I worked on BeamMP[0][1], for 5 years, both as a project manager and lead developer for the server and client. BeamMP is a wildly popular multiplayer mod for BeamNG (1M registered players, always at least 3k concurrent players, also it's AGPL licensed). I left the team this year, but I can tell you: Mods, if they manage to break the sandbox in any way, can do anything, and the BeamNG sandbox will never be perfect. To their credit, the BeamNG devs have hired people from the community who do a lot of security research, and they have found numerous issues and fixed them before they could be exploited.
We have seen prototypes that can make network requests out of the sandbox, call winapi functions, and do anything else with the same privileges as the game, which, worst case, is admin because players like running things as administrator. All of those exploits are fixed, now.
The issue remains one of the largest problems in the community, and sites that are well known for distributing mods with malware (which is pretty common) are at the top of Google search results.
BeamMP allows mods on servers, which causes clients to download and then execute code from those mods. That's a huge attack vector and BeamMP has been working hard to warn users and to come up with ways to prevent problems; but without funding (BeamMP is free) there is a limit on what can be done. The infrastructure costs already are sky high for supporting the crazy amount of users they have.
Sadly, everyone involved loves NDAs - I can only hope that companies start doing writeups, but I doubt it. So that's all the inside info I can give ;)
I'm not familiar with lua, but when it's embedded as a scripting engine is it really just allowed to import whatever packages it wants and have full access to the host computer's resources? If so it seems like a really poor fit for any game that intends to have user-created mods (and yes I'm aware that it's one of the most popular scripting engines in gamedev-land and has been for about two decades).
I remember when FPS games first embraced the mod community back in the late 90s many of them had their own dedicated scripting engines (QuakeC, UnrealScript, later quake 3 arena had "real" c programs but they were compiled to a custom bytecode interpreter) that didn't have free reign over anything but the game state and that seems like a much better way to do things. Games used to have options to let you automatically download requisite mods from servers and it was safe to do so, at least in theory. I have no doubt that at some point in time there was a ROP vulnerability that could've been used to turn this into a devastating malware vector but at least then the scripting engine wouldn't be functioning as designed.
You can lock down Lua, but you need ffi to achieve really good performance. This is what BeamNG.drive does, and that does theoretically open up the sandbox quite a bit. Suddenly you allow Lua to call C++ functions, and naturally vice versa. That could be a problem, and that's not the end of it, the Lua standard library (if you wanna call it that) contains io, command execution, etc. so you need to be selective about what you allow mods to do, while still making it possible for people to make mods.
In short; you need to give Lua power over your program in some way, and that's the weak link. Lua itself can run with zero access to the world, but then you have nothing more than a calculator or config file.
Indeed before online banking and widespread online shopping there wasn't much to care for in computer security. Also before ransomware were invented. I guess the biggest application was stealing passwords (and an occasional credit card #), botnets for DDoSing game servers and such, in which case user wasn't much affected. Nowadays specially with crypto wallets you can get crazy essentially unbounded prizes, maybe millions. Don't do cryptocurrency, kids (unless losing all your funds is the least of your concerns[0]).
[0] Like you're some kind of activist or maybe in an oppressive regime
I don't have anything meaningful to add to the discussion, but just wanted to say "Thanks!" to you, and the work that the Beam people have done to try and keep things as secure as they can. It'll never be perfect, but doing that work is important, and if it's done correctly the end user doesn't even know you did anything at all.
It's also really good to hear such an open and direct description of how things were/are, too. Clarity defeats the risks around obscurity of the unknowns. When the general public is given more info to work off of, they have a better idea of where the risks are, and how they can defend from, or if they are malicious - attack from, accordingly. The sharing of that information simply works to define what the areas of concern are for everyone involved.
This is the second time (we know of) BeamNG.drive being exploited due to bad security practices - the first time, disabling ASLR [0], leading to Disney being hacked, this time, disabling CEF sandboxing. It is weird to see them go out of their way to disable conventional security features on their product.
I'd imagine by the time your program's security is critically reliant on ASLR and process-level sandboxing, you're already in deep trouble, since any given minor update may turn existing holes into viable exploits. It will only slow down the rate of attacks at best.
The lesson I'd take here is "don't embed a web browser to run untrusted code unless you can keep it up to date 24/7". Hence the popularity of Lua interfaces for mods. Or even the alternative JS engines built for such purposes.
>It is weird to see them go out of their way to disable conventional security features on their product
Honestly with most developers I know, unless they also have a strong security background, it's not weird or surprising at all. Security features (almost?) never make debugging easier. When confronted with a failure that presents challenges devs will disable things that limit access or otherwise randomize the output in order to catch the problem and then 'hopefully' come tighten it back up when they are done. Unfortunately the second part rarely happens unless you have security auditors follow you around.
I had forced ASLR on in windows for a while... You'd be surprised how much stuff breaks with that. Almost feels like more is broken than not. Just to name a few: MinGW (including git for windows), Unity, Whatever installer Framework Signal and some others use, some Anti-Cheats
Still trying to understand - Did the mod developers intentionally shipped malicious code or they were compromised by some external attacker to target the downstream users?
The author indicates that the mod authors' account was "likely compromised" indicating a bad actor took over their account somehow, perhaps made easier by prolonged inactivity?
I don't think the author of this piece found it useful to speculate though and I have to agree. No need to break out pitch forks - let those involved get to the bottom of it.
I hate malware. I found two Android apps using an obfuscator loaded via JNI (libjiagu_64.so) which crashes on startup (on GrapheneOS) and I am at a loss at what to do next which doesn't involve send reports into the void hoping it reaches an human with the time, skills and willingness to check what is really going on.
That sounds familiar, I used <https://github.com/Cloudef/android2gnulinux> to reverse one libjiagu program in past. The deobfuscated code eventually ends up in the ram, and you can then extract it.
>Disclaimer: This blog post was written by Gemini, a large language model from Google AI, specifically the Gemini Pro model. My knowledge cutoff is June 2024. The information provided is based on my understanding and should not be taken as definitive professional advice.
I encourage you to cease contributing to the enshittification of the web.
Also, what did you expect from cheap no-name IoT shit? As we say, the S in IoT stands for Security...
What I meant is, I have ideas I like to explore but a two-liner blog post won't entice anyone.
For example on https://user934.com/2025/04/22/securing-home-and-smb-network... I mix several ideas together and define the test plan (chapter 5), and let LLM fill in the blanks. Plus I clearly identify it as mostly written by LLM, which is better than most SEO garbage spam. So I think I've achieved a good compromise.
I worked on BeamMP[0][1], for 5 years, both as a project manager and lead developer for the server and client. BeamMP is a wildly popular multiplayer mod for BeamNG (1M registered players, always at least 3k concurrent players, also it's AGPL licensed). I left the team this year, but I can tell you: Mods, if they manage to break the sandbox in any way, can do anything, and the BeamNG sandbox will never be perfect. To their credit, the BeamNG devs have hired people from the community who do a lot of security research, and they have found numerous issues and fixed them before they could be exploited.
We have seen prototypes that can make network requests out of the sandbox, call winapi functions, and do anything else with the same privileges as the game, which, worst case, is admin because players like running things as administrator. All of those exploits are fixed, now.
The issue remains one of the largest problems in the community, and sites that are well known for distributing mods with malware (which is pretty common) are at the top of Google search results.
BeamMP allows mods on servers, which causes clients to download and then execute code from those mods. That's a huge attack vector and BeamMP has been working hard to warn users and to come up with ways to prevent problems; but without funding (BeamMP is free) there is a limit on what can be done. The infrastructure costs already are sky high for supporting the crazy amount of users they have.
Sadly, everyone involved loves NDAs - I can only hope that companies start doing writeups, but I doubt it. So that's all the inside info I can give ;)
[0] https://beammp.com
[1] https://GitHub.com/BeamMP
I'm not familiar with lua, but when it's embedded as a scripting engine is it really just allowed to import whatever packages it wants and have full access to the host computer's resources? If so it seems like a really poor fit for any game that intends to have user-created mods (and yes I'm aware that it's one of the most popular scripting engines in gamedev-land and has been for about two decades).
I remember when FPS games first embraced the mod community back in the late 90s many of them had their own dedicated scripting engines (QuakeC, UnrealScript, later quake 3 arena had "real" c programs but they were compiled to a custom bytecode interpreter) that didn't have free reign over anything but the game state and that seems like a much better way to do things. Games used to have options to let you automatically download requisite mods from servers and it was safe to do so, at least in theory. I have no doubt that at some point in time there was a ROP vulnerability that could've been used to turn this into a devastating malware vector but at least then the scripting engine wouldn't be functioning as designed.
You can lock down Lua, but you need ffi to achieve really good performance. This is what BeamNG.drive does, and that does theoretically open up the sandbox quite a bit. Suddenly you allow Lua to call C++ functions, and naturally vice versa. That could be a problem, and that's not the end of it, the Lua standard library (if you wanna call it that) contains io, command execution, etc. so you need to be selective about what you allow mods to do, while still making it possible for people to make mods.
In short; you need to give Lua power over your program in some way, and that's the weak link. Lua itself can run with zero access to the world, but then you have nothing more than a calculator or config file.
Pretty sure it was not safe, people just cared less.
Indeed before online banking and widespread online shopping there wasn't much to care for in computer security. Also before ransomware were invented. I guess the biggest application was stealing passwords (and an occasional credit card #), botnets for DDoSing game servers and such, in which case user wasn't much affected. Nowadays specially with crypto wallets you can get crazy essentially unbounded prizes, maybe millions. Don't do cryptocurrency, kids (unless losing all your funds is the least of your concerns[0]).
[0] Like you're some kind of activist or maybe in an oppressive regime
Thank you! My kid is one of the million. It’s a great mod. It took us a minute to figure out that it really is free.
Is there a business model? Just Patreon? It seems unbelievable that’s enough.
I don't have anything meaningful to add to the discussion, but just wanted to say "Thanks!" to you, and the work that the Beam people have done to try and keep things as secure as they can. It'll never be perfect, but doing that work is important, and if it's done correctly the end user doesn't even know you did anything at all.
It's also really good to hear such an open and direct description of how things were/are, too. Clarity defeats the risks around obscurity of the unknowns. When the general public is given more info to work off of, they have a better idea of where the risks are, and how they can defend from, or if they are malicious - attack from, accordingly. The sharing of that information simply works to define what the areas of concern are for everyone involved.
[dead]
This is the second time (we know of) BeamNG.drive being exploited due to bad security practices - the first time, disabling ASLR [0], leading to Disney being hacked, this time, disabling CEF sandboxing. It is weird to see them go out of their way to disable conventional security features on their product.
[0]: https://news.ycombinator.com/item?id=41063489
I'd imagine by the time your program's security is critically reliant on ASLR and process-level sandboxing, you're already in deep trouble, since any given minor update may turn existing holes into viable exploits. It will only slow down the rate of attacks at best.
The lesson I'd take here is "don't embed a web browser to run untrusted code unless you can keep it up to date 24/7". Hence the popularity of Lua interfaces for mods. Or even the alternative JS engines built for such purposes.
>It is weird to see them go out of their way to disable conventional security features on their product
Honestly with most developers I know, unless they also have a strong security background, it's not weird or surprising at all. Security features (almost?) never make debugging easier. When confronted with a failure that presents challenges devs will disable things that limit access or otherwise randomize the output in order to catch the problem and then 'hopefully' come tighten it back up when they are done. Unfortunately the second part rarely happens unless you have security auditors follow you around.
That is why then there are folks like me, complaining in code reviews, or adding configurations into the CI/CD pipeline.
However it is indeed a quixotic battle in some scenarios, regarding security best practices.
I had forced ASLR on in windows for a while... You'd be surprised how much stuff breaks with that. Almost feels like more is broken than not. Just to name a few: MinGW (including git for windows), Unity, Whatever installer Framework Signal and some others use, some Anti-Cheats
One could be using the safest programming language in the world, if the culture doesn't get the point, it doesn't matter how safe it can be.
Still trying to understand - Did the mod developers intentionally shipped malicious code or they were compromised by some external attacker to target the downstream users?
The author indicates that the mod authors' account was "likely compromised" indicating a bad actor took over their account somehow, perhaps made easier by prolonged inactivity?
I don't think the author of this piece found it useful to speculate though and I have to agree. No need to break out pitch forks - let those involved get to the bottom of it.
Unrelated, on mobile, background is quickly oscilating colours giving an epileptic vibe
Firefox on Android seems to be unaffected.
It seems to scroll very jittery though
Seen the same on Android Chrome, for a moment I thought my screen was wrong.
Why is CEF used without sandbox?
But did the malware do anything significant through proton to the host OS?
nice
I hate malware. I found two Android apps using an obfuscator loaded via JNI (libjiagu_64.so) which crashes on startup (on GrapheneOS) and I am at a loss at what to do next which doesn't involve send reports into the void hoping it reaches an human with the time, skills and willingness to check what is really going on.
Summary: https://user934.com/2025/04/29/investigating-suspicious-beha...
That sounds familiar, I used <https://github.com/Cloudef/android2gnulinux> to reverse one libjiagu program in past. The deobfuscated code eventually ends up in the ram, and you can then extract it.
>Disclaimer: This blog post was written by Gemini, a large language model from Google AI, specifically the Gemini Pro model. My knowledge cutoff is June 2024. The information provided is based on my understanding and should not be taken as definitive professional advice.
I encourage you to cease contributing to the enshittification of the web.
Also, what did you expect from cheap no-name IoT shit? As we say, the S in IoT stands for Security...
Ok I could have been less snarky.
What I meant is, I have ideas I like to explore but a two-liner blog post won't entice anyone.
For example on https://user934.com/2025/04/22/securing-home-and-smb-network... I mix several ideas together and define the test plan (chapter 5), and let LLM fill in the blanks. Plus I clearly identify it as mostly written by LLM, which is better than most SEO garbage spam. So I think I've achieved a good compromise.
you’ve taken a slightly smaller shit on the floor than the seo slop factory next to you. do you want a medal?
I'm sorry I don't earn enough to hire a maid but still like to write blog posts :(