Telemetry is not properly anonymized or encrypted

Belgarel Join Date: 2017-07-03 Member: 231570 Members, Subnautica Developer
edited August 2017 in Subnautica Bug Reporting
Subnautica sends telemetry to two different servers, one at kleientertainment and one at unknownworlds. The telemetry going to klei is encrypted but contains the user's true steam id as "user". The telemetry going to unknownworlds is sent unencrypted over plain HTTP and sounds like it was meant to be anonymized ("by crypto-hashing player Steam IDs") but it isn't being done properly. The 'session_id' and 'entity_id' can both be reversed to the user's true steam id.

The session_id is sha256(date + "7g4M9a" + (steam id 64) + "8Pv32b"). 64-bit Steam IDs aren't uniformly distributed and are all (that I know of) within about a billion of each other (you can check yours; it probably starts with 765), and a date with a resolution of seconds is similarly in a small range. It's not very difficult to turn a session_id back into a Steam ID.

The entity_id is much worse. It's sha256("7g4M9a" + (steam id 64) + "7g4M9a"). That's trivial to turn back into a Steam ID.

EDIT:

There is also an unencrypted Steam ID sent to uwese.herokuapp.com, although that doesn't seem to be for telemetry. The server looks like it supports HTTPS; it just isn't used.
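As an added illustration (not code from the bug report, the game, or Unknown Worlds), the Python below reproduces the two constructions the report describes and puts a keyed alternative beside them. The two fixed strings are the ones quoted above; the Steam ID, date and key are constructed sample values; the HMAC scheme, the `guess_space_bits` estimate and all function names are assumptions made for this example, not the fix the developers applied.

```python
import hashlib
import hmac
import math

# Fixed strings quoted in the bug report above.
PREFIX = "7g4M9a"
SUFFIX = "8Pv32b"

# Constructed sample input, not a real account. The report notes that
# 64-bit Steam IDs start with 765..., so the sample has that shape.
SAMPLE_STEAM_ID = 76561198000012345
SAMPLE_DATE = "2017-08-01 12:34:56"  # constructed; seconds resolution, as reported


def weak_entity_id(steam_id64: int) -> str:
    """sha256(PREFIX + id + PREFIX), the entity_id construction in the report.

    Both "salts" are constants shipped in the client, so the digest depends
    only on the Steam ID and anyone can recompute it for a candidate ID."""
    return hashlib.sha256(f"{PREFIX}{steam_id64}{PREFIX}".encode()).hexdigest()


def weak_session_id(steam_id64: int, date: str) -> str:
    """sha256(date + PREFIX + id + SUFFIX), the session_id construction.

    The date adds a little spread, but a seconds-resolution timestamp near
    the time the packet was captured is itself a small, guessable range."""
    return hashlib.sha256(f"{date}{PREFIX}{steam_id64}{SUFFIX}".encode()).hexdigest()


def keyed_entity_id(steam_id64: int, key: bytes) -> str:
    """Hardened alternative (an assumption for illustration): HMAC-SHA256
    under a secret key held only by the telemetry backend.

    The pseudonym is still stable per player, so events can be correlated,
    but without the key nobody can hash a guessed Steam ID and compare it
    against observed pseudonyms."""
    return hmac.new(key, str(steam_id64).encode(), hashlib.sha256).hexdigest()


def guess_space_bits(id_range: int, date_slots: int = 1, key_bits: int = 0) -> float:
    """log2 of the candidates an observer must try to match one hash:
    candidate Steam IDs times candidate timestamps, plus secret-key bits.

    Illustrative estimate only; it assumes the observer knows the scheme."""
    return math.log2(id_range * date_slots) + key_bits


if __name__ == "__main__":
    observed = weak_entity_id(SAMPLE_STEAM_ID)
    # Anyone holding the client constants can confirm a candidate ID directly.
    print("entity_id recomputable from ID:", weak_entity_id(SAMPLE_STEAM_ID) == observed)
    print("session_id:", weak_session_id(SAMPLE_STEAM_ID, SAMPLE_DATE))
    # Roughly a billion plausible IDs (2**30) is a small search space; one day
    # of seconds (86400 slots) adds about 17 bits; a 256-bit key adds 256.
    print("entity_id search space, bits:", guess_space_bits(2**30))
    print("session_id search space, bits:", guess_space_bits(2**30, 86400))
    print("keyed pseudonym search space, bits:", guess_space_bits(2**30, 1, 256))
    print("keyed pseudonym:", keyed_entity_id(SAMPLE_STEAM_ID, b"constructed-demo-key"))
```

The keyed variant only helps if the key never ships in the client; the usual arrangement is to send the raw ID to the backend over TLS and pseudonymize it there, or to generate a random per-install identifier locally and never send the Steam ID at all. A fixed string hashed together with a low-entropy input is not anonymization, regardless of how strong the hash function is.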

Comments

  • Belgarel Join Date: 2017-07-03 Member: 231570 Members, Subnautica Developer
    I found something significantly worse that I don't want to post publicly. Who is the best person to PM, Obraxis?
  • 0x6A7232 US Join Date: 2016-10-06 Member: 222906 Members
    edited August 2017
    @Belgarel take a look through their list of staff and see: https://unknownworlds.com/about/

    My guess is Hugh or Flayra. EDIT: Also, I would personally have taken a matter such as this directly to PMs. Pick a dev, any dev, and PM them about who you should contact regarding such a find, then go from there. This ▲ will most likely not bode well for future conversations on this forum. As soon as someone gets mad about anything, even a year from now, they'll reach back here, grab this, and lob it like a flaming bag of poo. Unfortunate, but it's most likely going to happen IMHO (I do hope I'm severely mistaken here, but you already get people saying the devs are lazy, only care about taking our money and running, etc, when people get mad {because they're immature little whiners, but that's beside the point}).

    I'd save publicly posting something like this for if you already tried a couple of devs and got zero response or a negative response.

    Of course, that's just my two cents; I'll leave it at that.

    EDIT2: Obraxis is pretty active, so you might have better luck getting him to tell you who to bug (or he'll probably send this to the right person?)
  • Belgarel Join Date: 2017-07-03 Member: 231570 Members, Subnautica Developer
    0x6A7232 wrote: »
    I'd save publicly posting something like this for if you already tried a couple of devs and got zero response or a negative response.

    Eh, this is a pretty normal information leak from telemetry and I don't see why it can't get triaged in the usual way. The thing I'm saving for PMs needs handled privately, though. I'll bug Obraxis.
  • 0x6A7232 US Join Date: 2016-10-06 Member: 222906 Members
    Belgarel wrote: »
    0x6A7232 wrote: »
    I'd save publicly posting something like this for if you already tried a couple of devs and got zero response or a negative response.

    Eh, this is a pretty normal information leak from telemetry and I don't see why it can't get triaged in the usual way. The thing I'm saving for PMs needs handled privately, though. I'll bug Obraxis.

    You know that. I know that. The devs of course know that. Mr. steam-for-brains gamer that's mad that Subnautica doesn't have multiplayer and that his save just got corrupted will somehow not be able to comprehend it, though. Then they'll go bellyaching all over the forums until they get banned for being a troll, but they'll pretend like they were banned for letting everyone know about "the spyware in Subnautica"....
    Eh

    Maybe I'm getting too cynical. :|
  • AceDude Join Date: 2007-08-26 Member: 61994 Members, Super Administrators, Forum Admins, NS2 Developer, Reinforced - Supporter, Reinforced - Shadow, Subnautica Developer, Pistachionauts
    Feel free to PM me.

    I'll fix the non-SSL requests today.
  • elfcrisis Join Date: 2017-05-13 Member: 230466 Members
    They're pretty active on their Discord. Could always jump on there and be like, "Hey I've got a thing I think might be important. Who can I talk to?" or something.
  • AceDude Join Date: 2007-08-26 Member: 61994 Members, Super Administrators, Forum Admins, NS2 Developer, Reinforced - Supporter, Reinforced - Shadow, Subnautica Developer, Pistachionauts
    I just updated all URLs to use SSL connections.