IP exploit +
closed
Lucifer MStar
I've seen a similar post about this with a very skeptical response from Tupper stating "IPs are not expected to be private information." While this is kinda half true IP's are not made to be so easily visible. That is why there are programs invented for showing ip's and traffic such as wireshark.
IP's are counted as personal data. In a game such as VRChat which is a social game with not just 1 community but many this shouldn't be so easily accessible and the exploit should be patched immediately. There is a reason IP's are not shown visibly everywhere.
Not only could this harm individuals of vrchat but the community as a whole. We shouldnt have to use a vpn to play your game which already has 150ping + Across europe and outside of america in general many players aren't even IT literate enough to use or understand the use of one.
You should know what kind of community you've created with VRChat and its largely growing into one of the most toxic I've ever had the pleasure of playing because of exploits such as these.
The IP exploit needs fixing.
Log In
Tupper - VRChat Head of Community
closed
As we've stated before, IPs are not expected to be private information. Steam Networking is a peer-to-peer realtime networking service in use by many applications, including VRChat. If you want to keep your IP truly safe, we encourage the use of a VPN. This is the case with any online application, game, website, or etc, and VRChat is no different.
That being said, this is something we'd like to see fixed in the future-- either from our side, or from Steam's.
As noted in previous posts, this post will be closed.
xxx_red_xxx
Tupper - VRChat Head of Community: Lol maybe actually say something different instead of the same ctrl + v'd BS. At least it would look like you aren't just trying to circumvent the situation and cover your ears about it.
bote
xxx_red_xxx: If you're worried about users grabbing your IP, then use a VPN. Any game using Steam Networking has this "issue," so it's unlikely that there will be a fix unless Valve changes how Steam Networking works.
bote
Grabbing user IPs isn't an exploit, the ability to check those is built into your computer. Certain parts of the game P2P in nature; until it's not, then you will always be able to grab anyone's IP in the game. The game uses Steam Voice, which is P2P, for voice communication. Source: https://partner.steamgames.com/doc/features/voice
Edit: General rule of thumb online is to be using a VPN anyways, period.
Lucifer MStar
bote: Again it shouldn't be so easily found. How the exploit can now just read our ip's for the maliouses user to do whatever they please with should not be a thing. Again there is a reason everyone's IP's are not just visible next to their names at all time. Stop trying to justify leaving users open to this vulnerability. Not all users will have the know how of using a VPN nor should they have to just to play this game.
bote
Lucifer MStar: It's not an excuse lol. Grabbing a user's IP isn't an exploit. You're going to be hardpressed to find games with P2P components that actually mask your IP in someway. What you're asking for would actually hurt your connection to the service more than getting a VPN would.
The days of LOIC are long-dead, and the only real DDoS threats are from large botnets, which require your local skiddy to have a lot of money to access nowadays. You're not going to get DDoS'd by wolfboy #19283483 on a modern network with a modern modem/router.
Lucifer MStar
bote: lmao ok. You clearly dont understand whats going on here.
bote
Lucifer MStar: I understand fearmongering and how people believe anything a discord chain letter says. Do your research before submitting another canny request based on this "exploit."
Posted by my iPhone. IP: 127.0.0.1
Lucifer MStar
bote: Do your research before you comment and base things off of believing that people get their info from discord.
john Jane
Lucifer MStar: you're the one that needs to do research. There is no "exploit". VRchat uses peer to peer networking which "broadcast" your IP to whoever you connect with ingame. devs can't change that. at least not while keeping the game free to play. Just get a VPN. You might imagine it to be some advanced rocket science but VPN providers purposely make their software interface as user friendly as possible. My grandmother could use one.
xxx_red_xxx
bote: I've been DDoSed a few times by a few crasher gangs because they all voluntarily form a botnet most likely. Did you ever consider that?
bote
xxx_red_xxx: Get a VPN.
Lucifer MStar
john Jane: Please don't respond to closed submissions. Also it is well known know that the exploit is actually a VRChat development choice. Even though it is still possible to retrieve such information it should not be as easy. The client community has fixed this issue with 1 simple line change.
Mimi
I get no noticable slowdown at all using a VPN, in fact, I've noticed I'm connecting to worlds much quicker with one. I forget I even have it now
Lucifer MStar
Mimi: That's not really the whole point. Some might not have access to good VPN's etc.. and it is different for everyone's connection and setup. But mainly you shouldn't have to use a VPN to play this game.
owlboy
It's counted as protected private data when stored inside of a database/filesystem on a server by a company under GDPR. This is not what is happening here.
If you are storing the IP, that storage needs to be protected, and other GDPR rules apply.
So I would keep that out of the conversation if you want to lobby for not having peer to peer connections in VRChat. _That_ is what you should be arguing for. The end of P2P in VRC. You would have a much more direct and clear request. One that is not mixed up in complicated laws that don't (or only tangentially) apply.
(To be clear, I am not advocating for P2P to be removed from VRC.)
/disclaimer/
I am not a GDPR expert. If you are and you can show us all the place where it clearly says P2P connections are covered, that would help these people's case. But I'm sure VRChat has done their due diligence with respect to GDPR.
Lucifer MStar
owlboy: I'm not arguing the protection of IP's or the GDPR I'm saying VRChat need to make it more secure to hide our IP's from their huge growing exploiting/hacking community. I know for a fact it can be done.
Naelily
Not only is ip-grabbing one of many tools that crash/hacker groups use to harass people but using a vpn is also the main way they get around bans, so it's odd that staff would _recommend_ using one. What games expect you to use a vpn just to avoid harassment? VRChat apparently. Perhaps if they had an anticheat system not only would the IP-mining get resolved but so would all the other exploits like VRCheat and so on. Or at least checksum the client & its files? At any rate this is one of many exploits that need fixing and it is no secret that VRChat has some glaring security problems. I think fixing the problem Lucifer is reporting is a reasonable expectation.