Avatar ID stealing countermeasure
complete
Tidus
Add a check box in the SDK like "I'll be the only one using this avatar", then use that flag as an index to check how many occurrences of that said ID happen to be in use. If more than one instance, then flag the offending user for review and send an e-mail to the owner asking them to re-upload the avatar to change the ID. It won't stop cache rip techniques though, but the number of people who have the knowledge to do so is considerably lower.
-Credit goes to Kane on Discord for the idea
Fax
complete
Thank you for the request! This post is rather old, and we've made various improvements to avatar security. If you encounter any other issues, please report them here on Canny!
SPOONPAI
Fax and here we are, 7 years later
owlboy
This is what the private checkbox should already be doing.
owlboy
_should_ already be doing
Lhun
I realized as we were talking about this that there is a simple solution. If someone changed avatar into an existing blueprint ID - and that blueprint ID is NOT tied to an avatar pedestal - they should immediately be flagged, because only avatars that are tied to pedestals or uploaded fresh can be worn by users normally.
Now this wouldn't stop people from uploading cached avatars under a new ID, but that could be addressed differently - md5 the avatar directory and look for matches. Compare blueprint IDs of matching avatars to ones that have pedestals and eliminate those.
Remaining avatars are either public .unity packages or stolen. You'll start to see a pattern of which ones are obviously public; eliminate those. The rest are likely using a modded client.
GotoFinal
Lhun: then the smallest change in the package would change the hash and you can again upload that avatar under a new ID.
Lhun
GotoFinal: indeedy but at that point the file is "new" anyway. This is a quick and dirty way to swiftly deal with the known modded client's way of doing things and make it harder for people stealing avatars to do it, as it'll now require modification in unity or whatever.
Locks don't stop thieves, they're a deterrent - this works the same way. It'll at least give them time to come up with a better way to flag things. I don't know if vrca files can be unpackaged or whatever or how they're doing it but it would give them time to make sure that can't happen easily or whatever.
GotoFinal
Lhun:
> as it'll now require modification in unity or whatever.
Why? You can just edit that from the code side. It will be "fixed" by cheaters in less than 1 day.
lexidoll
Or just prevent people from loading an avatar ID that is set to private? The SDK knows if you don't own a blueprint ID if you try to upload an avatar with the same ID as someone else. So why doesn't the VRChat client / server check to see if someone is trying to access a blueprint ID they both don't own and is set to private?
If the server itself makes that check then people with modded clients shouldn't be able to bypass it if private avatars needed a specific key from the owner to access.
Avatar creators shouldn't have to worry about any of this or even needing to reupload it; there should be countermeasures for this built into where the avatars are stored and sent out from, making checks to see if said person even should be allowed access to an avatar.
GotoFinal
lexidoll: then a hacker will just download that avatar and reupload it with a new ID
Lhun
lexidoll: you're right about blueprint IDs. You actually cannot upload an avatar to someone else's account if your blueprint ID is still tied to it; the blueprint ID is tied to the username. I know this because I make avatars for my wife and vice versa but we test them on our accounts first and sometimes forget to clear them. It seems logical to conclude that people who are stealing avatars are doing more than wearing them and re-uploading them under a new ID.
Anyway - the logic would go like this: if someone uploaded a completely new avatar shortly after their logged in account changed into one they had not worn before, and the md5 matches, they stole it.
OR, simply, if someone changed into an existing blueprint ID and that blueprint ID is NOT tied to an avatar pedestal, they should immediately be flagged, because only avatars that are tied to pedestals or uploaded fresh can be worn by users normally.
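The two flagging rules proposed in this thread (a switch into an existing non-pedestal blueprint ID, and a fresh upload whose md5 matches an avatar just worn), written out as an added example that is not part of any comment here and is not VRChat code. The event format, the one-hour window, the "wearer owns it" exemption and all names and IDs are assumptions, and the sample data is constructed.

```python
import hashlib
from dataclasses import dataclass

UPLOAD_WINDOW_S = 3600  # assumption: what "shortly after" means

@dataclass
class Avatar:
    owner: str
    on_pedestal: bool
    md5: str

def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def review(avatars, events):
    """Walk time-ordered events; return (user, reason, blueprint_id) flags."""
    flags, worn = [], {}  # worn: (user, md5) -> time a non-pedestal avatar was first worn
    for ev in events:
        user, bp = ev["user"], ev["id"]
        if ev["type"] == "switch":
            av = avatars[bp]
            if av.owner != user and not av.on_pedestal:
                # Rule 1: existing ID, not the wearer's own, not on a pedestal
                flags.append((user, "switched-to-non-pedestal-id", bp))
                worn.setdefault((user, av.md5), ev["t"])
        elif ev["type"] == "upload":
            digest = md5_of(ev["data"])
            avatars[bp] = Avatar(user, False, digest)
            t0 = worn.get((user, digest))
            # Rule 2: fresh upload whose md5 equals an avatar just worn
            if t0 is not None and ev["t"] - t0 <= UPLOAD_WINDOW_S:
                flags.append((user, "reupload-md5-match", bp))
    return flags

def demo():
    raw = b"constructed avatar bundle bytes"  # constructed sample, not a real .vrca
    avatars = {
        "avtr_private": Avatar("alice", False, md5_of(raw)),
        "avtr_public": Avatar("carol", True, md5_of(b"constructed public bundle")),
    }
    events = [
        {"t": 0, "type": "switch", "user": "alice", "id": "avtr_private"},
        {"t": 50, "type": "switch", "user": "bob", "id": "avtr_public"},
        {"t": 100, "type": "switch", "user": "mallory", "id": "avtr_private"},
        {"t": 400, "type": "upload", "user": "mallory", "id": "avtr_copy1", "data": raw},
        {"t": 500, "type": "upload", "user": "mallory", "id": "avtr_copy2", "data": raw + b"\x00"},
    ]
    return review(avatars, events)
```

The last upload differs by one byte and is not flagged, which is the limitation raised in the replies about the hash changing with the smallest change to the package.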
ivankazuya
Lhun: I had the suggestion to have an in-game message which notifies you about a stolen avatar ID.
Lhun
I realized there's an easier way, see my comment below.
GotoFinal
Lhun: someone can just repackage that avatar and get a new ID... so there is no reason to even fight with this.
GotoFinal
Most cheaters don't really steal your avatar - they just want to show off that they can do it. So they don't care about such "protection", as 90% of them will only switch to your avatar in front of you and go to another map only to do the same (or create a new account if banned). Only a very small percentage of people will really steal an avatar and use it after that - and then they will just spend some time on it and remove that element, either by Unity or by code.
Ny jion
barry noice