bit-gamer.net

Ubisoft disables Uplay over free game exploit


Uplay, Ubisoft's digital distribution service, has been temporarily disabled following a flaw that allowed ne'er-do-wells to download free games - including the as-yet unreleased Far Cry 3: Blood Dragon.

Ubisoft has taken its Uplay digital distribution service offline, after a flaw was discovered that allowed ne'er-do-wells to download games without payment - even making off with unreleased titles.

When gameplay footage for the upcoming first-person eighties-throwback shooter Far Cry 3: Blood Dragon leaked, Ubisoft was eager to figure out how the individual had got his or her hands on the title. Had it been leaked by a reviewer? Had their internal servers been attacked? Was one of their own employees leaking pre-release titles, heaven forfend?

The answer, it transpires, was at once simpler and more concerning: a flaw in the Uplay digital distribution service was allowing those with the knowledge to authorise their own transactions, downloading titles without having to go through that awkward having-to-actually-pay-for-them stage of the purchasing process. Worse, the flaw exposed titles that had been registered within the service but not actually launched, including the new Far Cry 3: Blood Dragon title.

By exploiting the flaw, the details of which will not be shared here, attackers were able to authorise the download for Far Cry 3: Blood Dragon without actually having purchased it - something they couldn't have done legitimately, as Ubisoft has yet to release the title for sale. Once downloaded, the title would run as normal. For a digital distribution service, which lives or dies by publisher confidence in the veracity of purchases and the strength of its digital rights management (DRM) implementation, that's hardly good news.

Ubisoft, naturally, is eager to get to the bottom of the problem. Accordingly, it has taken Uplay offline temporarily in order to find and fix the flaw, during which time it will also be conducting a thorough survey of user accounts to find those who have benefited from the exploit. Owners of any account which shows a game as being owned without a corresponding purchase record, and especially of those that profess to own pre-release titles, will likely find their accounts shuttered and may, depending on how far Ubisoft wishes to take its investigation, find themselves on the sharp end of some legal proceedings.
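The account audit described above can be sketched as a reconciliation of library entitlements against the records that could explain them. This is an added example, not Ubisoft's code: the schema, account names and records are constructed, and it assumes that key activations (retail or other stores) and internal review grants are logged separately from store purchases.

```python
# Added example: schema, account names and records are constructed/hypothetical.
UNRELEASED = {"Far Cry 3: Blood Dragon"}  # registered in the service, not yet on sale

# (account, title) pairs the library shows as owned.
ENTITLEMENTS = [
    ("alice", "Anno 2070"),                # bought in the store
    ("bob", "Far Cry 3"),                  # key bought elsewhere, activated here
    ("carol", "Far Cry 3"),                # nothing explains this one
    ("dave", "Far Cry 3: Blood Dragon"),   # pre-release, no record at all
    ("erin", "Far Cry 3: Blood Dragon"),   # pre-release, with a "purchase" record
    ("frank", "Far Cry 3: Blood Dragon"),  # pre-release, internal review grant
]
STORE_PURCHASES = {("alice", "Anno 2070"), ("erin", "Far Cry 3: Blood Dragon")}
KEY_ACTIVATIONS = {("bob", "Far Cry 3")}
INTERNAL_GRANTS = {("frank", "Far Cry 3: Blood Dragon")}


def classify(entry, purchases, activations, grants, unreleased):
    """Return None if ownership is explained, else a severity string."""
    _, title = entry
    if title in unreleased:
        # Not on sale yet, so a purchase or key record cannot explain it;
        # only an explicit internal grant can.
        return None if entry in grants else "high"
    if entry in purchases or entry in activations or entry in grants:
        return None
    return "review"


def audit(entitlements, purchases, activations, grants, unreleased):
    """Map each flagged account to its unexplained (title, severity) pairs."""
    findings = {}
    for entry in entitlements:
        severity = classify(entry, purchases, activations, grants, unreleased)
        if severity:
            findings.setdefault(entry[0], []).append((entry[1], severity))
    return findings


def run_sample_audit():
    return audit(ENTITLEMENTS, STORE_PURCHASES, KEY_ACTIVATIONS,
                 INTERNAL_GRANTS, UNRELEASED)


if __name__ == "__main__":
    for account, items in sorted(run_sample_audit().items()):
        print(account, items)
```

Treating a purchase record for an unreleased title as suspect rather than exculpatory matters here, because the flaw let users authorise their own transactions.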

The company has released a statement that claims the flaw does not expose personal details of Uplay customers, and the outage will not affect other Ubisoft online services - just the download facility of Uplay. Thus far, the company has not provided a timescale as to when Uplay will be returned to normal.

22 Comments

Corky42 10th April 2013, 09:58 Quote
Quote:
it has taken Uplay offline temporarily

So I assume no one can play a Uplay game until they fix their problem.
Gareth Halfacree 10th April 2013, 10:09 Quote
Quote:
Originally Posted by Corky42
So I assume no one can play a Uplay game until they fix their problem.
Read further: it has only taken the ability to download a game away; you can still play your already-downloaded Uplay games (including those that were downloaded using the exploit, for now) without issue - unless you've heard differently? (I can't test it: there's no Uplay client for Linux.)
greigaitken 10th April 2013, 10:12 Quote
" the outage will not affect other Ubisoft online services - just the download facility of Uplay"
Gareth Halfacree 10th April 2013, 10:15 Quote
Quote:
Originally Posted by greigaitken
" the outage will not affect other Ubisoft online services - just the download facility of Uplay"
Yeah, that's what Ubisoft has told me - but I wondered if Corky42 knew something I didn't. Like I say, I can only take Ubisoft at its word: I have no Uplay installation to test out.
mi1ez 10th April 2013, 10:19 Quote
That Blood Dragon graphic is awesome!
Corky42 10th April 2013, 10:32 Quote
Sorry didn't catch the part at the end that said...
Quote:
just the download facility of Uplay
Cerberus90 10th April 2013, 11:42 Quote
uplay working fine here, playing anno 2070 as I type, :D
faugusztin 10th April 2013, 11:57 Quote
Quote:
Any account which shows a game as being owned without a corresponding purchase record

Considering how Ubisoft sometimes does things, I am afraid to think what will happen with my games running on Uplay, not bought on Uplay (bought in retail or on Steam - like some of the Assassin's Creed games, or Anno 2070 etc). :D
Corky42 10th April 2013, 13:32 Quote
Quote:
Originally Posted by faugusztin
I am afraid to think what will happen

Best listen out for that knock on the door
Instagib 10th April 2013, 14:05 Quote
Quote:
Originally Posted by faugusztin
Quote:
Any account which shows a game as being owned without a corresponding purchase record

Considering how Ubisoft sometimes does things, I am afraid to think what will happen with my games running on Uplay, not bought on Uplay (bought in retail or on Steam - like some of the Assassin's Creed games, or Anno 2070 etc). :D

That's my entire Uplay account. Anno 2070, far cry 3 and ac3, all bought from steam, all installed via Uplay. It's annoying games are distributed in such a way across many drm platforms.
blacko 10th April 2013, 14:17 Quote
never mind uPlay WTF have they done to far cry 3.....it looks nuts.

the Vaas character must have got into a few of the devs heads...."Did I ever tell you the definition...of Insanity?"


another quote from Vaas

"Take me into your heart. Accept me as your savior. Nail me to the f******* cross and let me be REBORN!"
Shirty 10th April 2013, 15:47 Quote
That was quite a dramatic second paragraph there Gareth, I enjoyed it :p
erratum1 10th April 2013, 16:04 Quote
Free games and I missed out; always the last to hear about these things.
sotu1 10th April 2013, 18:11 Quote
"For a digital distribution service, which lives or dies by publisher confidence in the veracity of purchases and the strength of its digital rights management (DRM) implementation, that's hardly good news."

So this is BitTech saying that digital distribution requires DRM? Just getting that on record next time you scream murder at a form of DRM being present...
Gareth Halfacree 10th April 2013, 23:09 Quote
Quote:
Originally Posted by sotu1
So this is BitTech saying that digital distribution requires DRM? Just getting that on record next time you scream murder at a form of DRM being present...
No, it isn't. You've made several unwarranted assumptions there, based on your own bias. First, and least: I am not Bit-Tech. Bit-Tech is not me. Bit-Tech is a site which publishes words written by as diverse a group of people as you are likely to find sharing a common interest. Amazingly, we don't always agree on a given subject. Shocking, I know. Anything I write should not be taken as "Bit-Tech saying" anything, but simply something I am saying on Bit-Tech. See the distinction.

More importantly, you have misinterpreted the statement in a way that conforms to your pre-existing view - confirmation bias. At no point in the article did I claim in any way that digital distribution requires DRM. Look at the Humble Bundle: digitally distributed games, no DRM. Clearly, it works.

What I said - and, indeed, what you quoted - is that a given digital distribution service lives or dies by, among other things, 'the strength of its digital rights management (DRM) implementation.' This is a fact: a digital distribution service with a weak DRM implementation will not have publishers banging on its door. This is not the same as saying that DRM is required - just that if it is present, it must be reliable. Amazon's Kindle platform is not the best example, but one that is easily accessible to the public: it has (trivially breakable) DRM, but the publisher can choose whether or not to use that DRM. It's as simple as a checkbox when you publish your book: "Use DRM." Tick the box, DRM gets used; don't tick the box, it doesn't.

The Humble Bundle gets used despite not having any DRM, by publishers (or indies, in most cases) who have decided they don't need or want DRM. Other services offer - or, in some cases, force - DRM, and are used by publishers who have decided they do want DRM.

Still confused? Let's simplify: imagine three digital distribution services. Let's call one Bumble Hundle, one PlayU and one Vapour. Bumble Hundle has no DRM, PlayU has DRM that has been proven ineffective, and Vapour has DRM that has so far resisted attack. If I'm a publisher who has decided that my latest and greatest game should be protected from those filthy piratical types by DRM, which am I going to pick: the one without DRM, the one with known-vulnerable DRM, or the one with apparently secure DRM?

Exactly.

As I said, digital distribution services live or die by the perceived security of their DRM implementations. What I didn't say, and what perhaps may have prevented you from misreading the sentence quite so badly, was this: digital distribution services live or die by the perceived security of their DRM implementations where such implementations exist. Does digital distribution require DRM? Of course it doesn't, as a glance at the Humble Bundle proves.

Hope that's cleared things up for you.
Shirty 10th April 2013, 23:19 Quote
I can literally* hear those buckling springs pinging in indignation and outrage.


* (sorry)
Gareth Halfacree 10th April 2013, 23:21 Quote
Quote:
Originally Posted by Shirty
I can literally* hear those buckling springs pinging in indignation and outrage.
Actually, I'm on my laptop right now. :p
Quote:
Originally Posted by Shirty
* (sorry)
So you should be. Hyperbole? On *my* internet?
Sloth 10th April 2013, 23:24 Quote
I like to think of Gareth's articles as the literary equivalent of shouting "come at me bro". They all have some technically correct but easily misread line in them just for this.

He's probably off muttering about how none of us even lift right about now.
Shirty 10th April 2013, 23:26 Quote
I'm surprised you don't have the Model F plugged in to the laptop :D
Gareth Halfacree 10th April 2013, 23:31 Quote
Quote:
Originally Posted by Sloth
I like to think of Gareth's articles as the literary equivalent of shouting "come at me bro". They all have some technically correct but easily misread line in them just for this.
Nah, I'm just not very good at seeing anything other than my intended meaning when I read it back. It's better when it's not a quick-turnaround news piece: given a few hours of doing something else, I can re-read what I've written with fresh eyes and spot sentences that can be misconstrued. When it's a news piece, though, I don't have the luxury of popping off for a spot of lunch and coming back a couple of hours later, so these things slip through. It's something I'm trying to improve upon, though, and I'm always grateful when somebody points out sentences that can be easily misconstrued - providing, that is, they do so in a polite manner, otherwise I'll just think they're being a bit of an arse.
Quote:
Originally Posted by Shirty
I'm surprised you don't have the Model F plugged in to the laptop :D
Are you kidding? It weighs more than the laptop does!
Spreadie 11th April 2013, 09:34 Quote
I rather enjoy Gareth's articles, and especially his indignation when people misconstrue his meaning; having been on the receiving end of one of his corrective replies. :)
demastes 12th April 2013, 13:24 Quote
Quote:
Originally Posted by Gareth Halfacree
Quote:
Originally Posted by sotu1
So this is BitTech saying that digital distribution requires DRM? Just getting that on record next time you scream murder at a form of DRM being present...
No, it isn't. You've made several unwarranted assumptions there, based on your own bias. First, and least: I am not Bit-Tech. Bit-Tech is not me. Bit-Tech is a site which publishes words written by as diverse a group of people as you are likely to find sharing a common interest. Amazingly, we don't always agree on a given subject. Shocking, I know. Anything I write should not be taken as "Bit-Tech saying" anything, but simply something I am saying on Bit-Tech. See the distinction.

More importantly, you have misinterpreted the statement in a way that conforms to your pre-existing view - confirmation bias. At no point in the article did I claim in any way that digital distribution requires DRM. Look at the Humble Bundle: digitally distributed games, no DRM. Clearly, it works.

What I said - and, indeed, what you quoted - is that a given digital distribution service lives or dies by, among other things, 'the strength of its digital rights management (DRM) implementation.' This is a fact: a digital distribution service with a weak DRM implementation will not have publishers banging on its door. This is not the same as saying that DRM is required - just that if it is present, it must be reliable. Amazon's Kindle platform is not the best example, but one that is easily accessible to the public: it has (trivially breakable) DRM, but the publisher can choose whether or not to use that DRM. It's as simple as a checkbox when you publish your book: "Use DRM." Tick the box, DRM gets used; don't tick the box, it doesn't.

The Humble Bundle gets used despite not having any DRM, by publishers (or indies, in most cases) who have decided they don't need or want DRM. Other services offer - or, in some cases, force - DRM, and are used by publishers who have decided they do want DRM.

Still confused? Let's simplify: imagine three digital distribution services. Let's call one Bumble Hundle, one PlayU and one Vapour. Bumble Hundle has no DRM, PlayU has DRM that has been proven ineffective, and Vapour has DRM that has so far resisted attack. If I'm a publisher who has decided that my latest and greatest game should be protected from those filthy piratical types by DRM, which am I going to pick: the one without DRM, the one with known-vulnerable DRM, or the one with apparently secure DRM?

Exactly.

As I said, digital distribution services live or die by the perceived security of their DRM implementations. What I didn't say, and what perhaps may have prevented you from misreading the sentence quite so badly, was this: digital distribution services live or die by the perceived security of their DRM implementations where such implementations exist. Does digital distribution require DRM? Of course it doesn't, as a glance at the Humble Bundle proves.

Hope that's cleared things up for you.

That was awesome..... =)