Discussion in 'Community Feedback and Suggestions' started by MrDienns, Jan 9, 2018.

  1. So, a while ago this thread was created where a user found a backdoor in some plugin here on Spigot. We have resource staff working hard on keeping the forums safe, but realistically speaking, sometimes they miss an entry here and there. If a backdoor gets uploaded, people will download and install it. When a resource staff member later deletes the plugin because of malicious code, the user isn't notified whatsoever. It prevents people from downloading it in the future, but it doesn't help the ones that already downloaded it.

    My suggestion: Add an ability for resource staff members to alert the downloaders after a resource was deleted. This can be optional, and a category can be chosen, for example a "malicious" category. I don't think Spigot keeps track of which users downloaded the resource; however, you can use the list of users that watch the resource and notify those users. You'd probably alert 9 out of 10 people with that. Additionally, you can send a message with instructions to every resource watcher with details of the backdoor, for example instructions on how to fully delete it. With this you can assure a little more safety in the community.

    Tagging @2008Choco since he was involved with the deletion and discussion of the resource. Also tagging @peyman since he discovered the backdoor.
  2. MiniDigger


    Mmmh. I think many people download resources without being logged in, so there are quite a few who can't be alerted at all.
    I like the idea of checking who watches something. No idea how XenForo stores this stuff, but you should be able to get a list of names or user IDs with an SQL query; then you could send them messages.
    No idea how often this occurs; maybe it's enough if md_5 does it manually and just saves the query somewhere?
  3. Good idea ... :)
    Also, sometimes it can be something more than a Minecraft backdoor; it can be malware, a miner or even a botnet.
    I think SpigotMC should add a new limit for new users: no one should be able to post a free resource in their first 2 weeks.
  4. Oh right, I forgot about users not signed in. Maybe it can be done with cookies: download a plugin, and save a cookie recording that he did (if not signed in). If a resource was recently deleted and an alert was configured, check through this cookie whether the user has downloaded it. If so, show a giant red popup. Just an idea. If @md_5 agrees with this, he has several options as to how far he can take it.
  8. Legoman99573


    Waiting for the "Dont download random resources" comment :/

    Please make this a feature. It saves server owners who are new to spigot/bukkit from worrying too much. It will give them a warning to remove the resource.
  9. md_5

    Administrator Developer

    If someone makes this addon, we will install it.

  10. What happens if that addon has a backdoor? :cool:
  11. md_5

    Administrator Developer

    I'm not stupid
  12. Maximvdw


    Fairly sure that you won't be able to hide a backdoor in a scripting language from even the most skiddie programmer.
  13. As long as you can read English, you're fine.
  14. Surprisingly enough, you can do fairly well actually. I was doing an internship at some e-commerce company a while ago, and one customer managed to get malware on his site (don't ask me how). If I remember correctly the malware was a one-liner, hex encoded, which screws up your SEO results and replaces all SEO text with illegal things, such as a fashion webshop selling illegal guns/drugs all of a sudden...

    As long as you basically go over all lines of code and look for anything it shouldn't do: downloading external files (especially executable ones), opening weird connections, etc.
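The review post 14 describes, turned into a first automated pass. This is an added example, not code from the thread, from SpigotMC or from any plugin author: it opens a plugin jar in memory and greps every compiled class for JVM API names a gameplay plugin rarely needs (process execution, sockets and URLs, runtime class loading, Base64/Cipher for embedded blobs, hard-coded download URLs), and flags nested executables shipped inside the jar. The pattern list is an assumed heuristic, not a signature database, and the sample jar it scans is constructed inline with fake class entries. A hit means "open this class in a decompiler and read it", not "backdoor"; a plugin that assembles class names at runtime or from obfuscated strings will slip past a byte-level scan like this.

```python
import io
import re
import zipfile

# Heuristic patterns (assumed, not a signature database). Class names are in JVM
# internal form, which is how the constant pool stores them. The lookaheads stop
# java/lang/Runtime from matching the ubiquitous java/lang/RuntimeException.
SUSPICIOUS = {
    "process-exec": [rb"java/lang/Runtime(?![A-Za-z])", rb"java/lang/ProcessBuilder"],
    "network": [rb"java/net/URL(?![A-Za-z])", rb"java/net/HttpURLConnection",
                rb"java/net/Socket(?![A-Za-z])", rb"java/net/URLClassLoader"],
    "dynamic-code": [rb"java/lang/reflect/Method", rb"\bdefineClass\b",
                     rb"javax/script/ScriptEngine"],
    "encoded-payload": [rb"java/util/Base64", rb"javax/crypto/Cipher(?![A-Za-z])"],
    "url-literal": [rb"https?://[!-~]+"],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in SUSPICIOUS.items()}
BINARY_SUFFIXES = (".jar", ".exe", ".dll", ".so", ".sh", ".bat")
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def scan_class(data: bytes) -> dict:
    """Return {category: sorted list of matched strings} for one class file's bytes."""
    hits = {}
    for category, patterns in COMPILED.items():
        found = {m.group(0).decode("ascii", "replace")
                 for pat in patterns for m in pat.finditer(data)}
        if found:
            hits[category] = sorted(found)
    return hits


def scan_jar(jar_bytes: bytes) -> dict:
    """Scan a jar held in memory; returns {entry name: hits} only for entries with hits."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(BINARY_SUFFIXES):
                # A plugin has no reason to carry a second jar or a native binary.
                report[name] = {"embedded-binary": [name]}
            elif name.endswith(".class"):
                data = zf.read(name)
                if not data.startswith(CLASS_MAGIC):
                    report[name] = {"malformed": ["missing class-file magic"]}
                    continue
                hits = scan_class(data)
                if hits:
                    report[name] = hits
    return report


def build_sample_jar() -> bytes:
    """Constructed sample input. The two 'class' entries only imitate constant-pool
    UTF-8 entries (tag 0x01, two-byte length, text); they are not loadable classes,
    just enough for the scanner to see one clean and one suspicious file."""
    header = CLASS_MAGIC + b"\x00\x00\x00\x34"  # magic + class-file version 52 (Java 8)
    clean = (header
             + b"\x01\x00\x21org/bukkit/plugin/java/JavaPlugin"
             + b"\x01\x00\x1ajava/lang/RuntimeException")
    shady = (header
             + b"\x01\x00\x11java/lang/Runtime"
             + b"\x01\x00\x04exec"
             + b"\x01\x00\x0cjava/net/URL"
             + b"\x01\x00\x22http://example.invalid/payload.jar"
             + b"\x01\x00\x10java/util/Base64")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin.yml", "name: Example\nmain: com.example.Main\nversion: 1.0\n")
        zf.writestr("com/example/Main.class", clean)
        zf.writestr("com/example/Loader.class", shady)
        zf.writestr("assets/helper.exe", b"MZ\x90\x00")  # nested executable, always flagged
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in scan_jar(build_sample_jar()).items():
        print(entry)
        for category, matches in hits.items():
            print(f"  {category}: {', '.join(matches)}")
```

On a real jar, replace `build_sample_jar()` with the bytes of the downloaded file. Expect the report to list a class or two in a legitimate plugin too (an update checker hitting `java/net/URL`, a metrics class using `Base64`); the point is that those are the classes to read before the server is restarted with the plugin loaded.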
  15. About the cookie for users that aren't signed in, how would they be notified about such an issue?
  16. Maximvdw


    Bad luck. Should've joined spigot then :]
  17. That's the entire point of the cookies. We can simply make a popup or some kind of notification when they visit the site.
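The cookie scheme sketched in posts 4 and 17, as an added example that is not code from the thread, from XenForo or from SpigotMC. On every anonymous download the site appends the resource ID to a cookie; on every later visit the IDs in the cookie are intersected with the set of resources staff have since deleted as malicious, and the visitor gets the staff-written removal instructions for those. The cookie name, the ID separator and the one-year lifetime are assumptions. Because the browser owns this cookie, anyone can edit it, so it must only ever drive a warning banner; access control or moderation decisions must never depend on it.

```python
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "downloaded_resources"  # assumed name; IDs are joined with "."
MAX_IDS = 200                          # keep the cookie well under the 4 KB limit
ONE_YEAR = 60 * 60 * 24 * 365


def parse_downloads(cookie_header):
    """Resource IDs recorded in a request's Cookie header; garbage is ignored."""
    if not cookie_header:
        return []
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return []
    if COOKIE_NAME not in jar:
        return []
    return [int(part) for part in jar[COOKIE_NAME].value.split(".") if part.isdigit()]


def set_cookie_after_download(cookie_header, resource_id: int) -> str:
    """Set-Cookie header value that records one more download for this visitor."""
    ids = parse_downloads(cookie_header)
    if resource_id not in ids:
        ids.append(resource_id)
    ids = ids[-MAX_IDS:]  # drop the oldest entries rather than growing forever
    jar = SimpleCookie()
    jar[COOKIE_NAME] = ".".join(str(i) for i in ids)
    morsel = jar[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["max-age"] = ONE_YEAR
    morsel["secure"] = True      # HTTPS only
    morsel["httponly"] = True    # page scripts do not need to read it
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def warnings_for_visitor(cookie_header, flagged: dict) -> list:
    """Removal instructions for every flagged resource this visitor downloaded.

    flagged maps resource ID -> staff-written text; it is the server-side list of
    resources deleted as malicious and is the only trusted input here."""
    return [flagged[i] for i in parse_downloads(cookie_header) if i in flagged]


if __name__ == "__main__":
    # Constructed walk-through: two downloads, then resource 34 is pulled as malicious.
    first = set_cookie_after_download(None, 12)
    print("Set-Cookie:", first)
    second = set_cookie_after_download("downloaded_resources=12", 34)
    print("Set-Cookie:", second)
    flagged = {34: "Delete plugins/Example.jar and its data folder, then restart the server."}
    print(warnings_for_visitor("downloaded_resources=12.34", flagged))
```

The `Set-Cookie` value is what the download endpoint returns; the `Cookie` header the browser sends back carries only `name=value`, which is what `parse_downloads` expects. Because the cookie is unauthenticated, a tampered value can at worst show the visitor a warning they did not earn.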
  18. Why not use the XenForo notification system to send an alert, and if the player has the receive-email-notifications option enabled, you just send the message too?
  19. Sending an email is a lovely addition. It would only apply to signed-in users, though, but it can be added.

