Thread: Censorship
08/09/17, 07:58 AM   #30
Sordrak
Join Date: May 2017
Posts: 52
Originally Posted by Dolby
We scan all exes uploaded with VirusTotal along with our automated clamscan; we also spot-check them by decompiling them in a sandbox and comparing with the provided source. We make sure the exes cannot update themselves or execute other exes, etc.

So the issue here is that this exe can write Lua, so it can possibly write AddOns or modify them on the fly from the server's API. Someone could possibly compromise that server and at worst make the exe write an AddOn that could possibly delete your items? It can do whatever the ESO AddOn API allows it to do. So the risk is limited to what the ESO AddOn API will allow.

The author has had many successful releases so far, has updated code and re-written things when asked. We are keeping a close eye on this project and will pull it if need be. We even alerted ZOS of this project.

With that said, I agree it's a good idea to have a warning on any AddOn that we allow that has an included exe. We don't normally allow them, only if the author asks and provides source and does not have a way to update the exe remotely.
I guess I'll have to repeat myself again.

Scanning the exe with VirusTotal and ClamAV is mostly useless, as it will only detect known signatures. It isn't difficult to bypass this. If someone wants to attack the ESOUI users, he certainly wouldn't spread already known malware (bypassing the signature checks of something known is already enough). This check only gives a complete false sense of security. And that's all it is.

Regarding the spot checks: you might miss malware at different levels. Either you may not check the release, or the malware might be obscured.

Both of the things above are giving only a false sense of security in my opinion.

Regarding the Lua part. Yes, you're mostly restricted to the limited API (if you do not find any vulnerability to "break out" of it, but I guess that's another topic). Still, you can cause harm in many different ways. I guess it's up to the creativity of a potential attacker, and I'm not sure if your assessment here is correct. I mean an attacker most likely wouldn't be able to get your e-banking data, but most likely could make you bankrupt in game, which using such an addon actually isn't worth.

In this case (including the author's behavior) I do not consider putting a warning on the addon site to be enough.