Addressing recent Asset Escrow exploit

What happened?

As some of you may have seen already, someone published modified server binaries to make it possible to dump the bytecode (not original source code!) of encrypted resources.

While the output from this method is nowhere close to the original source code, we take the issue very seriously. We have allocated all applicable team capacity towards mitigating the attack.

Further details on the matter will make its way into our monthly update post, which will be published once we roll out various fixes and improvements to resolve the situation. This is planned for Wednesday. We are currently testing the changes and identified a last-minute issue. Updates can be found below.

Servers using pirated content will be banned

A quick reminder for anyone looking to use illegally acquired assets: we are actively monitoring the use of unlicensed code on any server. Since we store the list of servers that are licensed to run a certain resource, we can trivially identify any abusive servers. Our compliance team is directing all focus towards this.

Using pirated or leaked assets will put you at risk of a server and platform ban. We’re continuously suspending servers and/or users for being involved in pirated resource sharing/use. If you find any servers using illegitimate assets, report them.

Next steps

While we understand our community concerns, we will do everything to protect your assets and ensure your content is not at risk. Obfuscating your code before uploading it to our services is discouraged as it would hamper any of our enforcement effort in case your resource gets used by an unauthorized party.

Over the next couple of days, we will be implementing various changes to mitigate this attack. Details on those changes will be published once the update has been released.

Make sure your assets are legally acquired

When you’re purchasing assets for your server, always make sure it’s from a legitimate Tebex store. We monitor and remove any violating stores. Any sales outside of Tebex have a risk of it being illegitimately acquired code. Of course, you can always find freely available resources here on the forums.

As per usual, be wary of any third-party sites offering free resources, especially if they look like a paid resource or the code is difficult to read. This is usually an indication of pirated content.

If you find any stolen content being sold on Tebex or used on a server, please report your findings at [email protected] or on our support platform.


Development Update

We continue to work with all available capacity towards mitigating this issue. The planned updates are underway, and are currently being tested. We’ve identified a last-minute issue with the updated code and will get the update out later this week to iron out all issues. We will keep you up to date of further updates in this topic.


Full details

A patch was released on Saturday. More details were shared in the July’s Community Update.