I work on and co-own BeamMP[1], an open-source multiplayer mod for BeamNG.drive (the driving simulation game at the core of this breach) with about 1M registered users / >20k daily active users. I missed the original thread[2].
I can add some context on how this (likely) happened.
BeamNG.drive runs a Lua scripting engine, in which they also run a large amount of their own game / simulation code. This Lua scripting engine uses LuaJIT[3], which includes C FFI functionality. This whole scripting environment is sandboxed, but the C FFI is obviously needed to allow optimizations between the game's Lua logic and the game engine (C++).
People I know personally have found various ways around this sandbox, which effectively allows any mod (which can contain Lua scripts), to bypass the sandbox. These were always disclosed immediately to BeamNG GmbH itself, sometimes against payment, sometimes entirely for free. These people continue to find and report ways to break the sandbox, and BeamNG GmbH is very quick to fix these issues before they ever get found and exploited.
The following is my opinion, and not that of BeamMP Ltd. or BeamNG or anyone but me: I think the BeamNG developers would do well with hiring or otherwise working towards fixing their sandbox. These issues have been in the sandbox for such a long time that it's almost embarrassing that they still exist -- I won't go into detail, but some of the exploits found (and fixed) are incredibly trivial. Add to that the possibility that a lot of players run the game as Administrator when it errors in any way, and you have admin permissions on random foreign Lua code that is barely sandboxed.
Of course the blame is on the hackers, but I can't help but feel like at least the more common hacks could be prevented. By hiring a security engineer or two, or not (occasionally) ghosting people who do this work for free, for example.
We (BeamMP, not affiliated with BeamNG.drive or BeamNG GmbH in any way, as they ignore any attempt we make at talking to them), are working actively to make sure players know that they cannot trust mods, especially mods from servers they join. But, sadly, we can't help them fix their game or their sandbox.
I personally just went down the route of stripping down the FFI system when integrating LuaJIT. It included things like removing the ability to define new ffi types/functions or loading libraries, as well as removing most casting and pointer indexing.
Make sure to also remove any way to load bytecode. Luau has a good page on what they've done in pursuit of sandboxing: https://luau-lang.org/sandbox (it's also a good alternative to consider if ever you don't need LuaJIT specifically)
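The two comments above describe the Lua-side half of this kind of hardening: an environment that never hands a mod `require`/`ffi`, `io`, `os` or `debug`, plus a loader that refuses bytecode. The following is an added illustration of that idea for LuaJIT / Lua 5.1; it is not BeamMP, BeamNG or the commenter's code. It assumes the host controls `_G` before any mod runs, that mods are only ever compiled through the `run_mod_source` function below (`load_text_chunk`, `make_sandbox_env` and the sample mod strings are all constructed for this example), and it does not show the C-side stripping of `ffi.cdef`/`ffi.load`/casts the commenter mentions, since that happens inside the FFI library itself.

```lua
-- Added example (not BeamMP/BeamNG code): a minimal LuaJIT / Lua 5.1 mod
-- sandbox. Assumes the host owns _G and loads mods only via run_mod_source.

-- string.dump emits bytecode. Remove it from the shared string library so it
-- cannot be reached through the string metatable (("x").dump) either;
-- copying a filtered `string` table alone would not close that path.
string.dump = nil

-- Lock the shared string metatable: __metatable makes getmetatable("") return
-- this marker and makes setmetatable on strings raise an error.
getmetatable("").__metatable = "locked"

-- Copy only whitelisted members of a library table (no reference sharing).
local function copy_subset(src, names)
  local out = {}
  for _, n in ipairs(names) do out[n] = src[n] end
  return out
end

local function make_sandbox_env()
  local env = {
    assert = assert, error = error, ipairs = ipairs, pairs = pairs,
    next = next, select = select, tonumber = tonumber, tostring = tostring,
    type = type, unpack = unpack, pcall = pcall, xpcall = xpcall,
    print = print,
    string = copy_subset(string, { "byte", "char", "find", "format", "gmatch",
      "gsub", "len", "lower", "match", "rep", "reverse", "sub", "upper" }),
    table = copy_subset(table, { "concat", "insert", "remove", "sort" }),
    math = copy_subset(math, { "abs", "ceil", "cos", "floor", "huge", "max",
      "min", "pi", "random", "sin", "sqrt" }),
  }
  -- Deliberately absent: require, package, ffi, io, os, debug, dofile,
  -- loadfile, load, loadstring, setfenv, getfenv, getmetatable, setmetatable,
  -- rawget, rawset, collectgarbage. A mod that calls them hits a nil global.
  env._G = env
  return env
end

-- Compile mod source as text only. Lua and LuaJIT bytecode chunks start with
-- ESC (0x1B); reject those before the compiler sees them, because the VM does
-- not verify untrusted bytecode and it can escape any environment-based
-- sandbox.
local function load_text_chunk(src, name, env)
  if type(src) ~= "string" then return nil, "source must be a string" end
  if src:sub(1, 1) == "\27" then return nil, "bytecode is not allowed" end
  local fn, err = loadstring(src, name)
  if not fn then return nil, err end
  setfenv(fn, env)  -- Lua 5.1 / LuaJIT: functions created inside inherit env
  return fn
end

-- Run one mod's source in a fresh environment. Returns pcall's results.
local function run_mod_source(src, name)
  local env = make_sandbox_env()
  -- Give mods a guarded loader instead of the real loadstring/load, so
  -- nested code generation stays text-only and inside the same env.
  env.loadstring = function(s, n) return load_text_chunk(s, n or "=(mod)", env) end
  env.load = env.loadstring
  local fn, err = load_text_chunk(src, name, env)
  if not fn then return false, err end
  return pcall(fn)
end

-- Constructed samples: a benign mod, a mod probing for the FFI through
-- require, a mod trying to reach os, and a raw LuaJIT bytecode header.
print(run_mod_source([[ return string.format("%d", 2 + 3) ]], "=benign"))
print(run_mod_source([[ local ffi = require("ffi"); return ffi ]], "=ffi_probe"))
print(run_mod_source([[ return os.getenv("HOME") ]], "=os_probe"))
print(run_mod_source("\27LJ\1\0", "=bytecode_probe"))
```

The environment approach only controls what names a chunk can see; it does nothing about CPU or memory exhaustion (a `debug.sethook` instruction-count hook on the host side is the usual complement), and it is only as strong as the host functions it hands out, which is why the whitelist copies individual functions rather than exposing whole library tables.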
Are you aware of any information out there about what mod exactly contained the exploit and where it came from?
I'm of course quite curious about how said mod ended up on this person's computer in the first place. As I'm sure you know but I'll explain for the benefit of the wider HN audience, there's a big divide in the BeamNG community over third-party mod sites versus sticking to the official repository. The official repo has rules against stolen content like models ripped from commercial games so the people who just want to crash real life cars tend to go to the third party sites where there's a lot less oversight and quality control, while those of us who don't care about that tend to recommend sticking to the official repo for both ease of use and minimization of potential problems like version update breakage and security exploits. If this came from the official repo that'd blow a lot of holes in the main arguments against the third party sites, and vice versa if it did come from a third party site it'd stand as a demonstration of the point.
I didn't know BeamMP could automatically download mods from the server (none of my friends play Beam so I haven't really used it much), obviously that could have been it as well.
As far as we know it was a mod from modland, and nothing to do with BeamMP (luckily). We don't know which mod, but I've seen people on twitter talk about reverse engineering it - maybe someone knows which mod?
And yes when people join modded servers (which is clearly marked and the mods are listed), the mods are downloaded and installed. This enables super cool community made gamemodes, some of which have thousands of players.
The story is incomplete. The user can’t read those channels, but the app someone may have used his credentials to authorize did. Google Workspaces have the same problem with adding “backup” apps. It’s a broken authorization model.
We also don’t know where the tokens came from, they could have just been leaked literally anywhere else.
If I were Disney, I wouldn’t consider it “case closed.”
If I were you, I would focus on what you can affect. I am sure a motivated party can use the multiplayer code you’ve authored to manipulate a remote player’s computer. There’s nothing to say here besides software is riddled with security holes and egos too big to concede obscurity is the most important defense.
Yes, I'm sure our code allows various exploits. It's open source though, and we try our best - that's really all we can do since we're volunteers and the project is not commercial, and none of us get paid.
All the money we generate indirectly (i.e. through offering a multiplayer experience) goes to BeamNG themselves via game sales, who sadly also refuse to speak to us. All direct donations go to keeping our infrastructure up, and the rest is saved up for rainy days.
We can't hire security researchers, not if they wanna get paid ;)
[1]: https://beammp.com and https://github.com/BeamMP
[2]: https://news.ycombinator.com/item?id=40955693
[3]: https://luajit.org/