13AUG24 - URL-editing Exploit Closed
GM Jejune
Moderator Group
GM Joined: 24 Feb 2022 Location: Illyriad Status: Offline Points: 567
Posted: 13 Aug 2024 at 04:14
The DEVS have taken decisive action to identify, confirm, and rectify an exploit that was recently used in a live combat setting between 2 players and called out in a subsequent petition. The exploit involved circumventing the game’s user interface to claim sovereignty on a square co-occupied by a rival.

Sov Claiming on a Square with an Inbound Exodus

As many players are aware, claiming sovereignty on a square with an exodused city inbound is prohibited by the game’s design. If a player encamps an army on a square that has an exodused city inbound to it, the “Claim Sovereignty” option in the pop-up navigation on the tactical map for that square will not appear. Additionally, to our knowledge, there are no other paths for implementing a sovereignty claim on a square with an inbound city on any other navigation or functionalities offered to users in the UI of the game.

Details of the Exploit

The DEVS were able to confirm that sovereignty was initiated on the square in question after the petitioner's city was en route to it:

- Exodus was initiated at 2024-08-11 15:17:15.517
- The sov claim was initiated at 2024-08-12 00:07:12.500
- Exodus arrived at 2024-08-12 01:49:26.837

This safeguard was circumvented by a player not by creative use of the game’s features or user interface, but by editing the URL of the sovereignty claim confirmation page with the coordinates of the square that otherwise would be prohibited from being sov’ed. Specifically, the sequence of the exploit is as follows:
Having the occupied army on the square fulfilled the requirements of having an army from the sov-claiming city, but manipulating the URL circumvented the user interface. This exploit has been closed by the dev team.

The URL is not part of Illy’s UI

It should be reiterated that, while several of the game’s graphical interfaces were used to initiate this exploit, it was the manipulation of the URL that allowed circumventing what the GUI seeks to prevent in-game. The editable text box where the URL of any web page resides is a component of a web browser – it is not part of Illyriad and the game is not designed to be traversed by players forcing their way through the safeguards of the graphical user interface by making changes to URL structures. We feel that this fact of the game is eminently self-evident.

Consequences of the Exploit

We took this exploit very seriously because it gave players an unfair advantage in combat situations by allowing the player with claimed sovereignty to monitor armies occupying the city, as well as other scenarios that could break the game state. In short, the exploit created an unlevel playing field, which is against the principles of fair play that we uphold in our community.

GM Stormcrow was very clear in his remarks about the “GDT Hacks” in May, 2024 when he noted (emphasis added):

"If you directly let us know about an exploit that you’re aware of, there’s currently an amnesty on the ‘how-to’ knowledge, but not the practice. I’d rather know about it and get it closed than throw people out of the game, but my patience threshold for players and alliances who continue to use GDT exploits has been broached."

While this case is not technically classified as a "GDT hack," it nonetheless violated the spirit of SC’s warning and the integrity of our platform.
We want to make it clear - again - that we are done tolerating any attempts to manipulate URLs, leverage GDT, or similar methods to achieve results that the user interface was clearly not designed to allow. Any such actions will result in the permanent loss of your account.

Players are strongly urged to stop experimenting with subversive tactics like these – particularly when other players’ cities are at stake. A good game rule is: If the UI won’t let me do it, don’t look for ways to get around it.

In this specific case, we have taken action against the player who used this exploit against a rival player in a live combat setting, issuing a suspension of the account.

We urge everyone to respect the rules of the platform and play fairly. Let's keep the game enjoyable and competitive for everyone. Thank you for your understanding and cooperation.

Sincerely,
The Illyriad Development Team
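
The announcement above describes a rule that was enforced by hiding a UI option while the confirmation page still accepted the square's coordinates from the URL. The sketch below is an added example, not part of the original post and not Illyriad's code: it shows the server re-checking both stated conditions (an army from the claiming city on the square, no city in exodus to it) for every request. The `World` model, the `/sov/confirm?x=..&y=..` URL shape and all function names are hypothetical.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs


class ClaimRejected(Exception):
    """Raised when a claim breaks a rule, however the request was built."""


@dataclass
class World:
    # Constructed stand-in for server-side game state; squares are (x, y).
    armies: dict = field(default_factory=dict)        # square -> city ids encamped
    inbound_exodus: set = field(default_factory=set)  # squares with a city en route
    sovereignty: dict = field(default_factory=dict)   # square -> claiming city id
    audit: list = field(default_factory=list)         # rejected attempts, for review


def parse_target(url):
    """Read x/y from a hypothetical /sov/confirm?x=..&y=.. URL (untrusted input)."""
    query = parse_qs(urlparse(url).query)
    try:
        return int(query["x"][0]), int(query["y"][0])
    except (KeyError, ValueError):
        raise ClaimRejected("malformed coordinates")


def claim_sovereignty(world, session_city, url):
    """Apply the claim only if the server-side rules hold for the target square.

    session_city comes from the authenticated session, never from the URL.
    """
    square = parse_target(url)
    try:
        if session_city not in world.armies.get(square, set()):
            raise ClaimRejected("no army from the claiming city on this square")
        if square in world.inbound_exodus:
            raise ClaimRejected("a city is in exodus to this square")
    except ClaimRejected as exc:
        # The UI never offers this request, so a rejection here is worth logging.
        world.audit.append((session_city, square, str(exc)))
        raise
    world.sovereignty[square] = session_city
    return square
```

With the rules checked here, it no longer matters whether a request came from the map pop-up, a shared link or an edited address bar, and the audit list gives moderators a record of requests the UI would not have produced.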

Thirion
Postmaster
Joined: 10 Apr 2018 Status: Offline Points: 680
Posted: 13 Aug 2024 at 07:36
Hello The Illyriad Development Team,
I reported the bug via a petition and got an answer from a GM on 25/05/2024 18:00:01. The dev team had problems reproducing the issue - thus I sent an E-Mail with screenshots and a detailed description on how to reproduce it to the developers on Sat, 25 May, 21:04. After that we had a discussion about this topic in the petition. At no point in the conversation did the developers mention that it is not allowed. On the contrary - there was a statement by GM Stormcrow that to me personally read like there is no issue with the situation and thus in my opinion allowing this situation. Unfortunately I am not allowed to share the details here. I also updated the developers about how the situation was created yesterday (without being asked about it).

Let me summarize the situation:

Copying (and also changing) URLs in Illyriad is a common practice - thus in my personal opinion the URL is part of the UI. Good to know that it is not. I told the player on how to do it because I was under the impression that it was allowed according to the rule "Unintended by the developers behaviour is allowed as long as the ingame UI is used" and there not being a statement that it is not allowed.

I am glad you fixed the bug. Because of the situation mentioned above the developers should in my opinion re-consider the suspension.

Best regards,
Thirion/Ellania/TrollHunter

Edited by Thirion - 13 Aug 2024 at 07:39

Thirion
Postmaster
Joined: 10 Apr 2018 Status: Offline Points: 680
Posted: 13 Aug 2024 at 08:14
I just checked our Discord. The suspended player quite likely did not even modify the URL. He just clicked a link that I supplied:

We claim Sov around our Exodus locations to protect the city there. This is a common approach done for a lot of our war wagons/exos. The same in this case - the player in question tried to claim Sov around his Exo when he found the issue mentioned above. I sent him a link that worked. Thus in my opinion the suspended player did nothing wrong.

I also explained what was going on in a separate discussion and what to do to still claim sov there. At that time we did not know the implications of having sov under a city (i.e. what exactly would happen)! We did not know who exoed there. We just wanted to protect our city - as we usually do.

Note: Again, sharing links is a common feature and approach used in Illyriad! In this case since the beginning we have been open and communicated the bug and issue.

If you need someone to suspend then it should be me. I found the bug, reported it and I was the one that modified the URL.

Best regards,
Thirion/Ellania/TrollHunter

Edited by Thirion - 13 Aug 2024 at 08:16

Island Living
Greenhorn
Joined: 19 Jun 2024 Location: United States Status: Offline Points: 102
Posted: 13 Aug 2024 at 08:33
SMA tried to move towns close to Westmarch in a stealthy manner and only claimed sov AFTER their towns moved into exo and were close to landing. In hindsight that was a terrible move on SMA's end as we remained vigilant. Your claim that you sov exo landings simply doesn't apply to this case because you didn't pre sov and you know it. The devs tracked everything event by event.

GM Stormcrow made it very clear when he said:

"... When (in hindsight unwisely) I said that "if it's done using the UI, it's legal" I - in no way whatsoever - thought for one second that anyone would believe this meant "SC says it's fine to go behind the User Interface, using GDT or Tampermonkey, and push manually-altered data into the back end that the publicly-available front-end would never allow...."

More remarks from GM Stormcrow can be found on this matter in the post GM JJ mentioned above. The siege of Puffin was a huge deal and the rules were made 100% clear afterwards. The fact that you think you can still break them is baffling, let alone escape punishment when caught red handed.
Would you like a cookie with that?

Thirion
Postmaster
Joined: 10 Apr 2018 Status: Offline Points: 680
Posted: 13 Aug 2024 at 09:29
He was late, yes. In my opinion that has nothing to do with this topic though.

We knew someone was coming. We didn't know who. We had an issue recently where 2 SMA players exoed next to each other. I explained in detail the "how". He quite likely essentially clicked a link that I modified. What the devs posted was my initial description on how to produce the bug.

I changed the URL. I did not change any (other) data that was pushed into the backend (outside of the coordinates in the URL). The Sov claim was done the conventional way with the conventional user interface. In my personal opinion the URL is part of the UI. Sharing URLs is quite common in Illyriad. And until now changing/modifying URLs is quite common. I do not know how exactly DurcTools works - but I am quite sure that they create and/or modify URLs there. As an example for tournaments I manually modify URLs to send out direct attack links to the tournament squares.

There are multiple major differences here.

1) The devs made the statement "Everything done by the UI is fine". The URL being part of the UI is at least reasonable to assume? No external or developer tools are used.
2) Sharing and/or modifying the URL is in my experience quite common. Thus it is reasonable to assume that this wasn't an issue?
3) The devs knew about this issue for months and they did not mention in the petition that it is not allowed. In my personal opinion even the contrary.
4) The suspended player quite likely just clicked a link. The modification of the URL was done by me (proof see in my previous post).
5) We did not know who was moving there and/or the implications it would have. We just wanted to avoid further issues by claiming the Sov.

As I said - if someone needs to be suspended then it should be me. I was the one who changed the URL here.

Island Living
Greenhorn
Joined: 19 Jun 2024 Location: United States Status: Offline Points: 102
Posted: 13 Aug 2024 at 09:40
The player in question had to have a unit on the un-sov'able square AND had to have a unit from the same city on another square where sov could be claimed. Once that happened then they could theoretically "click your link" and claim sov in a manner not intended within the UI. None of that sounds like "I didn't know better". It sounds even worse when you toss in the fact that you knew someone was moving there and claimed the sov maliciously, not defensively. The RE city was already in exo to the square, all elements of defensive sov to prevent that was moot at that point.
Would you like a cookie with that?

Thirion
Postmaster
Joined: 10 Apr 2018 Status: Offline Points: 680
Posted: 13 Aug 2024 at 09:58
I am quite certain you are wrong here. You need an army there yes. But then the link is enough to initiate the Sov claim here. As far as I remember I have done this in the past. I think the issue is fixed thus I cannot reproduce it anymore.

I reported the bug to the devs months ago. In my initial bug report I also stated that in my opinion it is done (more or less) within the UI. Thus allowed. They did not say "it is not allowed". On the contrary. They essentially said "we do not see a reason to prevent this" (paraphrasing here). Thus I was under the assumption that it was allowed and also mentioned that to the devs. Otherwise I would not have modified the URL and sent it to the suspended player.

Edited by Thirion - 13 Aug 2024 at 10:01

Thirion
Postmaster
Joined: 10 Apr 2018 Status: Offline Points: 680
Posted: 13 Aug 2024 at 10:26
Sorry for the "rants". But in my opinion this topic is important. And I hope this is considered as positive and constructive critique. I am trying to give more information and my point of view. If there is a problem please inform me and I am glad to change my approach (e.g. move back to petitions) or stop.

I stated from the beginning that in my opinion all major or gamebreaking bugs should not be allowed. Including "Siege in a city" and "NPC siege". I still believe this.

In my opinion this statement encourages players to look for "creative use" of game features. Which in my opinion leads to more about finding and abusing gamebreaking, but allowed bugs instead of playing the game. And to be honest in its current state warfare in Illyriad is a buggy mess. I have 4 open or unfixed warfare bugs and there are more I know about (they are not that impactful - thus I have not reported them yet).

The devs make the rules. I play by the rules. I personally thought that similar to the "Siege in a city" and "NPC siege" it was unintended but allowed. I had multiple reasons that supported this. That is why I used it.

King Sigerius
Forum Warrior
Joined: 11 Nov 2017 Location: Michigan Status: Offline Points: 256
Posted: 13 Aug 2024 at 12:01
Altering the URL or other backdoor means of actions non native to the UI or normal play have always been illegal. And I was told I can't call you a cheater yesterday, thanks for doing it for me today. These are the reasons our war wasn't fun.

I'd offer my bag of tricks to the devs but nah, I'd rather see sma be banned for using them before they're closed. It's so weird how sma has acted this war, very shameful and unsportsmanlike. To the point my much much smaller team left. Manipulating people to cheat is also bannable. I still feel justice hasn't been served.
KS

Meat puppet
New Poster
Joined: 27 Feb 2022 Location: US Status: Offline Points: 19
Posted: 13 Aug 2024 at 12:38
So, aside from whatever else transpired, the system will not allow you to claim sov on a square where an exodused city is going to land but it will allow another city to be exodused to an adjacent square. This clearly violates the 10 square rule for exodus. The system either knows a city is coming or doesn't, you can't fix one exploit and allow the other. It's long overdue for this "bug" to be closed.