Resource Injector, Vulnerability, Tickets, & more!

Mick

BuiltByBit Owner
Management
Feedback score
28
Posts
6,413
Reactions
7,668
Resources
0
Happy New Year!
2019 was a huge period of development for MC-Market with a new account upgrade, massive changes to our resource and reputation system, over $10,000 raised for charity and the doubling of the staff team’s size. We now have four different developers working on projects for our platform, and we look forward to 2020 being a period of growth for us and our community’s creators.

Combatting Piracy

In July 2019, we made an announcement with huge changes to our resource system in our fight against leak sites and leakers: https://www.mc-market.org/threads/495708/

Most of these changes were preventative measures, to stop leakers from obtaining and leaking the products in the first place, but what happens when a file inevitably ends up falling into the wrong hands? How can we ensure that the leaker is stopped and action is able to be taken?

Since that announcement, we’ve been hard at work developing the software necessary in order to offer placeholders for our community to use in all of our resource categories, into which MC-Market will inject the download data upon each download. This will allow our creators to hide unique data in their products for identifying the downloader of whatever file becomes leaked. This feature will be employed retroactively as well, injecting values into placeholders included in any resources uploaded prior to this change.

A list of all of the placeholders we’re offering, as well as an explanation of each, is available here: https://www.mc-market.org/wiki/resource-anti-piracy-placeholders/. They are available for free and paid resources in any category; however, the anti-piracy uses are clearly suited for paid products. If there are any more placeholders that you’d like to see added, please create a suggestion thread. It is more difficult for some resource types to utilize these anti-piracy features, but we still encourage all resource authors to use them in their paid products wherever possible. We will be continuing to develop this system in the future.

Vulnerability Abuse

Between December 22, 6:50 PM GMT and December 23, 2:30 AM GMT, for a period of 7 hours and 20 minutes, MC-Market’s download page for its resources was missing its usual license check prior to providing the requested file.

During this period, exactly 21 users downloaded a file without authorization. After discovery, exactly 16 users continued to utilize this vulnerability to download additional resources without right. All 16 of those users have been restricted and will be required to either pay the resource authors they owe or be banned from our platform for the intentional exploitation of the vulnerability in order to circumvent normal restrictions and gain access to content on our site without authorization. The other five users have not been restricted, but are held to the same expectations.

All resource authors affected by these users have already received a private message. If you have not already been messaged by an administrator regarding this, your resources were not involved.

Authors whose abusers refuse to pay for the products they downloaded and are banned will be reimbursed by MC-Market in the form of non-transferable advertisement credit, covering the remainder of the owed amount.

Although thievery is inexcusable and each abuser should be held accountable for their intentional misconduct, we want to apologize for it having been possible for those users to abuse this. During the implementation of our resource injector, some test code disabling the license check was mistakenly not removed from the final version of the software we paid to have developed. We agree that this is completely unacceptable. To ensure nothing like this ever happens again, we will be adding a second code verification step before any addons we have commissioned are implemented into our website. Justis, with years of experience as a developer and resource moderator checking our community’s products, will be personally verifying the integrity and safety of each custom addon we receive, as well as each modified version at every level of development where the live site receives an update, prior to installation. No development mistakes like this have ever made their way to our platform before and we fully intend on ensuring it never happens again.

Tickets System

Over the past week we have released a new ticket support system to our Ultimate users, and later our Supreme users. Today, we have opened tickets up to be available to everyone. If you have any currently open support requests from our old system then you can convert them over to our new system, but we no longer allow any users to create support requests while we migrate.

This new system has many benefits over our previous system, such as the ability for guests to create tickets and a far more powerful backend for staff members to efficiently respond, reducing wait times.

Other Changes

Along with the above, we have also made minor adjustments to site policies and some forum layouts. A full list of changes we have made is as follows:
  • Added ability for Premium users to charge Euros for resource sales
  • Added several new subforums to Development forum
  • Added new ‘Writing’ service forum
  • Added rule 1.23 clarifying that external sites and servers and services may only be linked or promoted if the hosted content abides by on-site rules
  • Added rule 3.1.2 clarifying that advertising content requiring user registrations is not allowed
  • Adjusted rule 3.4 slightly to: “3.4 Do not send multiple advertisement messages within twenty minute increments, or advertise content which has been advertised in the last 20 minutes.”
  • Adjusted rule 3.6 slightly to: “3.6 Do not advertise products and services which you yourself do not own or have the right to redistribute.”
  • Adjusted rule 5.6 slightly to clarify that although ebooks may not be sold, they can be distributed
  • Adjusted minecraft account sales to now be a forum with subforums rather than a category
  • Removed our new resource index page, reverting back until a new trial is developed
  • Removed ability to sticky minecraft account sale threads
Thanks everyone, have a good 2020!

Mick
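
The download path the announcement describes, as an added sketch that is not MC-Market's code: the license check runs before anything is served, then placeholders are filled in per download. The token names, the text-suffix rule and the license set are assumptions made for this example.

```python
import io
import zipfile

# Hypothetical tokens for this sketch; the site's real placeholder list is on its wiki.
TOKENS = ("{{USER_ID}}", "{{RESOURCE_ID}}", "{{DOWNLOAD_ID}}")
TEXT_SUFFIXES = (".yml", ".json", ".txt")  # assumption: only plain-text entries are rewritten


class LicenseError(PermissionError):
    """The requester holds no license for the resource."""


def inject(data, values):
    """Replace each token in a text entry with this download's value."""
    for token in TOKENS:
        data = data.replace(token.encode(), str(values[token]).encode())
    return data


def serve_download(licenses, user_id, resource_id, download_id, archive):
    """Return a per-download copy of `archive` (zip bytes) or raise LicenseError."""
    # The license check runs first, unconditionally, with no debug or test
    # switch around it; an unlicensed request never reaches the file.
    if (user_id, resource_id) not in licenses:
        raise LicenseError(f"user {user_id} holds no license for resource {resource_id}")
    values = dict(zip(TOKENS, (user_id, resource_id, download_id)))
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            # Binary entries are copied untouched: a blind byte replace can
            # corrupt formats that store string lengths.
            if name.lower().endswith(TEXT_SUFFIXES):
                data = inject(data, values)
            dst.writestr(name, data)
    return out.getvalue()


def sample_archive():
    """Constructed sample resource: one text entry with tokens, one binary entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("config.yml", "licensed-to: {{USER_ID}}\ndownload: {{DOWNLOAD_ID}}\n")
        z.writestr("icon.bin", b"\x00\x01{{USER_ID}}\x02")
    return buf.getvalue()


def read_entry(archive, name):
    """Read one entry back out of zip bytes, e.g. when examining a leaked copy."""
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        return z.read(name)
```

A regression test that requests a file as an unlicensed user and expects `LicenseError` is the kind of check that would catch leftover test code disabling the license gate before release.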

asa

i love kevin
Supreme
Feedback score
140
Posts
2,737
Reactions
5,305
Resources
0
Adjusted minecraft account sales to now be a forum with subforums rather than a category
please move this back, i literally have every other category closed
 

MarkElf

9+ Year Member
Supreme
Feedback score
27
Posts
1,215
Reactions
1,217
Resources
2
I personally think this should be the amount the plugin is worth, via a payment method of the author's choosing. While it was an accident, developers put trust in the website to release their product. Giving them a sticky on the resources page for a few days isn’t really compensation imo.
I agree, though I also don't expect Mick to pay out of his pocket for no benefit of his own. I think the advertising credits are fair enough as a virtual currency given Mick and Justis didn't even have to come out with the exploit existing at all and none of us would be any wiser about it occurring.
 

haner

my stummy hurt
Supreme
Feedback score
9
Posts
117
Reactions
42
Resources
0
Seconds happy new year Mick

Happy new year!

happy new years

Happy new year everyone! :p

thanks for this, and happy new year!

Noice, happy new year.

Happy new year!!!

Happy new year everyone!

Happy new year!

I like that.

Make that page to be more friendly to the new users.

And Happy New Year!

Happy new year!

Happy New Year!! I hope the staff team brings great changes to MCM this year. Looking forward to seeing them. :)

bro i swear if i see another one of these:mad:
 

SSH

The only way to reach me is discord: @ssh_
Supreme
Feedback score
30
Posts
585
Reactions
262
Resources
0
Great update Mick.

Glad to see resources are being focused on, it's an ever-growing aspect of the community, and I'm happy to see it getting the attention and updates it deserves.

I might have had the idea of placeholder injection in May of last year, but you know how it goes, you miss 100% of the shots you don't take.
I didn't know Mick had discord.
 

Severingcastle8

Backend Web Developer
Supreme
Feedback score
27
Posts
736
Reactions
270
Resources
0
Happy new year.

But I kinda find it stupid we can't have sites that require them to log in, so if we sell our resources externally we can't anymore with a login. See, I see how it is now. Or if we have people apply for staff on our Minecraft server forums, we can't.

-- edit

And another thought with this: doesn't that kinda just make all hosting companies out of the question, with them making you register to order?

It would be nice if this was stated more clearly.
 

utaninja

( ̄^ ̄ )ゞ
Supreme
Feedback score
36
Posts
1,360
Reactions
940
Resources
0
It’s great to see that MCM is working on improving these systems. I believe that the reimbursement, assuming the users don’t pay back, should be given through actual currency and not advertising credit, if requested to be so.
 

VoidWardon17

Server Developer
Premium
Feedback score
2
Posts
222
Reactions
38
Resources
0
GG, bye leakers
 

34010

Supreme
Feedback score
69
Posts
2,037
Reactions
2,189
Resources
0
cool update please message me whenever so i can claim my prize
 

nobody

Software Engineer
Supreme
Feedback score
1
Posts
0
Reactions
20
Resources
0
I agree, though I also don't expect Mick to pay out of his pocket for no benefit of his own. I think the advertising credits are fair enough as a virtual currency given Mick and Justis didn't even have to come out with the exploit existing at all and none of us would be any wiser about it occurring.
Why would they not have to come out with the existence of an exploit whose fault is on them?
 

MarkElf

9+ Year Member
Supreme
Feedback score
27
Posts
1,215
Reactions
1,217
Resources
2
Why would they not have to come out with the existence of an exploit whose fault is on them?
Mick and Justis didn't even have to come out with the exploit existing at all and none of us would be any wiser about it occurring.
Did you even read my whole message? The majority of people, myself included, clearly wouldn't be aware of the issue that had occurred. I didn't even notice and it slipped under my nose as it probably showed up on the purchase tab and I don't really check that often. In the event you were impacted, did you even notice? Anyway, good for them, being transparent with their community and making amends is the right way to govern a community.
 

nobody

Software Engineer
Supreme
Feedback score
1
Posts
0
Reactions
20
Resources
0
Did you even read my whole message? The majority of people, myself included, clearly wouldn't be aware of the issue that had occurred. I didn't even notice and it slipped under my nose as it probably showed up on the purchase tab and I don't really check that often. In the event you were impacted, did you even notice? Anyway, good for them, being transparent with their community and making amends is the right way to govern a community.
I read it lol, you assume all of us wouldn't hear about an exploit and that they could somehow hide it as a big market like this. Restricted credits aren't a good way to make amends for lost paid digital content either.
 

GKLennie

Premium
Feedback score
0
Posts
131
Reactions
25
Resources
0
How would the file Injection stuff work if I sold smth as a zip? I assume it wouldn’t inject all the files in the zip, rather just the zip? And couldn’t leakers just remove the MCM added data quite simply?
 