Hello everyone! Due to some unforeseen developments, we’re late with April’s post and will move all updates to May’s update post instead. As such, we don’t have a lot to share today, though we do want to highlight the topics below. See you again next month!
Overwolf’s acquisition of Tebex
Tebex is now part of the Overwolf family. What does that mean for FiveM? Well, nothing changes for you: Tebex continues to operate as they do, and will now receive funding from Overwolf to expand their network and further improve their platform. Their product won’t change, nor will they be rebranded. Check out their announcement for full details!
Unauthorized ‘anti-cheat resources’
An update released last month for FiveM fixed an exploit in the client, which allowed servers to read specific memory on players’ systems. This one took a while to discover, as it was tied to what we call an “abusive anti-cheat”.
First off, FiveM has built-in client-side anti-cheating measures which are continuously being updated, in part based on your reports of runnable cheats. However, we are aware some server-side assets may be lacking validation of user input, and additional “anti-cheat” assets may very well be a valuable addition if you’re not able to rewrite the entire server code.
However, over time, we’ve seen an increase in the amount of unauthorized anti-cheat resources being sold, both directly against the Cfx.re ToS (on unauthorized stores), but also containing various user-hostile and project-hostile behaviors, some of which we have already documented before as being undesirable, others popping up over time.
In this case, however, a group developing such an anti-cheat asset had found a code execution vulnerability in the FiveM client, and instead of reporting it as one usually would, they decided to use it to add a detection vector to their (unauthorized, weirdly obfuscated, and otherwise bad-faith) anti-cheat resource for a few common cheat injections.
It is unknown why these people did such, as if they actually cared about improving the community or deterring cheaters, they’d have both reported the vulnerability and proposed these detection vectors so that cheaters would not only be banned from servers buying their resource, but would be banned from anywhere, without putting all players at risk from anyone else finding this vulnerability, placing it in for example a backdoored server resource (see the previous section) .
To help counter the growth of these ever-worsening abusive assets purporting to be “anti-cheat” systems, we will provide guidelines and a ‘focus group’ for third-party anti-cheat developers to adhere to, collaborate both with us and colleagues in their sector, and help users find safe, non-abusive choices for hardening their server’s security.
More on this in May’s update.