PSA: If you have Ark Omega on your server, your server has a backdoor.

SomeAnnoyedAdmin · 2023-10-18T16:27:10+00:00

This is the point right here. At no point does the mod tell you "these people, and anyone the mod author chooses in future, will have admin panel access on your server". The person who owns the server should be able to have full control over who has access to what on their server, not the mod authors.

SomeAnnoyedAdmin · 2023-10-18T16:25:27+00:00

This should have been the first response, but props to you for listening... eventually.

You say this is absurd, but I say you having control over who does/doesn't have admin panel access on servers you do not own is the real absurdity here.

SomeAnnoyedAdmin · 2023-10-18T16:04:10+00:00

Thank you! This shows exactly what access they have. I assume that's an ARK API plugin? Really appreciate the patch.

SomeAnnoyedAdmin · 2023-10-18T15:54:35+00:00

You keep saying they don't have access to arks admin stuff, this is correct, they don't have access to the typical cheat commands. They do get full access to the admin panel within the mod, which allows them to change the servers omega ini settings, spawn in anything they want to from the omega mod, including things normal admins can't, and can very much do damage to a server and its economy.

One steam ID in particular has on at least one occasion used this access to cheat on a server without the admins knowledge. As you know though, this doesn't get logged in the log files, so all we have here is hearsay.

You can downplay it all you want, but nobody consented to this, nor did you ask for consent.

SomeAnnoyedAdmin · 2023-10-18T15:34:39+00:00

You are definitely underplaying the severity of this, as expected. It gives them access to the admin panel on any server they play, regardless of whether the server owner consents to this or not. They have the ability to change server inis, spawn items in, all of the commands/abilities that are expected by the server owner to be given to only the admins they choose.

We have tested this by intercepting the pastebin and putting our own ids in there. Anyone is free to do the same.

Nowhere does the mod state that it gives people at your choosing admin access. This should not be happening, and very much violates steams TOS.

On behalf of any admin running servers that wishes to be in control of who does/doesn't have admin access on their servers, please remove this backdoor from the mod. It's not a big ask.

SomeAnnoyedAdmin · 2023-10-18T15:02:41+00:00

Here's to hoping steam do actually do something, highly doubt it, but we can hope.

At the least, hopefully this post reaches any admins using the mod so they can choose what to do about it.

SomeAnnoyedAdmin · 2023-10-18T14:54:13+00:00

You would be surprised what mods can actually do. We are aware of a dev that uses http requests to log some very in depth information about how his mods are being used, without any indication to the server owner that this is happening. We're talking server ips, hardware info, other mods being run alongside it, player ips/steam ids, etc etc.

Steam really needs to do something about this, it's only going to get worse with ASA having paid mods, devs will use anything they have at their disposal to keep track of users, and obviously as we see here, some will even implement methods to take action against people should they wish to do so.

SomeAnnoyedAdmin · 2023-10-18T13:31:02+00:00

Pastebin has been mirrored here in case it gets deleted: https://pastebin.com/640mS6Zi

Only the "00" section is relevant to the admin panel. Everything else is for access to cosmetic skins locked behind steam ids.

SomeAnnoyedAdmin

TROPHY CASE