False Alarm: Warning for dev: [email protected] / Jacob Pedersen

Status
This thread has been locked.

ConnorPeet

Feedback score
0
Posts
76
Reactions
109
Resources
0
Heads up for a developer, Jacob Pedersen, going with the email [email protected] or username frash23. Over in the MC-Market Skype chat we discovered that he's placed rather nasty backdoors in his some of his works, such as GravityPVP and Desteria.

While (as a former freelancer) I recognize there need for a fallback in the case of non-payment, but backdooring client work is an unacceptable and illegal way to go about this. Would not recommend hiring this developer.
 
Last edited:
PebbleHost
High performance, consistent uptime and fast support. Minecraft hosting that just works.

MCHelper

Feedback score
0
Posts
183
Reactions
61
Resources
0
Heads up for a developer, Jacob Pedersen, going with the email [email protected] or username frash23. Over in the MC-Market Skype chat we discovered that he's placed rather nasty backdoors in his some of his works, such as GravityPVP and Desteria.

While (as a former freelancer) I recognize there need for a fallback in the case of non-payment, but backdooring client work is an unacceptable and illegal way to go about this. Would not recommend hiring this developer.
Could you explain a bit more, what backdoors etc.
 

ConnorPeet

Feedback score
0
Posts
76
Reactions
109
Resources
0
Could you explain a bit more, what backdoors etc.

Throughout the code on both linked sites, there's obfuscated code that injects a script tag which loads http://pj.gy/i.js. At the time of writing there is nothing at that address, but if the developer wanted to (or if his site was compromised by an attacker), he could do anything he wanted to the site and its visitors. Defacement, drive-by malware, phishing, you name it.
 

MCHelper

Feedback score
0
Posts
183
Reactions
61
Resources
0
Throughout the code on both linked sites, there's obfuscated code that injects a script tag which loads http://pj.gy/i.js. At the time of writing there is nothing at that address, but if the developer wanted to (or if his site was compromised by an attacker), he could do anything he wanted to the site and its visitors. Defacement, drive-by malware, phishing, you name it.
Aha, so basically he could spread some malware. I got it thanks.
 

frash23

Feedback score
0
Posts
6
Reactions
7
Resources
0
pj.gy/i.js is a security measure taken against people who steal code. The inclusion of the script has been discussed with each of my clients thoroughly, and I gave them the option to opt in on it. I have not inserted this script to any of my works without my clients saying "Yes, I would like this feature". I am very aware of my position, and I know what risks I can take - this is not one of them.

The script is there in case someone copies the code and is conveniently dumb enough to not remove it. Then I'd run a php or javascript script to evaluate visitors' address and redirect them to the original clients' site if it doesn't match the original site.


EDIT: Also, my email is now [email protected], not [email protected]. Moved some time ago ;)
 
Last edited:

frash23

Feedback score
0
Posts
6
Reactions
7
Resources
0
Just to add on this: I have access to Desteria's webserver (as I manage it), and have full permissions to edit any code on it (check line 3 on desteria.com's source).

I have absolutely no reason to be running the script on this site if my intention is to inject malware.
 

ConnorPeet

Feedback score
0
Posts
76
Reactions
109
Resources
0
Okay, thanks for clearing that up. I was speaking with someone who worked with GravityPVP and he gave no indication that he was aware of these backdoors.

There is still the concern, of, if a third party gained access to your server, domain, or DNS, he would be able to attack client sites. If you're concerned about payment, a written contract and/or escrow would be much, much better than backdooring client sites.
 

frash23

Feedback score
0
Posts
6
Reactions
7
Resources
0
Okay, thanks for clearing that up. I was speaking with someone who worked with GravityPVP and he gave no indication that he was aware of these backdoors.
I've only discussed with "Kyle |Zumph|", whom I assume is the owner of the server.
There is still the concern, of, if a third party gained access to your server, domain, or DNS, he would be able to attack client sites. If you're concerned about payment, a written contract and/or escrow would be much, much better than backdooring client sites.
This is true, and I have given it thought before.
I do host this solution on the clients' servers now, it's just a while since i plotted it in to Desteria and GravityPvP (where I hadn't thought of this issue).
 
Status
This thread has been locked.
Top