All of the Fortnite models on workshop by CandyApple are backdoored.
The backdoor is a backdoor which invites you and all your players to CandyApple's Discord server for his Gmod community https://asapgaming.com
The backdoor code.
What the code does is that it creates an invisible GUI element, and then it loads up the Discord invite via an HTML panel, which makes the Discord invite pop up (even if performed in-game).
if SERVER then
    hook.Add("PlayerInitialSpawn", "discord_meme", function(pPlayer)
        timer.Simple(1, function()
            pPlayer:SendLua('createDiscord()')
        end)
    end)
end
if CLIENT then
    function createDiscord()
        timer.Simple(5, function()
            local frame = vgui.Create('DFrame')
            frame:SetSize(1, 1)
            frame.Paint = function() end
            local html = vgui.Create( "DHTML" , frame)
            html:SetSize(ScrW(), ScrH())
            html:SetPos(1, 10)
            html:Dock( FILL )
            html:OpenURL( "https://discord.gg/GNEbZmC" )
            timer.Simple(10, function()
                html:Remove()
                frame:Remove()
            end)
        end)
    end
end
https://files.facepunch.com/forum/upload/317874/a27c3a47-9aa1-4645-9326-4d66bf5d12bb/image.png
CandyApple's profile
https://steamcommunity.com/profiles/76561198168652477
Proof in case he removes the backdoors
https://streamable.com/f23y8
https://files.facepunch.com/forum/upload/317874/b0d239a4-1d2c-498c-a6df-06794c8fd7dc/image.png
Every single one of his Fortnite addons:
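For server owners who want to check extracted addon Lua before mounting it, here is an added example (not part of the original post and not code from any of the addons) that flags the pattern in the snippet above: an HTML panel that opens an external URL from a 1x1 or unpainted frame, plus server code that pushes Lua to clients. The rule names, sample strings and `example.invalid` URLs are constructed, and the rules go slightly beyond the quoted code by also matching `BroadcastLua` and `gui.OpenURL`.

```python
import re

# Strings are kept and comments dropped, so URLs containing "//" survive.
TOKEN = re.compile(
    r'("(?:\\.|[^"\\])*"' r"|'(?:\\.|[^'\\])*')"
    r"|--\[\[.*?\]\]|/\*.*?\*/|(?:--|//)[^\n]*", re.S)

# Assumed rule set, taken from the calls visible in the quoted snippet.
RULES = {
    "server_pushes_lua": re.compile(r":\s*SendLua\s*\(|\bBroadcastLua\s*\("),
    "html_panel": re.compile(r"vgui\.Create\s*\(\s*['\"]D?HTML['\"]"),
    "opens_url": re.compile(r"[:.]OpenURL\s*\(\s*['\"](https?://[^'\"]+)['\"]"),
    "tiny_frame": re.compile(r":SetSize\s*\(\s*[01]\s*,\s*[01]\s*\)"),
    "blank_paint": re.compile(r"\.Paint\s*=\s*function\s*\(\s*\)\s*end"),
}

def strip_comments(src):
    """Remove Lua/GLua comments so commented-out code is not flagged."""
    return TOKEN.sub(lambda m: m.group(1) or "", src)

def scan(src):
    """Return a list of (finding, urls) tuples for one Lua source string."""
    code = strip_comments(src)
    hits = {name for name, rx in RULES.items() if rx.search(code)}
    findings = []
    # A browser panel is only suspicious when its parent frame is hidden.
    if {"html_panel", "opens_url"} <= hits and hits & {"tiny_frame", "blank_paint"}:
        findings.append(("hidden_browser_panel", RULES["opens_url"].findall(code)))
    if "server_pushes_lua" in hits:
        findings.append(("server_pushes_lua", []))
    return findings

# Constructed samples: one mirrors the structure quoted above, one is a visible panel.
SUSPICIOUS = '''
if SERVER then
  hook.Add("PlayerInitialSpawn", "x", function(ply) ply:SendLua('showPanel()') end)
end
if CLIENT then
  function showPanel()
    local frame = vgui.Create('DFrame')
    frame:SetSize(1, 1)
    frame.Paint = function() end
    local html = vgui.Create("DHTML", frame)
    html:OpenURL("https://example.invalid/invite") -- constructed URL
  end
end
'''
BENIGN = 'local h = vgui.Create("DHTML")\nh:SetSize(800, 600)\nh:OpenURL("https://example.invalid/motd")'

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan(src))
```

A hit is a reason to read the file, not a verdict: legitimate addons also use `SendLua` and HTML panels, which is why the panel rule requires the hidden-frame signal as well.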
Okay great. And once again, reporting stuff here on the forum is not the right place.
Plus, it's Fortnite crap so..who cares
Oh god. All of these probably account for a good chunk of subscribers up till this point as well so one can only imagine the damage, and the amount of people that got struck by this.
Thankfully it's "only" a Discord invitation, although I somewhat fail to understand why these kind of Discord invitations matter to people so much as to make a backdoor designated to them.
Why is it that people really care about popularizing their Discord servers so much? If this is all really just to popularize one community then wouldn't there be other more effective options of doing so (here I go suggesting that there is a greater malicious cake to be had somewhere, I know) rather than just harmlessly(?) incorporating Discord into this?
I'm sorry but I couldn't find what email I had to write to.
Probably Discord partnership or something?
People will do anything for a discord partnership
It is still possible to picture someone who'd claim their data isn't theirs and purposely try to avoid everything while under that sequel
A cool chunk of people with communities are now happy to sacrifice everything for a hoodie and free nitro
It might be not that malicious but it's still for someone to place that code in their published workshop addons while knowing that's not allowed
It also may not be that problematic but for the people who can't really solve it themselves will be having to pay someone for them to do it on their behalf.
Thank you sleeppyy and iLegend for illuminating me on Discord partnerships.
Knowing that such a partnership exists and that Discord at all encourages partners to cram Discord invitations on the common user is disgusting me personally to the point where I question myself to leave Discord installed on my own computer.
Wow, isn't this basically what the person in this thread was/is doing?
Except clear difference is that they're also grabbing basic player info, crashed you, and attempted to obfuscate the shit out of it and just reuploaded other people's stuff.
It even did the same invisible GUI thing.
To play devil's advocate for Discord, I'm sure that what they want community owners to do, and what they encourage them to do in their written materials, is to grow their communities with more people who're interested in being there (which encourages more people to use Discord more and makes it more likely that they'll want to use emotes from one server on another and buy Nitro).
The fact that idiots are doing popunder advertising in backdoored copyright-violating model rips for a video game is a symptom of people looking to cheat the system and juice their numbers the cheap and fast way, and I'm sure Discord doesn't appreciate their service being reduced to a promotion vehicle that gets shilled at potential users without their consent. You could probably report the Discord server to Discord if there's evidence that the person uploading the backdoored models is the server owner or affiliated with the owner.
I did report this to Discord already, not sure if it's bannable but just submitted a support ticket in case. And the uploader is the server owner
Contacted Robotboy about it last night.
Not sure if it was him that has removed all of the playermodels or Candy.
Either way, I'm not really sure if this even constitutes for a backdoor? It's not hugely malicious, just annoying more than anything.
He still doesn't inform people of it, still scummy as hell.
It is not a backdoor, the addons completely cover the screen of every player who joins a server (or goes singleplayer), even if it is for a limited time, which I would consider malicious because it prevents people from playing the game.
This is being picky, but the code itself does not completely cover the screen, let alone half of it unless you consider a player with a 1x1 monitor :/.
He was not talking about the fact if it actually covers the whole screen or not, but if it is actually a backdoor or not. You would consider something a backdoor if it actually redirects you to other servers, steals information etc. But just giving you some advertisement on the screen is not a backdoor. It's just..shitty
What is actually occurring due to subscribing to the addons is bad, I will 100% agree on that. It's the reasoning that is flawed because he is saying it is malicious BECAUSE the addon "completely cover the screen of every player who joins a server". There was no actual mention of the advertising occurring and you can't say he did talk about it because now you are making an implication based off of what you perceived. The only reason I bring this up is because it's coming from Rubat.
*On a side note that code will still work in a 0x0 frame which if that were the case would make his reason even more illogical.
This is not normal for an addon to do shit like autojoin discord guilds.
This is also part of a bigger issue where server owners tell people to "Subscribe to the collection" instead of properly setting up their server to download shit automatically.
Ending up with shit like this inside of people's single player games and tons of addons that they did not want.
Not sure if there will ever be a fix to make players more aware of what they're doing when subbing to a collection because a server told them to do it to fix the errors
So - they got their Workshop content packs back up again, now owned by atlas - Steam Community
The same Discord script is found in this content pack:
https://steamcommunity.com/sharedfiles/filedetails/?id=1672156383
Correct me if I'm wrong, but a backdoor is anything that shouldn't be on a script. If you're getting an addon it's to get whatever the addon is claiming, and adding additional code to that should be considered a backdoor; regardless of the intentions this is malicious.
Reporting it anywhere isn't the right place, gmod devs can't prevent people from uploading shit to the workshop.
Wrong, there is a place to report workshop addons, because not even valve likes addons that are backdoors or do other scummy crap. I just don't know that place..
Imo Volvo only cares about copyright shit. They don't care what the addon (?) actually does.
I just don't know that place
https://files.facepunch.com/forum/upload/2134/80beb643-0e84-4e99-94ce-1cd6bd76c250/Steam_2019-03-04_15-11-01.png
well then....
It's a PSA to let others know what they are adding to their servers and was already reported properly before posting... how have you not wrapped your brain around that yet?
They removed the backdoor from that specific addon (I went ahead and checked), but when I joined their server it invited me straight to their discord, however I donno if that's something they have in the server or if it's been placed in one of their 1000 addons I had to download. I went ahead and joined their Discord and proceeded to get banned when I posted goaste.
This would explain why his discord jumped from a little over 1k members to about 3-4k in only a few days
Yep. Even tho most of the users aren't there by their own will
Yea i was Super Admin for Candy but he banned me from his discord
wow dude i was hos and got demoted for making someone feel insecure smh
so much in common!!!!
That's a pretty stark exaggeration.
His Discord reached 5k members legitimately. 5-6.1k was largely the adware memes.