Concerning about security vulnerability of bannerlord modding

Users who are viewing this thread

Hello,

For those who don't know, there was a malware that have been spread with a mod on cities skylines 2. The malware was a dll added to the mod executed when launching the game.

The problem is that bannerlord also allow dll loading for modding which is known to be a huge security vulnerability as it can allow someone to access to all your memory, expecially for people running on an admin session.

Why bannerlord doesn't use and only allow on secured scripted language like lua ? Or even better a propriatory language ?
 
The problem is that bannerlord also allow dll loading for modding
This is also the only way to get any mod that does more than XML edits to do anything.

which is known to be a huge security vulnerability as it can allow someone to access to all your memory, expecially for people running on an admin session.
Depends on how well sandboxed it is - which, to be fair, I don't think it is.

Why bannerlord doesn't use and only allow on secured scripted language like lua ? Or even better a propriatory language ?
Because both of those are inherently less powerful. We had that with Warband, and people got really creative with it, but it has its limits.

Doesn't OS scan DLLs too ?
Windows Defender or other Anti Virus software might, but that is no guarantee.

If true, this needs to be addressed ASAP.

Mods are what keeps this game alive and breathing.
What exactly are you expecting here? If they go "ok, no more DLLs" modding is basically dead. Getting a major refactor to use Lua/something proprietary as the OP suggests is not happening at this point in the games lifecycle.

---


There is a reason the launcher has that red icon next to all community mods saying TaleWorlds cannot verify the code included in the module and that they are not responsible for consequences of using it. It has been there all along guys.

tldr; Bannerlord modding is pretty powerful, but that also does allow malicious things to be done with it. Install mods only from trusted sources and, preferably, trusted authors. Generally, mods being open source is a good sign (but not guarantee), too.
 
Crusader kings 3 uses a proprietary script language, and you can make pretty nice thing. Looks at got and lotro on it.
Yeah, but even that has its limits. Those are fairly far out, because the game was made with that custom script language in mind, but they do exist - I distantly remember seeing some list from the CK3 modders with things that were blocking them.

Bannerlord is too far down the line for TaleWorlds to introduce such a language now. You could try asking for more sandboxing, but even that will take a good bit of effort on their end and it WILL break (some) mods.
 
Nexus scans all files for common attack vectors; I would presume ModDB and others do, also, to not be liable for hosting malware.

On the technical side... yeah, it's a huge security hole, but all networks of human activity are built on trust.

You can trust me! I don't want to hack you. Try my mods :smile:
 
Yeah I agree with Namakan here. Putting more restrictions and hurdles on mods is going to kill the modding community at this point and it'll probably lead to almost every big mod project currently in the works to being cancelled (there are quite a few).

Leaving the door open for malicious actors isn't a great compromise but this is more a matter of the internet simply not being a safe space to begin with, this kind of thing is always going to happen. I can't even remember how many viruses my first computer had because I installed a few minecraft mods on it.
 
Yeah I agree with Namakan here. Putting more restrictions and hurdles on mods is going to kill the modding community at this point and it'll probably lead to almost every big mod project currently in the works to being cancelled (there are quite a few).

Leaving the door open for malicious actors isn't a great compromise but this is more a matter of the internet simply not being a safe space to begin with, this kind of thing is always going to happen. I can't even remember how many viruses my first computer had because I installed a few minecraft mods on it.
this is 101% correct. The internet is not a safe space and you never know where you can get hit from, but its absurd to ask for a complete re-do of how modding works. Even WoW private servers are susceptible to harmful code. It's should be a person's choice if he is willing to risk it or no.

At minimum the players must trust the mod creators and the other thing is that its the same that should provide workaround if Taleworlds are not capable or competent enough. You can't expect from people to know all about everything.
 
For those who don't know, there was a malware that have been spread with a mod on cities skylines 2. The malware was a dll added to the mod executed when launching the game.

The problem is that bannerlord also allow dll loading for modding which is known to be a huge security vulnerability as it can allow someone to access to all your memory, expecially for people running on an admin session.

Why bannerlord doesn't use and only allow on secured scripted language like lua ? Or even better a propriatory language ?
You're downloading things from the internet, and "unofficial" files too, it's an assumed risk. Whether it's due to dll or any other scripted language or whatever. Mod/download at own risk is only disclaimer that is really needed.
 
You're downloading things from the internet, and "unofficial" files too, it's an assumed risk. Whether it's due to dll or any other scripted language or whatever. Mod/download at own risk is only disclaimer that is really needed.

No, dll are dangerous. Open source specific scripts are not at all.

dll are compiled binary files usually from C# or C++, so you can do whatever you want with a dll, especially on pc running on admin session like 99% of ppl.

A good exemple, you can download whatever mod on steamworkshop for games like total war or paradox GS games, you have 0 risk, because even if a dll is placed in the mod folder the game wont execute it.

Like i said you can have a good modding script language if the dev takes time to build it. Allowing full DLL injection is the laziest way to implement modding support in a game.
 
Last edited:
No, dll are dangerous. Open source specific scripts are not at all.

dll are compiled binary files usually from C# or C++, so you can do whatever you want with a dll, especially on pc running on admin session like 99% of ppl.

A good exemple, you can download whatever mod on steamworkshop for games like total war or paradox GS games, you have 0 risk, because even if a dll is placed in the mod folder the game wont execute it.

Like i said you can have a good modding script language if the dev takes time to build it. Allowing full DLL injection is the laziest way to implement modding support in a game.
It doesn't matter how foolproof a system is, you should never download something from the internet, even from a trusted platform, and assume nothing could possibly go wrong (even if technically nothing could). Human error will put holes in any foolproof plan.

Restricting mod freedom at this stage is punishing the majority due to the mistakes of a select few bad apples, and in this case nothing has even happened yet. It's excessive, it's far more reasonable to just inform people of the risk and communicate with each other when something does happen, as many modding communities already do.

Besides I think Taleworlds would be more open to just shutting down modding capabilities over sandboxing the game and creating more modding tools, if they decide that a response is warranted.
 
No, dll are dangerous. Open source specific scripts are not at all.

dll are compiled binary files usually from C# or C++, so you can do whatever you want with a dll, especially on pc running on admin session like 99% of ppl.

A good exemple, you can download whatever mod on steamworkshop for games like total war or paradox GS games, you have 0 risk, because even if a dll is placed in the mod folder the game wont execute it.

Like i said you can have a good modding script language if the dev takes time to build it. Allowing full DLL injection is the laziest way to implement modding support in a game.
so you want from Taleworlds to sit up and create their own new language, because of what, you don't trusting dlls enough. Its something that is officially supported and used by Microsoft. Should I not use windows?

I hope what drivegol said would never happen, but I agree It seems easier to just shut down official mod support if this thing is that dangerous. And screw that, I'd rather risk it.

And if you are such a security expert, kindly figure out a solution to the issue, without completely changing how modding works for bannerlord, mkey?

 
Last edited:
Like i said you can have a good modding script language if the dev takes time to build it. Allowing full DLL injection is the laziest way to implement modding support in a game.
I can agree that they are lazy and implement for ****; they can't even get the official game managed. But you're downloading something from the internet, there's no "idiot-proof" method, even with scripts; as they say, there will always be a better idiot. One just has to be smart before they hit the download button from some stranger on the internet or assume the possible risks.

Do I sometimes make credit card payments over the phone even if I never met the other person? Yes. Can someone's grandma get scammed thousands through same method? All the time. But, I don't want the convenience stripped just because of someone's grandma, I know the risks, I just have to accept/be smart with them.
 
so you want from Taleworlds to sit up and create their own new language, because of what, you don't trusting dlls enough. Its something that is officially supported and used by Microsoft. Should I not use windows?

Pointless remark.

Yes I trust Microsoft, but not random ppl from internet.

They are 130+ at TaleWorlds, barelly releasing a game every 10 years. And can't even develop a proper API ? What a shame.
 
No, dll are dangerous. Open source specific scripts are not at all.
These are not mutually exclusive. On top, you're wrong.

dll are compiled binary files usually from C# or C++
yes

so you can do whatever you want with a dll, especially on pc running on admin session like 99% of ppl.
no??? if you're doing most of your day-to-day stuff on an admin account, YOU are doing it wrong.
still, there are a lot of things that you can do that a proprietary scripting language *could* restrict - as to why that is not happening for bannerlord, see my previous posts.

A good exemple, you can download whatever mod on steamworkshop for games like total war or paradox GS games, you have 0 risk, because even if a dll is placed in the mod folder the game wont execute it.
wrong.

Like i said you can have a good modding script language if the dev takes time to build it.
Sure, but Bannerlord has been out for nearly 5 years and been worked on for over 10 - this is not happening anymore.

Allowing full DLL injection is the laziest way to implement modding support in a game.
I don't think I agree. From a surface view, probably, but considering that there are supporting systems below that you (as someone that does not create any mods, I take it) most likely do not know about, I disagree. That said - even if you see it as lazy, it is also the most powerful way to do it.


Overall, I still don't know why you're raising a fuss here now. All of this *should* be clear to running a modded version of the game that can clearly see the warning I attached below...
TLDaVJ3.png
 
Back
Top Bottom