The end of trust? Unity hacking

For some time I’ve observed an unnerving trend on reddit of game developers reporting that they were hacked and blackmailed.

The angle seems to be:

  • Someone on their / a shared Discord makes contact
  • They ask if they’d be up for testing their game
  • They link to a legit looking itch.io page with a downloadable game
  • The game carries a virus or similar mechanism to steal user data or obtain access to their computer
  • Moments later they are contacted by the hacker and blackmailed to give access to their Discord / Steam account or similar

This exploit of trust among game developers is extremely saddening.

This is especially problematic for indie developers, if no one dares to download games anymore that aren’t thoroughly vetted by some third party.

To me it raises questions too: Are games uploaded to Steam safe against this?
Is this also possible with WebGL games?

If not, how can you possibly ensure anyone trusts your games? And if that’s possible, can’t this be exploited as well?

1 Like

The idea is to answer “No” at step 2 (“ask if”) and live happily ever after.

Steam games are not safe from malware, there were multiple instances where people complained in reviews that game installs services they dislike. One example is Easy Anti-Cheat.

Regarding game trust - if the game ever asks for elevated privileges, that’s a warning flag. However even without those it can wipe out all your documents. So your only hope is signature from trusted party.

3 Likes

This form of spreading malware is called “social engineering” and the only thing one can do about this is education and raising awareness.

It worked for past approaches to the point they became memes everyone’s laughing about. Which reminds me, that cousin in Nigeria is still waiting for my $5,000 downpayment so I can get my share of his heritage amounting to over a million can you believe that???

No.

But they’ll find new ways every so often. It’s a cat and mouse game.

3 Likes

I’d like to think WebGL was immune but the honest truth is, nothing is. The fact that people can/have embedded malware in pictures and so on just proves frankly nothing is safe. Back in the late 80s early 90s a computer magazine that put out a CD on the front cover got hammered when it turned out the CD had a virus on it… People had stupidly believed read only media was safe, well, it is, in that as long as it was clean when it went on, it stays clean, but if you burn a virus on, well, it’s on there now…

Everyone wants a bargain, everyone wants to feel special, so if they get a chance at an “early” copy, or to be paid for (allegedly) or, anything people will fall for it… I fear it’s going to be a long time before they stop falling for it.

1 Like

My issue is not with it happening to me (well also), but that, if everyone acts cautiously, no one will ever test someone else’s game again.

Not everyone can (or will) easily acquire a signature for their game. Especially in settings like game jams and the like.

But that sort of attack requires opening the image in a viewer that has such a security issue.

A far easier approach is to simply make that image a hyperlink and entice someone to click it.

My very first computer magazine (for Apple at that) came with a floppy disk with demos. One of them was ransomware which locked up the computer for money. How no one tested that before shipping thousands of copies is beyond me.

1 Like

Oh, they absolutely will. “This happened to someone else, and I’m different! No way it would happen to me”

Use builds that do not require admin rights to run. Basically a game should start from extracted zip archive.

1 Like

No matter the requested rights, Windows still gives that stupid warning regarding lack of signature.
Everyone who plays games from itch.io at least regularly should be used to it. But a newcomer will be frightened.

As for that scam issue, yeah it’s a real thing. I received such a message from a friend who got hacked as well. It sucks big time for game devs. Probably the only solution is to regularly mention that you work on a project so it’s not feeling like “suddenly I’m a game dev” when you do actually ask friends to be testers…

Discord itself closes their eyes in front of issues like these for some reason (and they reduced some workforce recently anyways). They don’t even act against easily auto-detectable spam (like a bot posting the same msg in 10 channels within 10 seconds).

2 Likes

Sorry, but I stopped reading here because the average person on reddit is just a karma seeking idiot. I visit reddit as it’s taken over for forums for most communities but you have to be extremely doubtful of anything posted there because most people are just there farming for likes. Trends on reddit don’t really mean anything.

You can say that about pretty much any source, nowadays, though.
But it doesn’t matter. I also found a bunch of videos on it and watched in real-time as a Discord server was being taken over and the mods couldn’t do anything about it. Make of that what you will.

No. It’s far worse for reddit than any other community. Because of how large reddit is and how many people are on it you can’t figure out who has a good reputation and who doesn’t. With most communities you can know most of the major people and know for example that someone has a tendency to respond a certain way to a certain topic.

You can have that removed by purchasing an EV (Extended Validation) Code Signing signature. Once applied it will alert the user on install if the application has been compromised. You still have to verify that your code is safe and doesn’t accidentally have a virus but this will safeguard it once it leaves your hands.

Here are the companies that I’ve heard of but there are others too.

https://comodosslstore.com/code-signing/comodo-ev-code-signing-certificate
https://shop.globalsign.com/en/code-signing

This isn’t “new” and has been happening for over a year and a half now. Despite this, it’s still possible to get testers for games. This isn’t the “end of trust.”

I believe you’re talking about a different warning.

Windows gives warning for downloaded exe files and msi. The idea is not to use those, but archives. Extract the archive and run. I’ve never seen a warning on archive contents extracted with 7zip.

Then there’s an entirely separate issue when exe requests elevated rights to write into admin-protected folder. That one should not be ignored and is a red flag. Several steam games in fact trigger this, but it becomes less and less common.

It’s the one Ryiah refers to as well. It is explicitly regarding the certification of the publisher of an executable.
This, albeit it looks a tad different by now. https://stackoverflow.com/questions/38675959/can-i-mark-an-external-exe-as-safe-to-run-unknown-publisher-programmatically

Few hundred dollars each year are not that easy for an indie and not sure whether you can easily apply the same certificate to as many updates as you want…

2 Likes
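
Added example, not part of any post in this thread: a read-only PowerShell check a tester can run over an extracted build before starting it, covering the two things discussed above (the publisher signature and the "downloaded from the internet" marker, which Windows stores in the `Zone.Identifier` alternate data stream). The folder `.\ExtractedBuild` and the function name `Get-BuildTrustReport` are assumptions chosen for illustration.

```powershell
# Added example: inspect an extracted game build without executing anything.
# ".\ExtractedBuild" is a hypothetical path; pass the folder you extracted to.
param([string]$BuildDir = ".\ExtractedBuild")

function Get-BuildTrustReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll', '.msi' } |
        ForEach-Object {
            # Authenticode status: Valid, NotSigned, HashMismatch, ...
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

            # Zone.Identifier stream is present when the file carries the
            # "came from the internet" mark that triggers the download warning.
            $motw = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier `
                        -ErrorAction SilentlyContinue

            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

            [pscustomobject]@{
                File           = $_.FullName
                Signature      = $sig.Status
                Signer         = $signer
                DownloadMarked = [bool]$motw
                SHA256         = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$report = @(Get-BuildTrustReport -Path $BuildDir)
$report | Format-Table File, Signature, Signer, DownloadMarked -AutoSize

# HashMismatch means the file changed after it was signed; treat it as a
# hard stop. NotSigned is common for jam builds and only means there is no
# publisher identity to rely on.
$tampered = @($report | Where-Object { $_.Signature -eq 'HashMismatch' })
$unsigned = @($report | Where-Object { $_.Signature -eq 'NotSigned' })
Write-Host ("{0} file(s) modified after signing, {1} unsigned" -f $tampered.Count, $unsigned.Count)
```

The SHA256 column lets the tester compare what they received against a hash the developer published through a separate channel.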

That’s the third one and I’ve not seen it in ages.

Note that both question and accepted answer you linked talk about admin privileges. In my opinion, your application should not request them. Ever.

Microsoft automatically tracks opened executables and after enough people opt to open regardless of the warning they mark it as safe. I run into it on occasion but it requires me to be running an app that’s really unusual.

1 Like

That’s offtopic, but frankly this sort of feature is a good reason to ditch windows system.

Is it? Why? And ditch it for which superior alternative?

Yeah sure, I’d rather choose an OS where I gotta compile every other application myself xD

Indeed Windows stops showing the alert after enough people have opened it, but especially when you give someone your game to test it, it’ll appear :confused: