dumbname4dumbgame Posted January 27, 2016

The latest version 1.2.3 has a bug/backdoor that allows an incoming trade offer to ask for all the refined metals in your inventory on top of a listed trade, and it will be accepted automatically.

I had a strange sniper rifle with parts listed for 1 key using Automatic. It accepted the following offer while I was afk:

14:48:58 - trade: [u:1:288126566] Everything in offer #979636575 looks good, accepting
14:48:58 - trade: [u:1:288126566] Offer #979636575 - Asked: 1 keys (Strange Sniper Rifle, Refined Metal x330). Offered: -330 metal 1 keys (Mann Co. Supply Crate Key).
14:48:59 - trade: [u:1:288126566] Offer #979636575 successfully accepted; confirmation required

This user: http://steamcommunit...561198248392294 was obviously aware of this bug/backdoor in Automatic and exploited it to trade 1 key for my strange sniper rifle plus all the refined metal in my inventory (330).

Edit: Thanks to Brad Pitt for compensating my losses. I hope you don't have too many victims to deal with.

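An added example, not part of the thread and not Automatic's own code: a small Node.js audit that scans log lines of the shape quoted in the post above and flags offers whose "Offered" summary carries a negative amount, or whose asked items include metal that the "Asked" summary does not price. The sample log (the three quoted lines plus one made-up ordinary offer), the regexes and the function names are assumptions built from those lines.

```javascript
// Constructed sample: the three log lines quoted in the post, plus one made-up
// ordinary offer (#100000001, user u:1:1000) for contrast.
const SAMPLE_LOG = `14:40:10 - trade: [u:1:1000] Offer #100000001 - Asked: 1 keys (Strange Sniper Rifle). Offered: 1 keys (Mann Co. Supply Crate Key).
14:40:11 - trade: [u:1:1000] Offer #100000001 successfully accepted; confirmation required
14:48:58 - trade: [u:1:288126566] Everything in offer #979636575 looks good, accepting
14:48:58 - trade: [u:1:288126566] Offer #979636575 - Asked: 1 keys (Strange Sniper Rifle, Refined Metal x330). Offered: -330 metal 1 keys (Mann Co. Supply Crate Key).
14:48:59 - trade: [u:1:288126566] Offer #979636575 successfully accepted; confirmation required`;

// Assumed line shapes, taken from the quoted log only.
const SUMMARY = /Offer #(\d+) - Asked: (.*?) \((.*?)\)\. Offered: (.*?) \((.*?)\)\./;
const ACCEPTED = /Offer #(\d+) successfully accepted/;

// "-330 metal 1 keys" -> { metal: -330, keys: 1 }
function parseAmounts(text) {
  const out = {};
  for (const m of text.matchAll(/(-?\d+(?:\.\d+)?) (metal|keys)/g)) {
    out[m[2]] = Number(m[1]);
  }
  return out;
}

// Returns the offers that look inconsistent, with whether each was accepted.
function auditLog(log) {
  const offers = new Map();
  for (const line of log.split('\n')) {
    const s = SUMMARY.exec(line);
    if (s) {
      const asked = parseAmounts(s[2]);
      const offered = parseAmounts(s[4]);
      const reasons = [];
      if (Object.values(offered).some((v) => v < 0)) {
        reasons.push('negative offered amount');
      }
      // Assumption: the "Asked" summary is the listing price, so metal in the
      // asked item list with no metal in that summary was not priced in.
      if (/\bMetal\b/.test(s[3]) && !('metal' in asked)) {
        reasons.push('metal asked but not in asked summary');
      }
      offers.set(s[1], { id: s[1], reasons, accepted: false });
    }
    const a = ACCEPTED.exec(line);
    if (a && offers.has(a[1])) offers.get(a[1]).accepted = true;
  }
  return [...offers.values()].filter((o) => o.reasons.length > 0);
}

console.log(auditLog(SAMPLE_LOG));
```
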
Mengh. Posted January 27, 2016

> The latest version 1.2.3 has a bug/backdoor that allows an incoming trade offer to ask for all the refined metals in your inventory on top of a listed trade, and it will be accepted automatically.
>
> I had a strange sniper rifle with parts listed for 1 key using Automatic. It accepted the following offer while I was afk:
>
> 14:48:58 - trade: [u:1:288126566] Everything in offer #979636575 looks good, accepting
> 14:48:58 - trade: [u:1:288126566] Offer #979636575 - Asked: 1 keys (Strange Sniper Rifle, Refined Metal x330). Offered: -330 metal 1 keys (Mann Co. Supply Crate Key).
> 14:48:59 - trade: [u:1:288126566] Offer #979636575 successfully accepted; confirmation required
>
> This user: http://steamcommunit...561198248392294 was obviously aware of this bug/backdoor in Automatic and exploited it to trade 1 key for my strange sniper rifle plus all the refined metal in my inventory (330).
>
> I cannot believe they released the program with such a blatant bug/backdoor. Backpack.tf you have lost my trust.

Report the user on Backpack.tf as well, for exploiting this bug for profit. Not sure if SteamRep might even look at your report.

Backpack.tf: http://backpack.tf/profiles/76561198248392294

dumbname4dumbgame (Author) Posted January 27, 2016

Steamrep report is here: http://forums.steamrep.com/threads/report-76561198248392294-tf2-team-fortress-2-items.121345/

Although I doubt they will do anything this decade if at all.

3.50 Posted January 27, 2016

> I doubt they will do anything this decade if at all.

Very doubtful. You'll want to report them on FOG, or somewhere else active.

dumbname4dumbgame (Author) Posted January 27, 2016

The scammer's since been banned on Backpack.tf: http://backpack.tf/profiles/76561198248392294

However the compromised bot's yet to be taken down nor any official warning for other users not to use it.

♥Prof. Sugarcube♥ Posted January 27, 2016

I fail to see how it's bp.tf's fault the exploit existed, I think the point of bugs is to report them so they can be fixed, not so you can growl at the creators despite the fact they went through tireless hours of coding and testing to even get it to function like it's supposed to

y'know, bug reporting

All you can do is try to get him banned on trading sites so he can't offload his ref with much ease

dumbname4dumbgame (Author) Posted January 27, 2016

> I fail to see how it's bp.tf's problem, I think the point of bugs is to report them so they can be fixed, not so you can growl at the creators despite the fact they went through tireless hours of coding and testing
>
> All you can do is try to get him banned on trading sites so he can't offload his ref with much ease

What? So I should have stayed quiet about it while more Automatic users get scammed? Or perhaps it's unreasonable to expect a critically compromised program to be taken down until it is fixed, again to prevent further victims. Yes indeed you do fail.

SapienS Posted January 27, 2016

Hi there, I feel sorry about what happened to you. But you know this kind of thing happens so you don't have to take it personally. Just make sure to report the bug in the proper section ==> http://backpack.tf/issue?category_id=541aeee2ba8d8836548b456a

About what you lost, if you can reach the staff management of the website, I'm pretty sure they will offer some sort of compensation. And the guy who got banned is most likely an alt account, so the real user is free to do more damage

Best of luck

Geel Posted January 27, 2016

> I fail to see how it's bp.tf's fault the exploit existed, I think the point of bugs is to report them so they can be fixed, not so you can growl at the creators despite the fact they went through tireless hours of coding and testing to even get it to function like it's supposed to
>
> y'know, bug reporting
>
> All you can do is try to get him banned on trading sites so he can't offload his ref with much ease

How in the hell is it NOT the creator of the tool's fault that their tool had a major exploit?

SapienS Posted January 27, 2016

> I fail to see how it's bp.tf's fault the exploit existed, I think the point of bugs is to report them so they can be fixed, not so you can growl at the creators despite the fact they went through tireless hours of coding and testing to even get it to function like it's supposed to
>
> y'know, bug reporting
>
> All you can do is try to get him banned on trading sites so he can't offload his ref with much ease

the automatic feature is a service provided by bp.tf for their users(customers), there is no mention about the feature being on beta test or something. So I think this kind of situation should be handled by the support service for sure

Dr. McKay Posted January 27, 2016

Firstly, it's been barely an hour since you posted this (publicly, after midnight in the USA, without giving us time to fix the issue before it was revealed to the general public).

A new version v1.2.4 is up which resolves this issue. I apologize for it having slipped through. I try to test everything, but this particular case slipped through.

All older versions have now been kicked off the server. They'll get an "invalid token" error as we don't have any mechanism with which to send arbitrary messages to Automatic (currently). They can't start back up until they update.

Finally, as an apology I've granted you a year of backpack.tf premium. If you ever come across an issue like this, please report it privately before going public with it. If you want to warn people, you can do so without disclosing specifics.

dumbname4dumbgame (Author) Posted January 27, 2016

> Firstly, it's been barely an hour since you posted this (publicly, after midnight in the USA, without giving us time to fix the issue before it was revealed to the general public).
>
> A new version v1.2.4 is up which resolves this issue. I apologize for it having slipped through. I try to test everything, but this particular case slipped through.
>
> All older versions have now been kicked off the server. They'll get an "invalid token" error as we don't have any mechanism with which to send arbitrary messages to Automatic (currently). They can't start back up until they update.
>
> Finally, as an apology I've granted you a year of backpack.tf premium. If you ever come across an issue like this, please report it privately before going public with it. If you want to warn people, you can do so without disclosing specifics.

Point taken, in hindsight it was handled quite quickly. Although I knew of no channels to privately report something like this. It is still alarming that a major exploit that could be fixed in less than an hour stayed up for so long.

Thank you for the apology but premium does nothing for me, especially with most of my trading wealth gone.

Geel Posted January 27, 2016

> Point taken, in hindsight it was handled quite quickly. Although I knew of no channels to privately report something like this. It is still alarming that a major exploit that could be fixed in less than an hour stayed up for so long.
>
> Thank you for the apology but premium does nothing for me, especially with most of my trading wealth gone.

It's not as if McKay knew about the exploit and didn't fix it. As soon as he was aware of the issue he fixed it, and it seems they have a way to ensure that vulnerable versions won't be affected any longer.

I see dead digletts Posted January 27, 2016

Just had the same person attempt to steal my ref. Luckily I'd already upgraded.

BoomZoom Posted January 27, 2016

I too be scammed. - 226 ref http://imgur.com/5hGsGfE

15 minutes later and I would have kept my metal.

> Finally, as an apology I've granted you a year of backpack.tf premium.

Can I also receive compensation in the form of premium?

Lo-Rez Posted January 27, 2016

eh, shit happens. thanks for updating it so quick.

42isTooShort Posted January 27, 2016

Same guy came after mine, but I shut my computer down last night so bp.tf auto wasn't running (I don't remember why I did that, had to be the first time in over a week). I use my phone for confirmations so I still would have had to manually confirm the trade even if bp.tf auto had accepted.

http://i.imgur.com/I8YYKXy.png

AdamWTS Posted January 27, 2016

They got trade banned by Valve a moment ago.

BoomZoom Posted January 27, 2016

> They got trade banned by Valve a moment ago.

Let's hope that he did not send all the metal in the other accounts, although I very much doubt.

Brad Pitt Posted January 27, 2016

First of all, I'd like to apologize for this issue. I have a log of all the offers this user has completed successfully and I will do my best to refund people who lost metal because of this. Anyone who got scammed will receive 1 year of backpack.tf premium added to their account as a bonus.

If you have lost items because of automatic please message me directly with details of the trade (including trade id from the logs) and I will do my best to make this right.

In the future, should a security issue like this be discovered, it would be best to contact an admin privately. Making the bug public is basically telling people how to scam others. Not everyone is online at every moment, so a "PSA" telling people to close off their bot while they're sleeping is only triggering scammers to try and scam others. Thankfully mckay handled this correctly and disabled the bot from our side.

Lava Posted January 29, 2016

Following a private report from backpack.tf admins, the exploiter has received a tag on SteamRep. Unfortunately, this appears to be a throwaway account created specifically for exploiting the bug, and we are unable to track any alts. Seeing the exploiter is already trade banned, and unlikely to be the main account, the impact of a tag is probably minimal. We are looking at what we can do to try and research this further, but cannot make any promises.

I would like to commend Brad Pitt for repaying those who were affected by this bug.

Archived
This topic is now archived and is closed to further replies.