If you played C:S II recently with mods, you may want to have a read.

TL;DR: malware was distributed via a mod for the Cities: Skylines sequel that could have stolen Exodus cryptocurrency wallet information, if you had that available on your system.

LINK

1 week ago*


Were you impacted?

Probably
Nope, don't have crypto
Nope, don't play with mods
Nope, don't have the game
Potato
1 week ago

Thank you, though fortunately does not affect me, I don't have the game nor crypto wallet.

1 week ago

Same. I do play the game, I just don't use any mods. :)

1 week ago

What a strangely specific thing to target. You'd think they'd cast their net as wide as they could.

I don't have either the game or crypto, so I don't have to worry about this--but it, along with other incidents, does make me worry about the games I do play, because I'm the kind of person who can spend more time modding than actually playing.

1 week ago

What a strangely specific thing to target. You'd think they'd cast their net as wide as they could.

Could be a trial balloon.

1 week ago

This is the type of thing I worry about with mods, and one of the major reasons I don't use them and never have.

1 week ago

Usually mods can't cause this kind of thing because they are just simple scripts or files that only the game understands and with limited capabilities.

The problem with Cities Skylines gameplay mods is that they come as executable components that have full access to Windows and its functionality. They are essentially normal applications that you download without any security guardrails.

That this could be a vehicle for malware was already a worry before the first Cities Skylines came out. Gaining some level of trust in mods, by making the code open source and modders building up a reputation in the community, was supposed to prevent it. But this "web of trust" has failed because a modder's account was supposedly hacked.

In any case, Cities Skylines is unique in how the company behind it purposefully chose to use executable code for mods, and not to execute that code in a protected environment (aka a "sandbox").

1 week ago

Mods are no more or less "dangerous" than any game really.

For $100 anyone can publish a game on steam, say a f2p game, it can be set up to contact a remote server to selectively download or enable "extra stuff" (so it won't be flagged on any initial scans). It can hide its malicious behavior if it detects a debugger or a test environment to avoid being detected or analyzed.

Sure it might eventually get spotted and banned, but it would have already done damage to some.

As another example, just think of how invasive anti-cheat has become in games, to the point that it is acting like a rootkit!

What I am saying is that anytime you download and run a game, you are taking a certain amount of risk...

1 week ago

Mods that have DLLs? Those are plug-ins. And plug-ins are inherently dangerous.
Mods as scripts and content, e.g. in ATS and ETS2, work only within the program environment, unless that environment has been made to give those scripts access to things they shouldn't have; shoddy programming. But ATS and ETS2 keep things safe. The only thing mods can do is mess up your gameplay or saves.
Plug-ins, on the other hand, are real programs, but should only make function calls to what the parent program responds to (the API - Application Programming Interface). The parent program should nullify any other kind of call through various procedures (sandboxing has been mentioned). And those function calls should only pertain to the parent program's data. Otherwise, shoddy programming. And plug-ins + shoddy programming = vulnerability mayhem. I bet many people are trying to find more vulnerabilities in the CS2 API.
What kinda calls my attention is that a program with such a budget doesn't have the kind of protection that many other minor projects, open source/free software, and also commercial ones big and small, have. I thought by now these people would know how to program for protection from plug-ins.
But hey, we're the only ones who not only trip on the same stone, but also find new ways to trip on it, right?
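To make concrete the distinction drawn in this comment and the earlier one about executable mods versus "scripts that only the game understands": here is an added illustration (not code from the thread, the game, or any real mod loader) of a data-only mod format whose only capabilities are an explicit, allowlisted game API. The mod format, the `GameState` fields and the API functions are all hypothetical; anything the mod asks for outside that API is rejected before a single action runs.

```python
import json
from dataclasses import dataclass, field


class ModRejected(Exception):
    """Raised when a mod asks for anything outside the game API."""


@dataclass
class GameState:
    # Hypothetical game data a mod is allowed to touch.
    traffic_density: float = 1.0
    log: list = field(default_factory=list)


# The complete set of operations a mod may perform. Each validates its own
# arguments, so a mod can only ever change game data, never the host system.
def api_set_traffic_density(state, value):
    if not isinstance(value, (int, float)) or not 0.0 <= value <= 5.0:
        raise ModRejected(f"traffic density out of range: {value!r}")
    state.traffic_density = float(value)


def api_log(state, message):
    if not isinstance(message, str) or len(message) > 200:
        raise ModRejected("log message must be a short string")
    state.log.append(message)


GAME_API = {"set_traffic_density": api_set_traffic_density, "log": api_log}


def run_data_mod(state, mod_json):
    """Interpret a mod given as a JSON list of {"call": name, "args": [...]}.

    The mod never becomes native code: the interpreter is the boundary.
    The whole mod is validated first, so a rejected action can never run
    after earlier actions have already changed game state."""
    try:
        actions = json.loads(mod_json)
    except json.JSONDecodeError as exc:
        raise ModRejected(f"mod is not valid JSON: {exc}") from exc
    if not isinstance(actions, list):
        raise ModRejected("mod must be a list of actions")
    for action in actions:
        if not isinstance(action, dict) or action.get("call") not in GAME_API:
            raise ModRejected(f"call not in game API: {action!r}")
    for action in actions:
        try:
            GAME_API[action["call"]](state, *action.get("args", []))
        except TypeError as exc:  # wrong argument count is also a rejection
            raise ModRejected(f"bad arguments for {action['call']}") from exc
    return state
```

Contrast this with a DLL plug-in, where the game has no such boundary to enforce: once the loader calls into the module, the code runs with whatever the game process itself can do.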

1 week ago

With limited knowledge about the ins and outs of mods, I thank you very much for the information.
Even though I have neither crypto nor this particular game, I do have the first game and if I ever play it modded, I'll be sure to check things out properly before jumping in.

1 week ago

Happy to share/help!

It's really unfortunate the mods are set up this way, because the first game has some amazing features made available via the modding community. I actually haven't used any mods on the new version, but I was unaware of the ability even for something like this to come through, and now I'm hesitant to try any.

1 week ago

Understandably. I wonder if something can be done to avoid that kind of issue in the future but I guess the devs of the game won't really get involved and I get that.

1 week ago

I mean, the second half of the linked update basically says they won't own the problem/fix, and that it's up to users to be vigilant and "always keep your firewall and antivirus software installed and updated". :|

My understanding is that they'd have to completely redesign how mods work, and even getting modding capabilities as they are has been a long time coming.

1 week ago

Didn't mod the game. When I first started this I played it as it was intended. People blame them for not having malware protection and for not using the Steam Workshop as they did for CS1. I agree. Much easier that way. Besides, it's much better when fans create mods than when their own team does it or they permit only what they want.

1 week ago

I don't understand the Steam Workshop argument. The same risks would be there, as they have been since the launch of Cities Skylines 1.

Maybe Steam's security is a bit better with 2FA (that it's missing at the new mod hub is frankly inexcusable from Colossal Order / Paradox), but CS1 mods from the Steam Workshop are also executable code.

1 week ago

It's true. There are risks and such on both ends. It's just that people wanted them to give the players the option for the Workshop as it's much much better from what I saw. I think there's more security on Steam's side, but I could be wrong. I only would prefer it to be on Steam, that's all.

Now if that led to an attack, that's kinda bad on the side of the hacker that did that. It's a nasty move just because you don't like it. Idk if they can and will implement the workshop again to get some of the problems off their back.

1 week ago

Wow. Though I don't have the game, thanks for the heads-up; it's a good reminder about security in general.

Gaffi, I think this bit should also be mentioned:

Only the “Traffic” mod was affected. We have confirmed that the account of the “Traffic” mod’s author was compromised, and the malicious upload originated from an unauthorized location. The account has now been secured, and no further tampering with their work is expected.

I believe it's important to mention that because, as far as I can tell, this wasn't something that the mod author did intentionally, but something that a third party did, so the mod itself is not malicious and an updated version should not (in theory) cause any problems.

On a related matter, from earlier news:

We have already removed it and the current version as of 2024-10-31 15:35 CET is safe to download and use, but if your mod synced and you played the game using the mod between Monday and then, there is a possibility that you may have the malicious file.

And:

We have contacted the modder whose mod was compromised and discussed our recommended steps to secure their account. They have updated Traffic to a safe version, so anyone playing with version v.0.2.4 is playing with a safe version.

1 week ago

Fair point about the specific mod at fault, but I guess I also wanted to highlight the general risk, especially given the apparent innocence on the actual modder's part. You can never be too careful. :)

1 week ago

Hmm, yeah, that makes sense. It's often joked that if you want security you should start by unplugging the power cord, and, I mean, there is some truth to that, so what we can (and should always) do is try to mitigate risks (and then pray the bolt strikes elsewhere). This isn't really an earth-shatteringly new attack vector or anything, but I don't remember seeing news of anyone compromising the account of the author of a popular mod in order to deliver malware before either, so I suppose the security reminder is just as important as the relevant news itself (if not more).

On a separate but also relevant note, I'd say the people behind the game ought to be praised for their fast and thorough response and responsible disclosure, which is something we don't always see. They took responsibility for the mess and went out of their way to control the damage and minimize the impact even though technically it isn't even really their fault. Yes, they have some responsibility as far as officially hosted mods are concerned, but it only extends so far; they could simply have banned the mod and moved along, but, though they didn't really have to, they elected to respond properly.

1 week ago

On a separate but also relevant note, I'd say the people behind the game ought to be praised for their fast and thorough response and responsible disclosure, which is something we don't always see.

Agreed. Actually, my initial response was that the devs could have done better up front to help prevent this (via other modding methods), but you're absolutely right about the higher transparency than we usually get.

1 week ago

Yeah, but on further thought your initial response isn't wrong, either. It's true that once the issue came up they did the right thing, but it's also true that it could have been avoided altogether if the mod didn't need to (and in fact couldn't) use DLLs to achieve what it wanted to do. So while they deserve praise for the response, they also deserve some criticism for having let it happen to begin with.

1 week ago

damn, what a crappy modding platform

1 week ago

^^

2 hours ago
