Deploying to gh-pages from @ 8c30865 🚀

.well-known/org.flathub.VerifiedApps.txt

@@ -0,0 +1,2 @@
+# net.runelite.RuneLite
+09592d25-08cd-408b-b156-742f56eb2543

_config.yml

@@ -0,0 +1 @@
+include: ['.well-known']

blog/show/2023-01-22-security-incident-jan21/index.html

@@ -0,0 +1,9 @@
+<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name="theme-color" content="#000000"><meta name="google-site-verification" content="_wxrTRAcgx3bHof630x75_YKSXklUH55NkOAA_5GfmU"><link rel="manifest" href="/manifest.json"><link rel="shortcut icon" href="/favicon.ico"><title>Security Incident Jan 21 2023 - RuneLite</title><meta name="description" content="Security Incident Jan 21 2023"><meta name="author" content="Adam"><meta property="og:site_name" content="RuneLite"><meta property="og:url" content="https://runelite.net/blog/show/2023-01-22-security-incident-jan21"><meta property="og:title" content="Security Incident Jan 21 2023 - RuneLite"><meta property="og:description" content="Security Incident Jan 21 2023"><meta property="og:image" content="https://runelite.net/img/runelite_logo_transparent_small.webp"><meta property="og:type" content="article"><meta property="twitter:card" content="summary_large_image"><script type="text/javascript">!function(i){if(i.search){var a={};i.search.slice(1).split("&").forEach((function(i){var l=i.split("=");a[l[0]]=l.slice(1).join("=").replace(/~and~/g,"&")})),void 0!==a.p&&window.history.replaceState(null,null,i.pathname.slice(0,-1)+(a.p||"")+(a.q?"?"+a.q:"")+i.hash)}}(window.location)</script><link href="/static/css/7.7b033bdf.chunk.css" rel="stylesheet"><link href="/static/css/main.dd2bec91.chunk.css" rel="stylesheet"><link rel="stylesheet" type="text/css" href="/static/css/5.80a8d347.chunk.css"><script charset="utf-8" src="/static/js/5.ca584576.chunk.js"></script><script charset="utf-8" src="/static/js/159.90e89192.chunk.js"></script></head><body><div id="root"><div style="height: 100%;"><div class="fixed-top animated loader" style="display: none;"></div><nav class="navbar navbar-expand-lg fixed-top navbar-dark"><a class="navbar-brand" activeclassname="active" href="/"><img src="/img/runelite_logo_transparent_small.webp" class="icon" alt="RuneLite"> </a><input type="checkbox" id="navbar-check-box"><label for="navbar-check-box" class="navbar-toggler"><span class="navbar-toggler-icon"></span></label><div class="collapse navbar-collapse" id="navbar"><ul class="navbar-nav"><li class="nav-item"><a class="nav-link" activeclassname="active" href="/features">Features</a></li><li class="nav-item"><a class="nav-link" activeclassname="active" href="/blog">Blog</a></li><li class="nav-item"><a class="nav-link" activeclassname="active" href="/pulse">Pulse</a></li><li class="nav-item"><a class="nav-link" href="https://github.com/runelite/runelite/wiki">Wiki</a></li><li class="nav-item"><a class="nav-link" activeclassname="active" href="/tag">Tags</a></li><li class="nav-item"><a class="nav-link" activeclassname="active" href="/tile">Tile markers</a></li><li class="nav-item"><a class="nav-link" activeclassname="active" href="/plugin-hub">Plugin Hub</a></li></ul><ul class="navbar-nav ml-auto"><li class="nav-item"><a class="nav-link" href="https://www.patreon.com/runelite">Become a patron</a></li><li class="nav-item"><a class="nav-link nav-icon" href="https://runelite.net/discord" title="Discord"><i class="fab fa-discord"></i><span class="d-lg-none"> Discord</span></a></li><li class="nav-item"><a class="nav-link nav-icon" href="https://twitter.com/RuneLiteClient" title="Twitter"><i class="fab fa-twitter"></i><span class="d-lg-none"> Twitter</span></a></li><li class="nav-item"><a class="nav-link nav-icon" href="https://github.com/runelite" title="GitHub"><i class="fab fa-github"></i><span class="d-lg-none"> GitHub</span></a></li><li class="nav-item"><form class="form-inline"><button class="btn btn-primary" type="button">Login</button></form></li></ul></div></nav><div class="container" id="layout"><section id="blog"><div class="content-section"><div class="page-header"><h1>Security Incident Jan 21 2023</h1><p class="text-muted"><span title="Sun Jan 22 2023 10:00:00 GMT+0000 (Coordinated Universal Time)">last year</span> by Adam</p></div><div class="markdown-body news-page"><div><p>On January 10 a plugin named <code>ChatClip</code> was erroneously published to the plugin hub which, under non-default configuration, would permit an attacker to remotely execute code on a victims computer by sending an in-game message.</p>
+<p>This was caused by human error on our part, where we approved the plugin despite the code being exploitable.</p>
+<p>To be affected by this issue, you would have had to 1) installed the chat clip plugin, and 2) enabled the <code>Add to history</code> option within the plugin.</p>
+<p>Over the 11 day period the plugin was active on the plugin hub, the plugin was installed 118 times by 78 unique IPs. We have no way to determine how many of those users enabled the <code>Add to history</code> option allowing the exploitable behavior.</p>
+<p>We raised the issue to Jagex, and provided to them the IPs of the players who we think could be affected. A staff member briefly took a look at the possibly affected accounts on Saturday, did not find anything requiring immediate attention, and has promised to look into it this week. I hope that they will be able to take corrective action if any compromised accounts are found.</p>
+<p>We have also checked all existing plugin hub plugins and found no other plugins with similarly exploitable code.</p>
+<p>To prevent this from happening again in the future, we will be automatically flagging plugins which use potentially dangerous APIs that can allow command injection, to require them to be more closely scrutinized.</p>
+<p>- Adam</p>
+</div></div></div></section><section id="footer"><div class="content-section"><footer><hr>Developed with <i class="fas fa-heart"></i> and <i class="fas fa-coffee"></i> using <a href="https://getbootstrap.com/">Bootstrap</a>, <a href="https://reactjs.org/">React</a> and <a href="https://fontawesome.com/">Font Awesome</a><a href="/atom.xml" class="float-right"><i class="fas fa-rss"></i> Subscribe via RSS</a></footer></div></section></div></div></div><script>!function(e){function f(f){for(var d,a,n=f[0],o=f[1],b=f[2],u=0,l=[];u<n.length;u++)a=n[u],Object.prototype.hasOwnProperty.call(t,a)&&t[a]&&l.push(t[a][0]),t[a]=0;for(d in o)Object.prototype.hasOwnProperty.call(o,d)&&(e[d]=o[d]);for(i&&i(f);l.length;)l.shift()();return r.push.apply(r,b||[]),c()}function c(){for(var e,f=0;f<r.length;f++){for(var c=r[f],d=!0,a=1;a<c.length;a++){var o=c[a];0!==t[o]&&(d=!1)}d&&(r.splice(f--,1),e=n(n.s=c[0]))}return e}var d={},a={3:0},t={3:0},r=[];function n(f){if(d[f])return d[f].exports;var c=d[f]={i:f,l:!1,exports:{}};return e[f].call(c.exports,c,c.exports,n),c.l=!0,c.exports}n.e=function(e){var f=[];a[e]?f.push(a[e]):0!==a[e]&&{1:1,4:1,5:1,6:1,8:1,9:1,10:1,11:1,12:1,13:1,14:1,15:1,16:1}[e]&&f.push(a[e]=new Promise((function(f,c){for(var d="static/css/"+({}[e]||e)+"."+{0:"31d6cfe0",1:"a84d955d",4:"0e1cf7b6",5:"80a8d347",6:"80a8d347",8:"ce29400d",9:"4531eef3",10:"564de6f4",11:"331a4702",12:"e4e96a00",13:"e4e96a00",14:"c81f7f39",15:"05f3feda",16:"05f3feda",17:"31d6cfe0",18:"31d6cfe0",19:"31d6cfe0",20:"31d6cfe0",21:"31d6cfe0",22:"31d6cfe0",23:"31d6cfe0",24:"31d6cfe0",25:"31d6cfe0",26:"31d6cfe0",27:"31d6cfe0",28:"31d6cfe0",29:"31d6cfe0",30:"31d6cfe0",31:"31d6cfe0",32:"31d6cfe0",33:"31d6cfe0",34:"31d6cfe0",35:"31d6cfe0",36:"31d6cfe0",37:"31d6cfe0",38:"31d6cfe0",39:"31d6cfe0",40:"31d6cfe0",41:"31d6cfe0",42:"31d6cfe0",43:"31d6cfe0",44:"31d6cfe0",45:"31d6cfe0",46:"31d6cfe0",47:"31d6cfe0",48:"31d6cfe0",49:"31d6cfe0",50:"31d6cfe0",51:"31d6cfe0",52:"31d6cfe0",53:"31d6cfe0",54:"31d6cfe0",55:"31d6cfe0",56:"31d6cfe0",57:"31d6cfe0",58:"31d6cfe0",59:"31d6cfe0",60:"31d6cfe0",61:"31d6cfe0",62:"31d6cfe0",63:"31d6cfe0",64:"31d6cfe0",65:"31d6cfe0",66:"31d6cfe0",67:"31d6cfe0",68:"31d6cfe0",69:"31d6cfe0",70:"31d6cfe0",71:"31d6cfe0",72:"31d6cfe0",73:"31d6cfe0",74:"31d6cfe0",75:"31d6cfe0",76:"31d6cfe0",77:"31d6cfe0",78:"31d6cfe0",79:"31d6cfe0",80:"31d6cfe0",81:"31d6cfe0",82:"31d6cfe0",83:"31d6cfe0",84:"31d6cfe0",85:"31d6cfe0",86:"31d6cfe0",87:"31d6cfe0",88:"31d6cfe0",89:"31d6cfe0",90:"31d6cfe0",91:"31d6cfe0",92:"31d6cfe0",93:"31d6cfe0",94:"31d6cfe0",95:"31d6cfe0",96:"31d6cfe0",97:"31d6cfe0",98:"31d6cfe0",99:"31d6cfe0",100:"31d6cfe0",101:"31d6cfe0",102:"31d6cfe0",103:"31d6cfe0",104:"31d6cfe0",105:"31d6cfe0",106:"31d6cfe0",107:"31d6cfe0",108:"31d6cfe0",109:"31d6cfe0",110:"31d6cfe0",111:"31d6cfe0",112:"31d6cfe0",113:"31d6cfe0",114:"31d6cfe0",115:"31d6cfe0",116:"31d6cfe0",117:"31d6cfe0",118:"31d6cfe0",119:"31d6cfe0",120:"31d6cfe0",121:"31d6cfe0",122:"31d6cfe0",123:"31d6cfe0",124:"31d6cfe0",125:"31d6cfe0",126:"31d6cfe0",127:"31d6cfe0",128:"31d6cfe0",129:"31d6cfe0",130:"31d6cfe0",131:"31d6cfe0",132:"31d6cfe0",133:"31d6cfe0",134:"31d6cfe0",135:"31d6cfe0",136:"31d6cfe0",137:"31d6cfe0",138:"31d6cfe0",139:"31d6cfe0",140:"31d6cfe0",141:"31d6cfe0",142:"31d6cfe0",143:"31d6cfe0",144:"31d6cfe0",145:"31d6cfe0",146:"31d6cfe0",147:"31d6cfe0",148:"31d6cfe0",149:"31d6cfe0",150:"31d6cfe0",151:"31d6cfe0",152:"31d6cfe0",153:"31d6cfe0",154:"31d6cfe0",155:"31d6cfe0",156:"31d6cfe0",157:"31d6cfe0",158:"31d6cfe0",159:"31d6cfe0",160:"31d6cfe0",161:"31d6cfe0",162:"31d6cfe0",163:"31d6cfe0",164:"31d6cfe0",165:"31d6cfe0",166:"31d6cfe0",167:"31d6cfe0"}[e]+".chunk.css",t=n.p+d,r=document.getElementsByTagName("link"),o=0;o<r.length;o++){var b=(i=r[o]).getAttribute("data-href")||i.getAttribute("href");if("stylesheet"===i.rel&&(b===d||b===t))return f()}var u=document.getElementsByTagName("style");for(o=0;o<u.length;o++){var i;if((b=(i=u[o]).getAttribute("data-href"))===d||b===t)return f()}var l=document.createElement("link");l.rel="stylesheet",l.type="text/css",l.onload=f,l.onerror=function(f){var d=f&&f.target&&f.target.src||t,r=new Error("Loading CSS chunk "+e+" failed.\n("+d+")");r.code="CSS_CHUNK_LOAD_FAILED",r.request=d,delete a[e],l.parentNode.removeChild(l),c(r)},l.href=t,document.getElementsByTagName("head")[0].appendChild(l)})).then((function(){a[e]=0})));var c=t[e];if(0!==c)if(c)f.push(c[2]);else{var d=new Promise((function(f,d){c=t[e]=[f,d]}));f.push(c[2]=d);var r,o=document.createElement("script");o.charset="utf-8",o.timeout=120,n.nc&&o.setAttribute("nonce",n.nc),o.src=function(e){return n.p+"static/js/"+({}[e]||e)+"."+{0:"da263fb4",1:"c7f6ac57",4:"f4279977",5:"ca584576",6:"8b31eff6",8:"e46392e3",9:"2138700b",10:"d21eec56",11:"56560e92",12:"27e50217",13:"85396b1b",14:"5fee5def",15:"480db188",16:"19625a89",17:"429a6923",18:"ab757883",19:"965cd23c",20:"71ae775c",21:"b69ae13a",22:"ead97899",23:"d0f7f215",24:"ed21d2d5",25:"2fcb3630",26:"03657595",27:"650ef959",28:"61c87868",29:"de5b64b9",30:"3df49031",31:"4a4c233f",32:"4474bc7f",33:"c4289d83",34:"ad76e96a",35:"77d3866f",36:"c3f93721",37:"0e895e23",38:"aa273ffd",39:"246782de",40:"a15a7621",41:"5172a0ab",42:"b64f47e5",43:"7b5e24c0",44:"15cb5c09",45:"4620406b",46:"702693cd",47:"495473b8",48:"563ff224",49:"dcd54463",50:"e486c0fa",51:"b7dad8dd",52:"5b975a19",53:"a5a4cd5a",54:"08c5d72d",55:"26f9d5db",56:"042a9f61",57:"1560ecd1",58:"0ffde795",59:"7f3967e3",60:"7bfb81d4",61:"601b2085",62:"5a073228",63:"d344125a",64:"ac4863b7",65:"1f63a476",66:"aac767c4",67:"613c11a8",68:"88ba4792",69:"eedabcd7",70:"64a0e193",71:"8ad630e3",72:"53d1a1c5",73:"494e7d44",74:"621a6485",75:"69a4b1bf",76:"eef5a2d5",77:"7018f253",78:"e0340fa9",79:"e9258a3a",80:"8fdde840",81:"84330a7b",82:"6cf52313",83:"923205ea",84:"9ed526bb",85:"8ecb5036",86:"0fac9206",87:"b1d5a080",88:"05655334",89:"b3791ef4",90:"e98cc0d4",91:"89730dda",92:"0161b2c3",93:"8e4a6aa7",94:"d13ad504",95:"f77fcb17",96:"383e51be",97:"1ce3b748",98:"38a93077",99:"99888f24",100:"4c100485",101:"485729cc",102:"62e061d0",103:"de89b958",104:"e2fafda2",105:"26922674",106:"aaba779d",107:"8f09dd19",108:"4f31c7e5",109:"267273f1",110:"eec0da7d",111:"4fb08f3f",112:"f3767d44",113:"5f398440",114:"483266ef",115:"723ab803",116:"82cfb4c3",117:"ce3dd0bd",118:"c46f0032",119:"79bd2e9d",120:"16e25e66",121:"ad0efbf8",122:"867c12a6",123:"00eab965",124:"64d8a114",125:"013abb3a",126:"c97413d0",127:"f68008e1",128:"b10d1c80",129:"68e53a78",130:"f9bedcf3",131:"4de7b85e",132:"f0dc0d4c",133:"476ae942",134:"4992c71c",135:"13177433",136:"5d1414a8",137:"4994fc2b",138:"4fb392c9",139:"7c533985",140:"8ac8b0e1",141:"2565231e",142:"fa0d2df4",143:"96cc9182",144:"498696a6",145:"8bdb0315",146:"c5fa6642",147:"32e24664",148:"eac46e76",149:"4b7bc910",150:"55b9afa9",151:"205738ca",152:"b02cf8a2",153:"4533f6dc",154:"ae70fd4e",155:"aa3f28a1",156:"75b7ff6b",157:"019e45fe",158:"b057afef",159:"90e89192",160:"97d2cc95",161:"341e9f6e",162:"739b9a95",163:"a8adb4ef",164:"3802dd6f",165:"31cc8912",166:"2f841439",167:"b292f1e5"}[e]+".chunk.js"}(e);var b=new Error;r=function(f){o.onerror=o.onload=null,clearTimeout(u);var c=t[e];if(0!==c){if(c){var d=f&&("load"===f.type?"missing":f.type),a=f&&f.target&&f.target.src;b.message="Loading chunk "+e+" failed.\n("+d+": "+a+")",b.name="ChunkLoadError",b.type=d,b.request=a,c[1](b)}t[e]=void 0}};var u=setTimeout((function(){r({type:"timeout",target:o})}),12e4);o.onerror=o.onload=r,document.head.appendChild(o)}return Promise.all(f)},n.m=e,n.c=d,n.d=function(e,f,c){n.o(e,f)||Object.defineProperty(e,f,{enumerable:!0,get:c})},n.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.t=function(e,f){if(1&f&&(e=n(e)),8&f)return e;if(4&f&&"object"==typeof e&&e&&e.__esModule)return e;var c=Object.create(null);if(n.r(c),Object.defineProperty(c,"default",{enumerable:!0,value:e}),2&f&&"string"!=typeof e)for(var d in e)n.d(c,d,function(f){return e[f]}.bind(null,d));return c},n.n=function(e){var f=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(f,"a",f),f},n.o=function(e,f){return Object.prototype.hasOwnProperty.call(e,f)},n.p="/",n.oe=function(e){throw console.error(e),e};var o=this["webpackJsonprunelite.net"]=this["webpackJsonprunelite.net"]||[],b=o.push.bind(o);o.push=f,o=o.slice();for(var u=0;u<o.length;u++)f(o[u]);var i=b;c()}([])</script><script src="/static/js/7.27d25fc0.chunk.js"></script><script src="/static/js/main.3922a676.chunk.js"></script></body></html>