- Dec 24, 2019
A couple of days ago CDPR issued a warning to all players about potential security issues with mods. Today the creator of Cyber Engine Tweaks hit back at CDPR stating that the problems were fully on them and modders should not be blamed for the problems.
Ok, I feel like I need to say something, this kind of bad practice has to stop.
Let me introduce myself, I am yamashi the creator of Cyber Engine Tweaks.
I wasn't planing on saying anything but since we, the modders, are getting blamed for this, I can't just stand on the sidelines and take it.
What CDPR posted above is WRONG, it isn't caused by an external DLL, the vulnerability is caused by a buffer overflow in a function they use to load strings, this function is used more than 100 times in the game, it is used to load the save games, the archive assets and other parts that we haven't investigated. This is 100% CDPR's fault, it isn't anybody else's fault. This is caused by a lack of proper unit testing.
What happened to owning up to your mistakes CDPR? Not only did PixelRick communicate this a week ago and you didn't do anything (this should have been hotfixed a few hours after you knew about it), but then you go public lying about the nature of the vulnerability so that modders take the fall for this? What we do, we do for free, we aren't your scapegoat, and this is definitely on you. The fact that we redirect the buffer overflow to xinput because it doesn't have ASLR does not mean that it's xinput's fault, we shouldn't be able to access xinput in the first place.
Just so you know everyone this isn't just a PC issue, every platform is affected.
It has been exploited to gain access to Geforce NOW already, maybe you should explain to NVIDIA how it is not your fault CDPR, I am not sure that's going to work once they audit the exe.
CDPR really does need to puck the pace up on the fixes, especially ones like this that impact the community that is crying out for more content and utilising mods. Hopefully, they will respond and act on the problem quickly.