exclamation-circle Lackey Vulnerabilities

28 Apr 2021 23:33 #102185 by self biased
Replied by self biased on topic Lackey Vulnerabilities

Do we know who own Lackey? If he can fix the code?


Yes, and he's basically content to only host the server, and that's about it.  he's come out and said that there are no plans to further update Lackey.

Please Log in or Create an account to join the conversation.

More
29 Apr 2021 16:42 #102187 by Ankha
Replied by Ankha on topic Lackey Vulnerabilities

Do we know who own Lackey? If he can fix the code?


Yes, and he's basically content to only host the server, and that's about it.  he's come out and said that there are no plans to further update Lackey.

And considering it's been years we've sent requests to him, at least to support non-qwerty keyboards, I think we can assume no change will be ever done.

Prince of Paris, France
Ratings Coordinator, Rules Director

Please Log in or Create an account to join the conversation.

More
29 Apr 2021 19:14 #102188 by beslin igor
Replied by beslin igor on topic Lackey Vulnerabilities

 


Do we know who own Lackey? If he can fix the code?


 


yes we know,i just checked me old meseges with lackey owner. he promise in end 2019 how will talk with some people to share lackey code to they fix bugs. i remind him some time if he want to do that but him stop to answer on me mesages. 
because lackey server be much time down one guy want to donate : a dedicated VPS machine with good connectivity,to help with this problem,lackey admin say he will checked shared topic about this,but never reply.
idk if make sense ask him to share code again,because some people inform me if him share code him will lose control of lackey.
well if want to contact him first need to find again people who want to help about fix bugs,because people who promise that earlier maybe dont have more free time for that.
The following user(s) said Thank You: Katricz

Please Log in or Create an account to join the conversation.

More
09 Feb 2022 12:58 #104660 by rolv
Replied by rolv on topic Lackey Vulnerabilities

Greetings folks.

I found 05 vulnerabilities in Lackey that I share with all of you.

First, I would like to emphasize that the goal is to make it public for everyone and look for a solution for this application and for our beloved game.

01 - Cancel Draw

The Cancel Draw button returns the leftmost card to the library, if the cards are changed order in your hand, Cancel Draw will return the wrong card.

02 - No Shuffle

In the main folder of the plugin, which is at:
(...) \ LackeyCCG \ plugins \ vtes \
has a file called plugininfo.txt with the settings for shuffling the deck, marked as Yes. If you switch to No, the decks will not be shuffled when imported, allowing the user to choose the order of the cards he will draw (order that was placed in the deck creation).

03 - Disconect and Load Game Offline

the user can disconnect in a match, go offline and use the Load Game. With that he restores the same game table online.
That user will be able to see his hands and all his library before resuming to the online game, giving them an unlawful advantage.

04 - Cain Mode

When passing the turn, Lackey generates an autosave file in the \ LackeyCCG \ plugins \ vtes \ saved \

This file contains all the information of the table, such as hand, libray, crypta, pool of all players.
Although the card is in code, it is easily possible to make the corresponding name for that code.

It is not need to map all the cards to have extraneous advantages, just know that the X, Y, Z codes are deflection cards and the T card is Archon, to be able to use that bleed of 07 without worry.

I mapped all cards ID and Names to show how this work, and I will gladly show you.
After start a game and pass turn, I can tell all hand, livrary order, crypt for all players.


05 - Revert to Autosave

The Autosave file can be changed before using Revert to Autosave. It is possible to change the pool, the cards, the library before using Revert to Autosave.



This information is already known to several people from different countries.
I can't say that anyone used that in games, but I'm sure they know it.

Rather than trying to solve the problem, people that knew tried to hide these flaws to prevent users from using it.

I prefer to divulge to everyone about them and ask the community for help in finding solutions.

No further.

Katricz


 

File Attachment:

File Name: LackeyID-Library.zip
File Size:55 KB


I've been fiddling with Lackey's commands and macros recently, and I think some solutions can be found, for some of these issues at least. Here are the commands is anyone's interested: lackeyccg.com/tutoriallogcommands.html

01 - Cancel Draw

In Lackey terms, Cancel Draw moves a card from top of "Hand" zone to top of "Library" zone. I think that in order to fix that, the order of library would have to be tracked, which is not possible at the moment AFAIK. At the moment, players have to remember what was the last card they've drawn.

02 - No Shuffle

In my opinion this could be resolved using:
/shuffleseat S Z

Where S is a player's seat and Z is number of the zone to be shuffled. This, combined with chained commands can give is a command to shuffle All 5 players Library that could be dispatched by the judge, provided that players haven't changed the zone order in plugininfo.txt (I mean, that would result in other horrible bugs, so this is highly unlikely and is a part of a larger problem):
/shuffleseat 1 2;/shuffleseat 2 2;/shuffleseat 3 2;/shuffleseat 4 2;/shuffleseat 5 2

03 - Disconnect and Load Game Offline
04 - Cain Mode
05 - Revert to Autosave

Well, that would be basically cheating, so the problem is the insecurities of an adult that is cheating in a card game played for fun, I don't know how to fix that :/ Opinions aside, it's indeed an issue and would require extending Lackey with some encryption capabilities.

Some other ways I can think of in order to prevent it is to have a judge/unbiased player who's handling the game state, i.e. runs /savegame gamefile_name, /loadgame gamefile_name commands. This won't prevent bad intentions though.

Another one would be that after restoring a saved game, all players have to whisper the checksum of the save file using the "/checksum LocalPath" command. This however can get a bit tedious since it's requires a chain of actions to handle, but basically yeah, checking a file sum of a file can indicate whether the file has been tampered with, it won't fix the issue of peeking into the file without making changes though.


As far as vulnerabilities go, in general, Lackey was not designed to handle malicious intent in my opinion. It's intended for having fun together, at least that's how I try to use this software. For example, if somebody would like to ruin the game, they could just run /shufflealldecks in the chat and boom, every zone of every player gets shuffled (Hand, Library, Crypt etc.), one could exchange hands of players clockwise with a command and so on.

Also, I agree that online tournament ranking should be a separate category and/or should be calculated differently from real-life tournaments.

Please Log in or Create an account to join the conversation.

More
10 Feb 2022 12:37 #104663 by Lönkka
Replied by Lönkka on topic Lackey Vulnerabilities
LOL,
such a system is sure fine and dandy for casual games but especially now during covid there has been official championships organized using Lackey which leaves the tournament wide open to anyone sorry and ruthless enough to exploit these weaknesses :'(

Finnish :POT: Politics!

Please Log in or Create an account to join the conversation.

  • Lönkka
  • Lönkka's Avatar
  • Offline
  • Antediluvian
  • Antediluvian
  • War=peace, freedom=slavery, ignorance=strength
More
Moderators: AnkhaKraus
Time to create page: 0.116 seconds
Powered by Kunena Forum