Hub 3.1.0 node-ipc incident

Dear all,

This week's release of Unity Hub 3.1.0 included an update to a compromised version of the node-ipc library, an open source package that is used by the Hub. This resulted in the generation of an empty .txt file on the desktop of users who upgraded to Hub 3.1.0. Our initial investigation did not reveal any further additions of unwanted code or other unexpected behavior. While there do appear to be recent changes to the node-ipc library that include malicious code, those were not included in our Hub 3.1.0 update. Although we have eliminated the root cause that led to this incident, we are committed to improving our internal QA processes to prevent future problems in Unity Hub. A hotfix was released four hours after the incident was discovered with Hub 3.1.1 and we plan to update you on the status of our audit as soon as possible. The security and any perceived vulnerabilities in Unity software remain our top concern.

19 Likes

@LeonhardP Why is this announced on forums only? Surely there should be some note that can reach all Hub users; not all users read these forum announcements actively. I can imagine people freaking out if they saw that TXT and didn't know where it came from.

5 Likes

I don't know how this is not malicious. Or am I looking in the wrong place?
Edit 1:
I meant, it's overwriting people's files with heart emojis.
Edit 2:
Apparently I'm still quite nervous and reread the paragraph, just noticed that the latest code changes with the emojis feature didn't make it to the HUB ...

2 Likes

Are there any considerations to make Hub a little more user friendly here, perhaps even open source it considering this news?

There seem to be issues on a daily basis at the moment.

  • Force expiry of licenses in Taiwan because it's considered China(?) [0]

  • Including restricting offline usage for > 3 days (according to support)

  • Super slow startup, sometimes the screen stays all gray [1]

  • Which seems to require a complete machine restart.

  • Sometimes crashes after leaving it running for more than a day. [2]

  • UI is extremely unresponsive. About 1 second latency on apple silicon.

  • Sometimes logs you out of the Hub, needing to restart.

  • Unity installs / downloads sometimes fail for weird reasons.

  • Security breaches as mentioned above.

  • Editor sometimes can't connect to package manager / Asset Store tools because of being logged out. Requiring Editor & Hub restart.

  • Unity.Licensing.Client sometimes keeps running after closing the Hub [3]

Hub would be super useful if it leaned more towards helping the user, instead of restricting the user :)

[0] (screenshot attachment, 2022-03-19)

[1] (screenshot attachment, 2022-03-19)

[2]

[3] (screenshot attachment, 2022-03-19)

4 Likes

When can we expect the results of the audit? Having it done would sure ease a lot of minds, including my own.

1 Like

It's a shame that a developer of a node module decides to include a destructive payload that could potentially cripple not only indie developers but professional studios too.

On the point of the idea of the open source Unity Hub:

An open source version of the Unity Hub would probably go a long way, even if some of the features were disabled/removed that would require access to black-box/closed source functions (ie internal Unity APIs that are off-limits). It would also allow developers to fix bugs that the Hub may exhibit and/or patch security threats, which then Unity Tech themselves could merge into their own closed-source version.

1 Like

Bigger issue on the Hub is that we as users don't have control over its updates, right now Hub 3 automatically downloads and installs Hub updates that go live next time we open Hub. It's a big security threat that's very real, considering that node-ipc change actually slipped through them.

There's no real trust here that something worse couldn't happen soon since we all know how slowly Unity operates and reacts for bigger changes and at the same time Hub keeps installing things on its own to our computers.

Afaik the node-ipc library update that contained malicious code was a quite recent change for that library and it propagated from that library change to Hub release on our computers at a speed that I would have not assumed being possible. This suggests Hub final releases don't get a very extensive testing period at Unity's end.

11 Likes

[quote=“rz_0lento”, post:7, topic: 875255]
Bigger issue on the Hub is that we as users don’t have control over its updates, right now Hub 3 automatically downloads and installs Hub updates that go live next time we open Hub. It’s a big security threat that’s very real, considering that node-ipc change actually slipped through them.

There’s no real trust here that something worse couldn’t happen soon since we all know how slowly Unity operates and reacts for bigger changes and at the same time Hub keeps installing things on its own to our computers.
[/quote]

This.

This is one example of why “newer is not always better” - sure, I can understand Unity Tech’s desire to keep people up to date with the Unity Hub, but this behaviour should definitely be opt-in. Automatically (Silently in some cases) updating things can lead to screw ups, and like this one, if the payload was worse than it is already, the Unity Hub could have done some serious damage.

Hopefully Unity Tech has learnt a lesson from this issue, and will incorporate measures to avoid similar ones in the future. The end developer should have the power to say “No, I will update when I want to” and avoid issues like these.

3 Likes

The other thread had a link to a way to stop the Hub auto-updates but there's no way to tell if Unity will remove this option in the future now that people rush to block the updates..

https://discussions.unity.com/t/875070/6

1 Like

I freaked out when I saw a text file FROM-AMERICA-WITH-LOVE.txt on my desktop. I thought I had malware so I scanned my PC but came up with nothing. I had updated the hub before that and didn't notice it then, didn't think it would have come from something like Unity. That's crazy.

Also think of the following for a moment:
- Unity does really poor job at communicating this security threat
- People get pissed off about this and block future Hub updates
- Unity can't silently patch out future discovered security threats anymore since people have blocked the updates.

Instead, in an ideal situation Unity Hub would inform users there's an update available and clearly indicate what it fixes so people can make educated decisions whether they need to update or not. The only exception to this could be if there's a clear security issue with the currently deployed version, but even then I feel it should be left up to the user to decide if they want to update; just pop up a message box explaining why it's urgent etc.

10 Likes

Being open and honest about this is the best way to deal with it, I had to get told about this before I even realised it was a thing because I've been busy with RL stuff. The Unity staff have kind of dropped the ball on this and I know it took people by surprise but you really need to make sure people know what's going on when so many are using your software, the staff aren't usually this bad with communication and patches.

Well this just goes from bad to worse - having been aware of this issue over the last few days and making various posts in the threads about it, this morning I discover to my horror that the Unity Hub has auto-downloaded the 3.1.1 update and will AUTOMATICALLY install it the next time it's restarted!

This is annoying on many levels, not least as I had wondered about how the Hub updated as I could find no user settings to opt-in or out beyond the production vs beta channels. I guess I know the answer now, Unity doesn't believe in giving its customers the option ( beyond registry hacks? which is also too late for me now ). Instead they just automatically download and install and provide probably the most effective security threat to my PC that I've seen in decades!

What really pisses me off about this is that this update is either an amazing coincidence or Unity have decided to push this out to everyone to try and cover any existing issues or threats ( known or not ) within third party code used by the hub. Perhaps trying to reach people who may have updated to 3.1.0 and not know there is an issue, though there really should have been an additional announcement as to the reason for doing this.

Firstly if this was a coincidence, what the HELL is Unity doing allowing auto-updates to the Hub whilst they are supposedly meant to be performing a full audit of all third party code? The auto-update should have been disabled immediately when the initial event occurred and should not have been re-instated ( for everyone ) before providing the necessary reassurances and documentation to customers that the Hub is guaranteed to be safe.

If it's the latter then again what the HELL is Unity doing allowing auto-updates to the Hub whilst they are supposedly meant to be performing a full audit of all third party code? I simply don't believe they were able to perform such an audit in two days or less!

In the end all of this frustration goes back to the same two issues

  • Why didn't Unity provide user setting to opt-in or out of auto-updates for the Hub?
  • Lack of transparency and dialog with the community/customers.

For example there may be a very good reason to force users with older Hub versions ( e.g. 3.0.1 ) to 3.1.1 but without any information from Unity as to why, I really dislike being pushed to the most current version when a serious threat was found in the previous version ( 3.1.0 ) and there has been little time to audit the current version for any other issues.

Seriously considering uninstalling the Hub, but at this point I'm not sure if that's even possible anymore? I know with it installed launching any editor will simply open the Hub and with the 3.0.1 release licensing completely breaks any time my machine goes to sleep and I have to go through the Hub to get any editor to sign into my Unity account.

4 Likes

[quote=“mischa2k”, post:4, topic: 875255]

  • Super slow startup, sometimes the screen stays all gray [1]

  • Which seems to require a complete machine restart.

  • Sometimes crashes after leaving it running for more than a day. [2]

  • UI is extremely unresponsive. About 1 second latency on apple silicon.

  • Sometimes logs you out of the Hub, needing to restart.

  • Unity installs / downloads sometimes fail for weird reasons.

  • Security breaches as mentioned above.

  • Editor sometimes can’t connect to package manager / Asset Store tools because of being logged out. Requiring Editor & Hub restart.

  • Unity.Licensing.Client sometimes keeps running after closing the Hub [3]
    [/quote]

Can’t talk about the Taiwan bug since I’m (almost) on the other side of the world, but I had every single bug reported here, plus the bug that prevents making new projects with Unity 2019.1, which is marked as fixed but IS NOT FIXED AT ALL!
https://issuetracker.unity3d.com/issues/hub-error-is-thrown-when-creating-a-new-project-with-2d-or-3d-templates

Also I dislike the new dark theme.

Please, make the updates optional!

1 Like

This also proves what many people feared when auto-updates were first introduced as mandatory across various software and even with Windows. All it's going to take is for one rogue employee with access to the servers and they'll very easily be able to cause a catastrophe. Will this blatant security flaw make companies rethink their attitude towards auto-updates in general? I have my doubts precisely because sometimes people seem to have a duck and cover attitude towards justifiable outrage.

At this rate, I'm going to end up being forced to Linux and I'll be better off re-writing the code I have so far for Godot if companies won't honestly address this problem because there's no way in hell I'm leaving my own PC and really my life's work exposed to such a blatant security flaw. It's a shame, because I really like using Unity and I like the general workflow in spite of everything, but what other option is there?

2 Likes

I'm completely confused, can I upgrade Unity Hub to version 3.1.1 now, or will the integrity of my data be compromised?

[quote=“BaKsPlayer”, post:16, topic: 875255]
I’m completely confused, can I upgrade Unity Hub to version 3.1.1 now, or will the integrity of my data be compromised?
[/quote]

It’s still up in the air right now, I’d hold off, they do seem to have caught it but this is precisely why communication is important even if it’s just “We’ve stopped it from infecting our side of things so there’s nothing to worry about”.

[quote=“mohamedelzayatmop”, post:3, topic: 875255]
I don’t know how this is not malicious. Or am I looking in the wrong place?
Edit 1:
I meant, it’s overwriting people’s files with heart emojis.
Edit 2:
Apparently I’m still quite nervous and reread the paragraph, just noticed that the latest code changes with the emojis feature didn’t make it to the HUB …
[/quote]
The code that replaced stuff with heart emojis did not land in that Hub version. The one that just creates an empty .txt file onto your desktop did. While it’s a nuisance, it’s harmless.

[quote=“BaKsPlayer”, post:16, topic: 875255]
I’m completely confused, can I upgrade Unity Hub to version 3.1.1 now, or will the integrity of my data be compromised?
[/quote]
They fixed this issue in 3.1.1, so yes, you should update to be safe.

Against my better judgement I ran Unity Hub and it installed the update automatically, haven't spotted anything nefarious as of yet. The Unity staff absolutely need to let you have the option to disable updates. If you did this then somebody trying to tamper with the code wouldn't be a problem; I really don't see how this could be controversial to implement unless the Unity staff themselves are up to something. You let people have their own version of Unity installed without forcing them to update, so why can't Unity Hub operate the same way at people's own risk? We know software and how to deal with it, just put up a pop up message stating that and be done with it.

1 Like

I can see how Unity want users of the Hub to be current with it since it's the gateway to login to your account and the licensing system for the Editor (even though the login process itself is what I consider rather convoluted and questionable, when it makes a request to some API through the web browser).
Nonetheless it would be better to prompt the user about it, much the same as the editor informs about new updates being released.

As for automatic updates, well at least I don't have that issue for I'm running on Ubuntu and updates go through its packaging system (although there is still something called "unattended updates" which can run to install important security upgrades without waiting until I authorize it, which is what leads to the dreaded Firefox tabs that happily tell me that I can't open a link for there was an update in the background and I need to restart Firefox first. The least this does is severely interrupt whatever I was currently doing. I hate that!)

(With the Unity Hub unlike with Firefox, at least the interactions are usually short and not very often. Just clicking on a project to open it in the Editor, or create a new project. Sometimes installing new Unity versions (or removing outdated ones), and selecting a different version of the editor to use for a project in order to update it...)