably insecure, and rooting the computer of anyone who clicks an IGB link to a site hosting exploits for the out of date chrome version used is trivial.

It's possible that I'm missing something of course, but the shellexec links are handled by executing rundll32.exe url.dll,FileProtocolHandler URL . rundll entry points get everything after the function name passed to them as a single string, so executing another local command by manipulation of the URL doesn't seem to be possible, but maybe a buffer overflow could be triggered in url.dll's FileProtocolHandler or (more likely) in EVE. A brief investigation didn't reveal any such vulnerabilities, so I'm inclined to say this is vastly more secure than the IGB.
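The scheme restriction and single-argument hand-off described in post #14, as an added example that is not part of the thread and not EVE's or CCP's code. The function names, the forbidden-character list and the sample links are assumptions made for illustration; only the `shellexec:` prefix, the http/https restriction and the `rundll32.exe url.dll,FileProtocolHandler` handler come from the post.

```python
from urllib.parse import urlsplit

PREFIX = "shellexec:"                # link prefix named in the post
ALLOWED_SCHEMES = {"http", "https"}  # the only schemes the post says are opened
# Characters that could split or re-quote a command line; constructed deny-list.
FORBIDDEN = set("\"'`<>|^")


def check_shellexec_link(link):
    """Return (True, url) if the link may be opened, else (False, reason)."""
    if not link.lower().startswith(PREFIX):
        return False, "not a shellexec link"
    url = link[len(PREFIX):]
    # Whitespace and control characters are rejected before parsing.
    if any(ord(c) < 0x21 or ord(c) == 0x7F or c in FORBIDDEN for c in url):
        return False, "forbidden character"
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    # user@host forms can make the host shown in a tooltip misleading.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    return True, url


def build_argv(url):
    """Argument vector for the handler named in the post; the URL stays one
    element, so it is never re-parsed by a shell (use without shell=True)."""
    return ["rundll32.exe", "url.dll,FileProtocolHandler", url]


if __name__ == "__main__":
    samples = [  # constructed sample links
        "shellexec:https://example.com/form?id=1",
        "shellexec:file:///C:/example.txt",
        "shellexec:http:",
        "shellexec:https://example.com@example.net/",
    ]
    for s in samples:
        print(s, "->", check_shellexec_link(s))
```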
Terminal Insanity
KarmaFleet
Goonswarm Federation
#15 - 2016-03-03 19:59:27 UTC
while i enjoy making fake killmails that link to rick astley, i agree this should be disabled.

It's a large security risk, not to mention probably very annoying for people who play fullscreen, or on ****** computers, and then they have to sit there loading their web browser and losing their game client

"War declarations are never officially considered griefing and are not a bannable offense, and it has been repeatedly stated by the developers that the possibility for non-consensual PvP is an intended feature." - CCP

Lugh Crow-Slave
#16 - 2016-03-03 20:01:29 UTC
Terminal Insanity wrote:
while i enjoy making fake killmails that link to rick astley, i agree this should be disabled.

It's a large security risk, not to mention probably very annoying for people who play fullscreen, or on ****** computers, and then they have to sit there loading their web browser and losing their game client


1 why the hell are you playing full-screen? borderless is your friend

2 don't click ransom links
Iain Cariaba
#17 - 2016-03-04 00:26:56 UTC
Terminal Insanity wrote:
while i enjoy making fake killmails that link to rick astley, i agree this should be disabled.

It's a large security risk, not to mention probably very annoying for people who play fullscreen, or on ****** computers, and then they have to sit there loading their web browser and losing their game client

1. As Lugh said, Fixed Window mode is your friend. Client does not need to minimize to switch to another application.

2. Briefly hovering over a link before clicking on it will display what the link is. If someone links a killmail, it says "Kill Report" in the tool tip. If someone disguises a link as a kill report, it will show the URL in the tool tip. Basic awareness of your actions is your best defense.
Miss 'Assassination' Cayman
CK-0FF
My Other Laboratory is a Distillery
#18 - 2016-03-05 14:32:01 UTC
Demios Primus wrote:
this is a dangerous feature and it has no ingame use. surely you agree on that.

Huge disagreement here. First of all, it isn't dangerous. Sure, it can send you to sites you don't want to go to, but if you have your normal browser set up in any reasonable way it shouldn't be a problem. It can't do anything except open an http or https link in your normal browser, so there's not much more potential for danger than opening it in the IGB.
Second, it definitely does have a use. For example, links to Google forms that can't be completed in the ingame browser. It's much more convenient to have a shellexec link to open the form in a working browser than to explain to people that it doesn't work ingame and that they need to copy and paste the URL. Another example is the way my corp has a link to our TeamSpeak server in the corp channel MOTD. It's quite handy for new recruits to just click the link and ok the redirect to open it with TeamSpeak.

Really the only abuse of it I've seen is making the occasional harmless troll link.
John FlyingTrucks
Perkone
Caldari State
#19 - 2016-03-06 05:16:57 UTC
Miss 'Assassination' Cayman wrote:


Really the only abuse of it I've seen ...


Is just scratching the surface of the potential for this getting misused.

Read up on this: Ransom32 is the first Ransomware written in Javascript and then see if you hold the same opinion.





Miss 'Assassination' Cayman
CK-0FF
My Other Laboratory is a Distillery
#20 - 2016-03-06 05:30:52 UTC
John FlyingTrucks wrote:
Miss 'Assassination' Cayman wrote:


Really the only abuse of it I've seen ...


Is just scratching the surface of the potential for this getting misused.

Read up on this: Ransom32 is the first Ransomware written in Javascript and then see if you hold the same opinion.






And what happens when the ingame browser is removed and all links open in an external browser? Or what if someone links something like that and tells people that it doesn't work in the ingame browser so they open it in an external browser themselves?