2023-05-21: Yes, we're back. No, you can't log in yet
The new website is now running and the in-game Mod Manager should be working again. It doesn't require any client update to facilitate this.
We're still aiming to release a new client update soon to fix bugs and remove redundant features such as Glass Live.
There are a few add-ons (approximately 100 out of 1,476) that have missing files. The download button for them will be grayed out and inaccessible. We're still figuring out the best way to restore these.
There are also a load of things that are still unfinished/missing such as (but not limited to):
- Logging in.
- Uploading new add-ons.
- Add-on screenshots.
- Commenting on add-ons.
- The add-ons home page (where the overview of trending/recently uploaded add-ons was).
- Searching for add-ons on the website (the in-game Mod Manager searching is working though and so is browsing the Boards here and in-game).
- The RTB Archive.
Steam authentication is technically "done" but as we have not finished rewriting the Glass add-on review process, nor have we started setting up the BLID linking system, the login button has been hidden as there's no point logging in without those features.
As a heads-up on the process, any existing add-ons you had uploaded will automatically be restored to you once you link the BLID that you uploaded the add-ons with. You will be able to link multiple BLIDs.
So, while you wait for us to finish rewriting the site, we're opening it early to at least make Glass add-ons available here and in-game again. It should also stop the error spam.
2023-05-06: An update regarding the April data breach
Originally posted on Discord:
"Just wanted to provide a quick update. I’ve been working through the breach of the Glass server with Conan, Shock, and McTwist. It appears that both a SQL injection exploit and a path traversal exploit were used. The former allowed the attacker to manipulate add-on titles and descriptions as many saw, as well as grant themselves the role of admin to access the admin panel of the site. The latter allowed the attacker to get access to the Stripe API key and access a small amount of Glass Live chat logs. The claims of the attacker having access to “plain text credit card information” are false, as this information has never been handled by Glass as an intentional security measure.
The attacker was unable to escalate privileges on the server itself; they did not gain root access to the server.
We’ve worked together to figure out a path forward and put together a list of critical security fixes to get in before bringing the site back online. Generally the changes are straightforward, but extensive, so it may take a bit. Some critical changes being planned are:
- A thorough audit of our MySQL interface with a move to an injection-safe query builder
- Moving away from email-based authentication to reduce the amount of sensitive information we handle
- Adopting modern password hashing techniques
- Adopting OAuth login such as Steam Auth
- Better containerization of web content, protecting sensitive keys and files from being exposed from any potential future path traversal exploit
Additionally, we’ll be discontinuing Glass Live. It was developed at a time when Discord hadn’t quite taken off, but we think that it’s mostly redundant these days. This also allows us to move away from some weaker authentication methods that are necessitated by the lack of HTTPS support by TGE. This will likely also mean putting the in-game mod manager into a “read-only” mode, disallowing comments to be made in-game.
Lastly, I’ll be handing off ownership of Glass entirely. This project has gotten farther and grown larger than I had dreamed of when I started it 8+ years ago. I learned a lot from it and I don’t think I’d be where I am in my career today without it. I’m no longer able to contribute to the project due to the terms of my employment, which is a large part of why the project has fallen into decay over the past few years. Given the extent of changes needed for Glass to come back online, and the attention it requires, it’s no longer feasible for me to continue ownership.
I first recall meeting Shock when he started beta testing Glass Live when I began development on it in 2016. He gave valuable feedback early on and continued on to become a moderator, admin, and contributor to the project for years afterward. Shock will be primarily taking over ownership of the domain and server hosting, and I’ve also given McTwist and Conan ownership on GitHub and will be working with all three of them to hand over any remaining privileges and data.
Thanks for your patience and understanding."
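The three bug classes the quoted post names (SQL assembled from strings, path traversal reaching files outside the web root, and password storage without modern hashing) each have a standard defensive shape. The following is an added example written for this page; it is not Glass's own code and says nothing about Glass's actual stack. It uses an in-memory SQLite table as a stand-in for the MySQL add-on table, a hypothetical `/srv/glass/public` web root, and `hashlib.scrypt` as one modern salted hash choice.

```python
import hashlib
import hmac
import secrets
import sqlite3
from pathlib import Path
from typing import Optional

# Constructed sample rows, not Glass's real schema or data.
ADDONS = [
    (1, "Tank Pack", "Drivable tanks"),
    (2, "Jet Pack", "Fly around"),
]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the add-on table (assumption, not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE addons (id INTEGER, title TEXT, description TEXT)")
    conn.executemany("INSERT INTO addons VALUES (?, ?, ?)", ADDONS)
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str):
    # The search term is spliced into the SQL text, so any quote in user input
    # changes the statement itself. This is the bug class the post describes.
    return conn.execute(f"SELECT id FROM addons WHERE title LIKE '%{term}%'").fetchall()


def search_safe(conn: sqlite3.Connection, term: str):
    # Bound parameter: the driver passes the term as data, never as SQL syntax,
    # which is what an "injection-safe query builder" does for every query.
    return conn.execute("SELECT id FROM addons WHERE title LIKE ?", (f"%{term}%",)).fetchall()


def accepts_literal_apostrophe(search_fn, conn: sqlite3.Connection) -> bool:
    """True if the search treats an apostrophe in input as plain text rather than SQL."""
    try:
        search_fn(conn, "Tank's")
        return True
    except sqlite3.OperationalError:
        return False


# Hypothetical web root; sensitive keys must live outside it, not just be "hidden".
PUBLIC_ROOT = Path("/srv/glass/public")


def path_is_allowed(requested: str) -> bool:
    """Containment check for a user-supplied relative path.

    Normalises '..' and absolute paths, then requires the result to still lie
    under PUBLIC_ROOT. Combined with keeping secrets outside the root, this is
    the file-serving half of the "better containerization" item in the post.
    """
    root = PUBLIC_ROOT.resolve()
    candidate = (root / requested).resolve()
    return candidate == root or root in candidate.parents


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt hash in a self-describing 'scrypt$salt$digest' string."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = build_db()
    print("safe search handles apostrophe:", accepts_literal_apostrophe(search_safe, db))
    print("unsafe search handles apostrophe:", accepts_literal_apostrophe(search_unsafe, db))
    print("serve addons/Tank_Pack.zip:", path_is_allowed("addons/Tank_Pack.zip"))
    print("serve ../config/stripe_key.txt:", path_is_allowed("../config/stripe_key.txt"))
    record = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", record))
```

The apostrophe test is deliberately benign: a title such as `Tank's` is ordinary input, and the fact that the string-built query fails to parse on it is the same property that lets crafted input rewrite the statement. The path check resolves before comparing, so `..` segments and absolute paths are caught the same way; it does not protect a key that sits inside the root, which is why the post pairs it with moving keys and files out of web-served locations.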