01 Oct 2013 01:06 AM
Seranok found a way to send a GET request to any URL on the Internet and, if the reply is in XML and corresponds to the right format (saying what format it is would give it away), to get the response. This enabled him to set up a web server and to send requests to it with parameters in the URL. The server would then save the data and return it in the response when another server requested another URL on the same server. Data could then be transferred from one server to another.
He was able to use this to create inter-server chat, which many of us saw a live demonstration of and which worked. He also wanted to use it for other things. It was leaked by Shedletsky, who either used Fiddler to find out or looked directly at the place file using his special abilities (which of those he did is not known for sure).
It turned out Shedletsky leaked the URL to the domain which corresponded to Seranok's web server. The domain had to be on the com TLD and its name had to end with "roblox" because ROBLOX did the filtering by only accepting requests to URLs in which the domain ended with "roblox.com", without thinking about the fact that other domain names could be registered that ended with roblox.com without being owned by ROBLOX (such as abcroblox.com).
One of the many reasons why Seranok should be ashamed is that his web server ended up not being very well protected, or in fact protected at all. The hierarchy was visible and so it was possible to explore the contents of the site, and someone found some code hosted there that contained the bug (exploit?) Seranok was using to send requests to that web server. It was leaked.
The server was very badly secured, such that RenderSettings was able to upload files to it. He uploaded a PHP shell there and messed up the server, but what really annoyed Seranok is that his method for sending requests and getting the response had been leaked, meaning it would be patched.
He then started complaining about what Shedletsky and RenderSettings did, but he is the one who should be ashamed of himself for having such a badly secured website in the first place, for leaving the hierarchy visible, for putting the code on the website and for not using authentication from the games in which he uses the server to communicate with them.
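The filter bug described in the post above, as an added example that is not part of the original thread and is not ROBLOX's code: the only thing taken from the post is the rule "accept the URL if the domain ends with roblox.com". The function names, the allow-list constant and the sample URLs are assumptions; the vulnerable check and the corrected check sit side by side so the difference (a missing label boundary) is visible on the same inputs.

```python
"""Suffix-match host filter: the weak check beside a corrected one.

Added example for this thread, not code from the original page or from
ROBLOX. Assumptions: the allow-list is the single domain "roblox.com",
the filter looks only at the host part of the URL, and the sample URLs
below are constructed for illustration.
"""
from urllib.parse import urlsplit

ALLOWED_DOMAIN = "roblox.com"  # assumption: the one domain the filter meant to allow


def allowed_suffix_match(url: str) -> bool:
    """The check as the post describes it: the host merely ends with 'roblox.com'.

    Any registrable name such as abcroblox.com passes, because nothing
    requires a dot (a DNS label boundary) before the allowed suffix.
    """
    host = urlsplit(url).hostname or ""
    return host.lower().endswith(ALLOWED_DOMAIN)


def allowed_registrable_match(url: str, allowed: str = ALLOWED_DOMAIN) -> bool:
    """Corrected check: exact domain, or a subdomain separated by a dot.

    Also pins the scheme, so the relay cannot be pointed at other
    protocols, and normalises case and a trailing root dot. A host such
    as 'roblox.com@evil.example' is not a problem for either function,
    because urlsplit().hostname drops the userinfo part.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return host == allowed or host.endswith("." + allowed)


# Constructed sample URLs (assumptions, not real requests from the thread).
SAMPLE_URLS = [
    "http://www.roblox.com/asset?id=1",          # legitimate subdomain
    "http://ROBLOX.COM:8080/",                     # same domain, odd case and port
    "http://abcroblox.com/relay?data=x",           # the bypass the post describes
    "http://roblox.com.attacker.example/",         # prefix trick, caught by both
    "http://roblox.com@evil.example/",             # userinfo trick, caught by both
    "ftp://roblox.com/",                           # wrong scheme, only the fix rejects it
]


def compare(urls=SAMPLE_URLS):
    """Return (url, suffix_result, fixed_result) for each URL, for side-by-side review."""
    return [(u, allowed_suffix_match(u), allowed_registrable_match(u)) for u in urls]


if __name__ == "__main__":
    for url, weak, fixed in compare():
        print(f"{url:45} suffix={weak!s:5} fixed={fixed!s:5}")
```

The lines that differ between the two columns are exactly the ones a filter based on `endswith("roblox.com")` lets through: a sibling registration like abcroblox.com and a non-HTTP scheme. The corrected function still allows every real subdomain of roblox.com, which is what the page says the filter was meant to do.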
01 Oct 2013 01:09 AM
because when exploiting a security hole, the most important priority is security
01 Oct 2013 01:19 AM
Ah, well isn't that exciting.
~The alpaca of the acting world.
01 Oct 2013 01:27 AM
So will Seranok's old loop-holes become an actual feature later? Or is basically nothing confirmed.
Oysi
Joined: 06 Jul 2009
Total Posts: 9058

Seranok
Joined: 12 Dec 2009
Total Posts: 11083
01 Oct 2013 01:34 AM
I realized that there were gaping security holes in my website. I accepted the risk because no one knew about my domain, nor would anyone be able to figure it out without reading the source of the server-side scripts. Shedletsky downloaded my place file, read the scripts, and leaked URLs from those scripts.
I do not care about the fact that my website was trashed. It had absolutely nothing worth protecting. I am upset because my method for performing HTTP requests was patched.
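Seranok's post relies on the domain staying unknown; the opening post faults the relay for "not using authentication from the games". As an added example (not Seranok's code, not anything shown in the thread, and not ROBLOX's API), here is the kind of request authentication that would have made a leaked URL useless on its own: the game script signs the GET query string with a shared secret and a timestamp, and the relay server verifies the signature before storing or returning anything. The parameter names, the secret value, the base URL and the freshness window are assumptions.

```python
"""HMAC-signed GET requests for a game-to-server relay.

Added example, not code from the original thread. Assumptions: the game
server script and the relay share SHARED_SECRET, every message is a GET
whose parameters fit in the query string (the post says the technique
only allowed GET), and a request older than MAX_SKEW seconds is stale.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: lives only in the server-side script and the relay config,
# never in anything sent to clients.
SHARED_SECRET = b"example-secret-only-in-server-scripts"
MAX_SKEW = 60  # seconds a signed request stays acceptable


def _canonical(params: dict) -> bytes:
    """Sort parameters so both sides MAC the same bytes regardless of order."""
    return urlencode(sorted(params.items())).encode()


def sign_request(base_url: str, params: dict, secret: bytes = SHARED_SECRET, now=None) -> str:
    """Game side: add a timestamp, then an HMAC-SHA256 over every other parameter."""
    signed = dict(params)
    signed["ts"] = str(int(now if now is not None else time.time()))
    signed["sig"] = hmac.new(secret, _canonical(signed), hashlib.sha256).hexdigest()
    return base_url + "?" + urlencode(signed)


def verify_request(url: str, secret: bytes = SHARED_SECRET, now=None, max_skew: int = MAX_SKEW) -> bool:
    """Relay side: reject duplicated keys, stale timestamps and bad MACs."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if any(len(values) != 1 for values in query.values()):
        return False  # a repeated key would make the canonical form ambiguous
    params = {key: values[0] for key, values in query.items()}
    sig = params.pop("sig", None)
    ts = params.get("ts")
    if sig is None or ts is None or not ts.isdigit():
        return False
    current = int(now if now is not None else time.time())
    if abs(current - int(ts)) > max_skew:
        return False
    expected = hmac.new(secret, _canonical(params), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


if __name__ == "__main__":
    # Constructed round trip: the game stores a chat line, the relay checks it.
    url = sign_request("http://example.invalid/relay", {"key": "chat", "value": "hello world"})
    print(url)
    print("valid:", verify_request(url))
    print("tampered:", verify_request(url.replace("hello+world", "hello+there")))
```

The secret still has to live somewhere the game script can read it, so an administrator who can open the place file, as the thread says Shedletsky did, can recover it; what the signature removes is the ability of anyone who merely holds the leaked URL to write into or read out of the relay.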
cntkillme
Joined: 07 Apr 2008
Total Posts: 44956

Oysi
Joined: 06 Jul 2009
Total Posts: 9058

cntkillme
Joined: 07 Apr 2008
Total Posts: 44956
01 Oct 2013 01:40 AM
Bloccoism vs Oysism (Potatoism?)
Seranok
Joined: 12 Dec 2009
Total Posts: 11083

cntkillme
Joined: 07 Apr 2008
Total Posts: 44956
01 Oct 2013 01:47 AM
ex·ploit, noun, /ˈekˌsploit/: a bold or daring feat.
Seranok is brave. Joking aside, I think the word exploit can change. Perhaps people think you did something unfair by using that loophole. Something something monopolizing.
Oysi
Joined: 06 Jul 2009
Total Posts: 9058

Merely
Joined: 07 Dec 2010
Total Posts: 17266
01 Oct 2013 02:26 AM
This thread borders on a personal attack/harassment. It's one thing to state that a person wasn't wise in a decision, but it's another thing altogether to call them out in a hostile and demeaning manner on the forums.
01 Oct 2013 02:39 AM
Yeah, OP could have made this more informational and less personal.
- Seranok's place isn't here anymore because of this
- Shedletsky did this
- People reacted like this
- This could potentially this
R8N
Joined: 07 Aug 2013
Total Posts: 1164
01 Oct 2013 03:40 PM
roblox.com/Johns-Reaction-To-This-item?id=130759239
01 Oct 2013 04:02 PM
> This thread borders on a personal attack/harassment. It's one thing to state that a person wasn't wise in a decision, but it's another thing altogether to call them out in a hostile and demeaning manner on the forums.
That's not at all how it was meant to be interpreted. :o
> Yeah OP could have made this more informational and less personal.
What? I don't see how anything could have been made more informational. Read it again. The only thing that is not informational in that post is the statement that Seranok should be ashamed.
blocco
Joined: 14 Aug 2008
Total Posts: 29474
01 Oct 2013 05:04 PM
oh christ what is this
i thought we were done with this
seranok never intended for it to go down like this man, he never knew shedletsky would give out his URLs willy-nilly
blocco
Joined: 14 Aug 2008
Total Posts: 29474
01 Oct 2013 05:27 PM
If you want my full unabridged philosophy on this matter, I will say that I believe Shedletsky is the main antagonist. His main offense is not being curious and looking at Seranok's place file, nor is it finding out how Seranok did what he did or even fixing the hole that Seranok found. No, his main offense is sharing Seranok's data with people who are technically unauthorized to see it. No, Mark (ColorfulBody), you cannot say that we are authorized to see all data on ROBLOX. The copylock is a tool used to prevent **unauthorized access** (i.e. access given without permission or authorization), and it is a tool used to imply ownership. Note that the copylock does NOT apply to administrators.
Assuming that places can contain data that is created by the place creator and unauthorized for others to see (copylocked), Shedletsky has access to this data and we all do not; Shedletsky can look at it all he wants. He cannot, however, share this data with us, because we are not authorized to have this data.
Shedletsky should have notified Seranok that he figured out his *modus operandi* and was working on a patch. Shedletsky should not have given us Seranok's data. Seranok has paid money for the server, and spent time and effort figuring out how to do what he has done. His server (i.e. the data contained within it) has been ravaged (maybe too strong of a word, but I'm using it anyway), and would not have been ravaged were the URL never leaked. You may argue that since his server was not well-protected, [John Doe] had permission/a right to edit the files and/or structure of it. Well no. Permission/A right was not explicitly given, so permission/a right could not have been assumed.
Seranok did NOT leak the exploit in concern that we would use it malevolently and maliciously. Merely claims to have reported the exploit to administrators while he and Seranok were working at ROBLOX. Nothing was done.
1. Shedletsky should not have leaked the URL(s).
2. Seranok kept the exploit to himself for a reasonable reason.
3. Merely reported the exploit; action was not taken to patch it when he reported it.
R8N
Joined: 07 Aug 2013
Total Posts: 1164

blocco
Joined: 14 Aug 2008
Total Posts: 29474
01 Oct 2013 05:37 PM
^
1. thats 2. why 3. i 4. did 5. bullets
Xnite515
Joined: 18 Feb 2011
Total Posts: 22763
01 Oct 2013 05:38 PM
won't this break his whole game now
badcc
Joined: 18 Jan 2009
Total Posts: 3170
01 Oct 2013 05:46 PM
What's awesome is it still works! :D
01 Oct 2013 06:07 PM
Haha, he JUST figured this out?