Yeah, this was happening all day again today, along with a ton of gold being handed out to a lot of random users on Bifrost. Guessing they found another way to dupe gold 
Not fixed! Spam all day 
The Devs should stop just fixing that one particular thing and start fixing the main issue itself. This is getting more and more ridiculous. Even content creators seem to send advice to AGS on how to fix their stuff …
Today saw the biggest nuts on the chat around 7PM CET. So still not fixed in Niflheim
Because their hiring process is shit. They have you take a test designed for people who are in college or recently graduated, instead of engineers that have been working for over 20 years.
IDK why but they also think 200k in San Francisco is competitive. If you’re fine with living in a hut then I guess it’s okay. But houses out there are EXPENSIVE.
Apparently you have no idea what you are on about.
Modifying a file on your side is not going to change the image for the others…
Also this has been patched multiple times, people are finding new ways…
the patch is a shitty quick fix, still not properly sanitizing user input.
That’s still not validating on the server. The server should never trust what the client sends. If the client says “X player needs the reward for Y quest.” The server shouldn’t unquestionably send those rewards. It should check things like
- “have you already completed that quest recently?”
- “are you in the correct location to complete this quest?”
- “did you fulfill all prerequisites to complete this quest?”
Only then should the server trust the client. And there should be more checks than just the three examples I gave.
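What those three checks look like when the server, not the client, decides whether a reward is due. This is an added example, not code from the game or from anyone in the thread; the quest table, coordinates, radius and cooldown field are constructed for illustration.

```python
from dataclasses import dataclass, field
import math

@dataclass
class Quest:
    quest_id: str
    reward_gold: int
    location: tuple          # (x, y) world position, constructed values
    radius: float            # how close the player must be to turn it in
    prerequisites: frozenset = frozenset()
    cooldown_s: int = 0      # 0 means the quest can be completed only once

@dataclass
class Player:
    player_id: str
    position: tuple
    gold: int = 0
    completed: dict = field(default_factory=dict)  # quest_id -> last completion time

# Hypothetical quest table, constructed for the example.
QUESTS = {
    "fishing_intro": Quest("fishing_intro", 10, (0.0, 0.0), 25.0),
    "autocomplete_50g": Quest("autocomplete_50g", 50, (100.0, 100.0), 30.0,
                              prerequisites=frozenset({"fishing_intro"})),
}

def validate_claim(player, quest_id, now):
    """Return (ok, reason). The client's claim is treated as untrusted input."""
    quest = QUESTS.get(quest_id)
    if quest is None:
        return False, "unknown quest"
    last = player.completed.get(quest_id)
    if last is not None:                     # "already completed recently?"
        if quest.cooldown_s == 0 or now - last < quest.cooldown_s:
            return False, "already completed"
    if math.dist(player.position, quest.location) > quest.radius:
        return False, "wrong location"       # "in the correct location?"
    missing = quest.prerequisites - set(player.completed)
    if missing:                              # "all prerequisites fulfilled?"
        return False, "missing prerequisites: " + ",".join(sorted(missing))
    return True, "ok"

def grant_reward(player, quest_id, now):
    """Gold is handed out only after the server's own state says it is due."""
    ok, reason = validate_claim(player, quest_id, now)
    if ok:
        player.completed[quest_id] = now
        player.gold += QUESTS[quest_id].reward_gold
    return ok, reason
```

A repeated claim for a one-time quest is rejected by the server's completion record, so resending the same request any number of times adds no gold.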
Seems to be fixed again now, can’t post eggs in chat.
The thing is, you don’t even need college to sanitize html inputs. 13 year olds know this stuff. It’s standard practice everywhere, certain languages literally have a dedicated function to do it for you. These forums do it too (pretty likely this isn’t made by Amazon devs but rather just some sort of a plugin bulletin board).
I’m sure their hiring process is based on political correctness rather than actual skill. People in higher command don’t really care if the job gets done, only if certain bottom lines are met.
PS: 200k is a huge amount of money where I come from. I can fix this issue for them in 2 minutes if they can pay me even a tiny fraction of that.
0% chance you’ve made it past the take home assessment while saying this shit lmao. The little world you’ve created in your imagination to explain the root cause of all your life’s problems must be so sad.
They can’t. A youtuber got trolled on 4chan and made a video claiming it was a thing without providing any proof of it whatsoever so now people act like it’s a real issue.
Was that supposed to be a response to my comment?
By the way they can since there is a quest that auto completes and gives you 50g. If you link that quest into the chat to an item and hover over it then it keeps on auto completing every time you hover over that item and you get 50g.
It would be interesting to have actual proof of this and not just quote what was said in a Youtube video.
PS: Not displaying how to do it, but showing it in action.
I agree with you. They could have easily shown the mouseover completing quests without showing the codes but no… everyone kept saying it is possible. The video that everyone spoke about… he said theoretically it could be used for that but there is no proof of that. Although the img linking is back but that doesn’t mean they could exploit the quest completions.
Evidence where
Sanitizing html is not going to help now that people know they don’t have server side validation. You can just use something like wireshark to intercept requests and change them.
My brain can’t compute not having server validation on a 2021 mmorpg.
I’ll give them the benefit of the doubt, they can’t be that incompetent.
The problem is that it isn’t just images… 
I don’t know about 13 year olds but I remember my first web design class with Dmitry Babichenko, this was one of the first things he taught us. He also gave an example where in a previous job, the startup he was working for had issues with SQL injection. He said that he made a backup of their database then during a meeting he showed them how he could easily drop all their tables with an input field on their website.