PSA: Turn off your Backpack.tf Automatic - critical bug/backdoor


dumbname4dumbgame


The latest version 1.2.3 has a bug/backdoor that allows an incoming trade offer to ask for all the refined metal in your inventory on top of a listed trade, and it will be accepted automatically.

I had a strange sniper rifle with parts listed for 1 key using Automatic. It accepted the following offer while I was afk:

14:48:58 - trade: [u:1:288126566] Everything in offer #979636575 looks good, accepting
14:48:58 - trade: [u:1:288126566] Offer #979636575 - Asked: 1 keys (Strange Sniper Rifle, Refined Metal x330). Offered: -330 metal 1 keys (Mann Co. Supply Crate Key).
14:48:59 - trade: [u:1:288126566] Offer #979636575 successfully accepted; confirmation required

This user: http://steamcommunit...561198248392294 was obviously aware of this bug/backdoor in Automatic and exploited it to trade 1 key for my strange sniper rifle plus all the refined metal in my inventory (330).

Edit: Thanks to Brad Pitt for compensating my losses. I hope you don't have too many victims to deal with.


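The log lines above show the bot treating the 330 refined it was asked for as a negative quantity on the offered side ("Offered: -330 metal 1 keys") rather than as an extra item the other party wanted. The following is an added example, not Automatic's code and not a reconstruction of it, showing the check a trade bot should make instead: the asked side must be exactly the listed item, the offered side must be currency only, and nothing is netted across the two sides. The `Listing` and `Offer` types, the item names as currency, and the second offer id are assumptions constructed for the example; the first offer mirrors the one in the log.

```python
"""Validate an incoming trade offer against a single listing.

Added example (not backpack.tf Automatic's code). Offers are modelled as
Counters of item name -> quantity on the 'asked' (what they want from us)
and 'offered' (what they give us) sides.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Listing:
    item: str              # the single item we listed for sale
    price_keys: int        # asking price in keys
    price_metal: int = 0   # plus this much refined metal


@dataclass
class Offer:
    offer_id: int
    asked: Counter         # items requested from our inventory
    offered: Counter       # items given to us


# Assumption: these two item names are the only things accepted as payment.
CURRENCY = {"Mann Co. Supply Crate Key", "Refined Metal"}


def validate_offer(listing: Listing, offer: Offer) -> tuple[bool, str]:
    """Return (accept, reason).

    Rule 1: the asked side must be exactly one copy of the listed item.
            Currency asked from us is an extra item, not a negative payment,
            so it is rejected outright instead of being subtracted.
    Rule 2: the offered side must contain currency only.
    Rule 3: the currency offered must meet the asking price.
    """
    expected = Counter({listing.item: 1})
    asked = Counter(offer.asked)
    if asked != expected:
        extra = asked - expected
        if extra:
            return False, (f"offer #{offer.offer_id} asks for unlisted items: "
                           f"{dict(extra)}")
        return False, f"offer #{offer.offer_id} does not ask for the listed item"

    non_currency = sorted(n for n in offer.offered if n not in CURRENCY)
    if non_currency:
        return False, (f"offer #{offer.offer_id} pays with non-currency items: "
                       f"{non_currency}")

    keys = offer.offered.get("Mann Co. Supply Crate Key", 0)
    metal = offer.offered.get("Refined Metal", 0)
    # Simplification (assumption): one key outranks any amount of metal, so a
    # lexicographic (keys, metal) comparison is enough for this example.
    if (keys, metal) < (listing.price_keys, listing.price_metal):
        return False, (f"offer #{offer.offer_id} pays {keys} keys + {metal} ref, "
                       f"below asking price")
    return True, "ok"


LISTING = Listing(item="Strange Sniper Rifle", price_keys=1)

# Constructed to match the logged offer: rifle + 330 ref asked, 1 key offered.
LOGGED_OFFER = Offer(
    979636575,
    asked=Counter({"Strange Sniper Rifle": 1, "Refined Metal": 330}),
    offered=Counter({"Mann Co. Supply Crate Key": 1}),
)

# Constructed fair offer (id is made up): just the rifle for 1 key.
FAIR_OFFER = Offer(
    900000001,
    asked=Counter({"Strange Sniper Rifle": 1}),
    offered=Counter({"Mann Co. Supply Crate Key": 1}),
)

# Constructed lowball (id is made up): 10 ref for a 1-key listing.
LOWBALL_OFFER = Offer(
    900000002,
    asked=Counter({"Strange Sniper Rifle": 1}),
    offered=Counter({"Refined Metal": 10}),
)

if __name__ == "__main__":
    for offer in (LOGGED_OFFER, FAIR_OFFER, LOWBALL_OFFER):
        accepted, reason = validate_offer(LISTING, offer)
        print(f"#{offer.offer_id}: {'ACCEPT' if accepted else 'REJECT'} - {reason}")
```

The point of Rule 1 is that the asked side is compared as a set of items against the listing, never folded into a currency total; once you subtract asked metal from offered metal you have already lost the information that the counterparty wanted something you never listed.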

 

The latest version 1.2.3 has a bug/backdoor that allows an incoming trade offer to ask for all the refined metal in your inventory on top of a listed trade, and it will be accepted automatically.

I had a strange sniper rifle with parts listed for 1 key using Automatic. It accepted the following offer while I was afk:

14:48:58 - trade: [u:1:288126566] Everything in offer #979636575 looks good, accepting
14:48:58 - trade: [u:1:288126566] Offer #979636575 - Asked: 1 keys (Strange Sniper Rifle, Refined Metal x330). Offered: -330 metal 1 keys (Mann Co. Supply Crate Key).
14:48:59 - trade: [u:1:288126566] Offer #979636575 successfully accepted; confirmation required

This user: http://steamcommunit...561198248392294 was obviously aware of this bug/backdoor in Automatic and exploited it to trade 1 key for my strange sniper rifle plus all the refined metal in my inventory (330).

 

I cannot believe they released the program with such a blatant bug/backdoor. Backpack.tf you have lost my trust.

 

 

Report the user on Backpack.tf as well, for exploiting this bug for profit. Not sure if SteamRep might even look at your report.

Backpack.tf: http://backpack.tf/profiles/76561198248392294


I fail to see how it's bp.tf's fault the exploit existed. I think the point of bugs is to report them so they can be fixed, not so you can growl at the creators despite the fact they went through tireless hours of coding and testing to even get it to function like it's supposed to.

 

y'know, bug reporting

 

All you can do is try to get him banned on trading sites so he can't offload his ref with much ease


I fail to see how it's bp.tf's problem. I think the point of bugs is to report them so they can be fixed, not so you can growl at the creators despite the fact they went through tireless hours of coding and testing.

 

All you can do is try to get him banned on trading sites so he can't offload his ref with much ease

 

What? So I should have stayed quiet about it while more Automatic users get scammed?

 

Or perhaps it's unreasonable to expect a critically compromised program to be taken down until it is fixed, again to prevent further victims.

 

Yes indeed you do fail.


Hi there,

I feel sorry about what happened to you. But you know this kind of thing happens, so you don't have to take it personally.
Just make sure to report the bug in the proper section ==> http://backpack.tf/issue?category_id=541aeee2ba8d8836548b456a
About what you lost, if you can reach the staff management of the website, I'm pretty sure they will offer some sort of compensation.

And the guy who got banned is most likely an alt account, so the real user is free to do more damage.

 

Best of luck


I fail to see how it's bp.tf's fault the exploit existed. I think the point of bugs is to report them so they can be fixed, not so you can growl at the creators despite the fact they went through tireless hours of coding and testing to even get it to function like it's supposed to.

 

y'know, bug reporting

 

All you can do is try to get him banned on trading sites so he can't offload his ref with much ease

How in the hell is it NOT the creator of the tool's fault that their tool had a major exploit?


I fail to see how it's bp.tf's fault the exploit existed. I think the point of bugs is to report them so they can be fixed, not so you can growl at the creators despite the fact they went through tireless hours of coding and testing to even get it to function like it's supposed to.

 

y'know, bug reporting

 

All you can do is try to get him banned on trading sites so he can't offload his ref with much ease

The Automatic feature is a service provided by bp.tf for their users (customers); there is no mention of the feature being in beta test or something. So I think this kind of situation should be handled by the support service for sure.


Firstly, it's been barely an hour since you posted this (publicly, after midnight in the USA, without giving us time to fix the issue before it was revealed to the general public).

 

A new version v1.2.4 is up which resolves this issue. I apologize for it having slipped through. I try to test everything, but this particular case slipped through. All older versions have now been kicked off the server. They'll get an "invalid token" error as we don't have any mechanism with which to send arbitrary messages to Automatic (currently). They can't start back up until they update.

 

Finally, as an apology I've granted you a year of backpack.tf premium.

 

If you ever come across an issue like this, please report it privately before going public with it. If you want to warn people, you can do so without disclosing specifics.
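The response described above, kicking every pre-1.2.4 client off the server by failing its token check until it updates, is a minimum-version gate. The following is an added example, not backpack.tf's or Automatic's code, of how such a gate is typically implemented on the server side; the handler name, the token store and the `"invalid token"` wording are assumptions, the last chosen to match the error the post says old clients see. One detail worth showing: versions must be compared numerically, because a plain string comparison would let a future "1.2.10" sort below "1.2.4".

```python
"""Minimum client version gate for a bot login handshake.

Added example (not backpack.tf Automatic's code). The server answers a
client's (token, version) handshake and refuses clients older than the
first fixed release, so vulnerable builds cannot start up.
"""
from __future__ import annotations

# First release the post says resolves the issue.
MIN_VERSION = "1.2.4"

# Constructed token store: token -> account id (stand-in for a real database).
VALID_TOKENS = {"tok-constructed-example": "account-123"}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'v1.2.4' or '1.2.4' into (1, 2, 4) so tuples compare numerically.

    Raises ValueError for anything that is not dotted integers, which the
    caller treats as an unsupported client.
    """
    text = version.strip()
    if text[:1] in ("v", "V"):
        text = text[1:]
    parts = text.split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {version!r}")
    return tuple(int(p) for p in parts)


def version_allowed(client_version: str, minimum: str = MIN_VERSION) -> bool:
    """True when client_version >= minimum, compared component-wise."""
    try:
        return parse_version(client_version) >= parse_version(minimum)
    except ValueError:
        return False


def handshake(token: str, client_version: str) -> dict:
    """Server-side handshake (assumed shape): check version before the token.

    Returns {"ok": True, "account": ...} for an accepted client, otherwise
    {"ok": False, "error": "invalid token"}. Old clients get the same
    'invalid token' answer a post above describes, because the protocol has
    no separate 'please update' message; a real deployment that can extend
    the protocol should add one so users are told why they were rejected.
    """
    if not version_allowed(client_version):
        return {"ok": False, "error": "invalid token",
                "reason": f"client {client_version} below minimum {MIN_VERSION}"}
    account = VALID_TOKENS.get(token)
    if account is None:
        return {"ok": False, "error": "invalid token", "reason": "unknown token"}
    return {"ok": True, "account": account}


if __name__ == "__main__":
    for ver in ("1.2.3", "1.2.4", "v1.2.10", "garbage"):
        print(ver, "->", handshake("tok-constructed-example", ver))
```

The `"1.2.10"` case is the reason for `parse_version`: as strings, `"1.2.10" < "1.2.4"` is true, so a string comparison would lock out the newest client while letting nothing useful through.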


Firstly, it's been barely an hour since you posted this (publicly, after midnight in the USA, without giving us time to fix the issue before it was revealed to the general public).

 

A new version v1.2.4 is up which resolves this issue. I apologize for it having slipped through. I try to test everything, but this particular case slipped through. All older versions have now been kicked off the server. They'll get an "invalid token" error as we don't have any mechanism with which to send arbitrary messages to Automatic (currently). They can't start back up until they update.

 

Finally, as an apology I've granted you a year of backpack.tf premium.

 

If you ever come across an issue like this, please report it privately before going public with it. If you want to warn people, you can do so without disclosing specifics.

 

Point taken, in hindsight it was handled quite quickly. Although I knew of no channels to privately report something like this.

 

It is still alarming that a major exploit that could be fixed in less than an hour stayed up for so long.

 

Thank you for the apology but premium does nothing for me, especially with most of my trading wealth gone.


Point taken, in hindsight it was handled quite quickly. Although I knew of no channels to privately report something like this.

 

It is still alarming that a major exploit that could be fixed in less than an hour stayed up for so long.

 

Thank you for the apology but premium does nothing for me, especially with most of my trading wealth gone.

 

It's not as if McKay knew about the exploit and didn't fix it. As soon as he was aware of the issue he fixed it, and it seems they have a way to ensure that vulnerable versions won't be affected any longer.


Same guy came after mine, but I shut my computer down last night so bp.tf auto wasn't running (I don't remember why I did that, had to be the first time in over a week). I use my phone for confirmations so I still would have had to manually confirm the trade even if bp.tf auto had accepted.

 

 

http://i.imgur.com/I8YYKXy.png


They got trade banned by Valve a moment ago.

Let's hope that he did not send all the metal in the other accounts, although I very much doubt.


First of all, I'd like to apologize for this issue. I have a log of all the offers this user has completed successfully and I will do my best to refund people who lost metal because of this. Anyone who got scammed will receive 1 year of backpack.tf premium added to their account as a bonus. If you have lost items because of automatic please message me directly with details of the trade (including trade id from the logs) and I will do my best to make this right.

 

In the future, should a security issue like this be discovered, it would be best to contact an admin privately. Making the bug public is basically telling people how to scam others. Not everyone is online at every moment, so a "PSA" telling people to close off their bot while they're sleeping is only triggering scammers to try and scam others. Thankfully mckay handled this correctly and disabled the bot from our side.


Following a private report from backpack.tf admins, the exploiter has received a tag on SteamRep.

 

Unfortunately, this appears to be a throwaway account created specifically for exploiting the bug, and we are unable to track any alts. Seeing the exploiter is already trade banned, and unlikely to be the main account, the impact of a tag is probably minimal. We are looking at what we can do to try and research this further, but cannot make any promises.

 

I would like to commend Brad Pitt for repaying those who were affected by this bug.
