Exploit found which can lead to cheating

I am a new user to Zwift and did my first race today. It was a category enforcement test event and overall the experience was pretty positive. However reading through this thread and the response from Zwift makes me seriously question the platform. Prior to this I was absolutely planning on having an ongoing subscription but now I am looking at competing platforms instead.

There is an easy fix here. Unban the user that is actively helping make the platform better and quickly fix the bug. Hiding behind legal terms and conditions makes this worse not better.

10 Likes

Wonder if UCI Esports is aware of apparently how easy it is to cheat on Zwift and apparently hasn’t been addressed, even after Zwift was allegedly aware of the flaw that allows the cheating to take place? :man_shrugging:

I have a further smart a** comment about the corporate culture apparently stemming from a certain social media username of a well known person in the company but as others fear if I go there I too shall be “maintenanced”

4 Likes

Sorry - what?

I missed this at the time and I am literally staring at the screen lost for words. It is almost impossible to describe what a spectacularly bad idea this was.

Jings - what were they thinking?

1 Like

I’m just thinking through doing the same myself. I don’t want to go into ‘bye Felicia’ mode. My team has 6 riders in the World Championships this weekend. A big community of dedicated riders and I want to support them. I’ve put a lot of effort into helping Zwift avoid a different PR disaster with their category enforcement work. However when the community as a whole is treated with such disdain it makes you ask what’s the point.

From a personal training perspective I really don’t need it, if anything it gets in the way. I think I’ll probably cancel it too and see if I can find someone to look after the race series with bare minimum admin and support the teams from afar until next winter, when hopefully there have been some big changes. Or even better, some competition appears. With such gaping holes in the setup hopefully someone else realises the commercial opportunity.

Ciao for now zwift.

16 Likes

How about providing a per user graph on ZP allowing anyone to view someone else’s weight graph (and how about height while they’re about it).

1 Like

This idea is so good you’re probably going to be banned for it :stuck_out_tongue_winking_eye:

1 Like

Sadly, it’s highly unlikely Zwift would be keen on implementing that.
Don’t forget that it was only eleven months ago that ZHQ wanted to make all height and weight data invisible there, due to alleged harassment in the community and thus to protect users’ mental wellbeing:

That got walked back pretty quickly after the reactions here and elsewhere, but it suggests that getting more openness and visibility isn’t on the cards.

Well FVCKIN’ H3LL! This is a less than optimal turn of events. I’m hopeful there will be something coming down the pike to fix this one.

I truly hope there are some after hours meetings going on at Zwift World Headquarters addressing this FU.

Unfortunately, I’ve said in the past: Hope should not be considered a viable course of action. In this case, it’s all we got…

2 Likes

This response is just plain wrong. This is a clear case of the whistleblower (who was very clearly trying to help) being punished instead of the cheaters being caught and dealt with AND/OR fixing the actual problem. And you’ve doubled down on the initial ludicrous response (banning the whistleblower) by publicly and poorly trying to explain yourself and hoping the uproar will all go away. This is the worst PR move you could possibly have made. Reversing the ban and fixing the problem quickly is the only acceptable solution going forward.

5 Likes

“Section 5, subsection vii forbids ‘Use our Platform other than for its intended purpose and in any manner that could interfere with, disrupt, negatively affect or inhibit other users from fully enjoying our Platform or that could damage, disable, overburden or impair the functioning of our Platform in any manner;’”

Hey Zwift, what are you going to do about these people? 30 day ban for all of them I presume?

23 Likes

it’s a joke. the ZP F&&kers never get banned. they shouldn’t even be allowed, and if they are allowed should be invisible to everyone else

1 Like

I reported this in a ZwiftPower forum post (back when those were still active and useful) over a year ago. Zwift should ban me too.

6 Likes

I remember in the days of yore when Zwift had recently taken over ZwiftPower and they wanted to eliminate a public display of a user’s weight because a very small percentage of users were upset that this category was displayed.

The community responded overwhelmingly that doing so would lead to more cheating and hiding this metric was completely unnecessary, especially considering that if it bothers any particular user(s), they could customize the data that’s shown by deselecting the column on their ZwiftPower profile.

Zwift responded quickly to the issue and didn’t continue to implement the change, having realized that they made a mistake trying to appease a small percentage of users that overlooked how detrimental this change would be to the community as a whole.

I’m unsure what the hold up is with this particular issue. The Zwift and cycling community has responded overwhelmingly in favor of Luciano. It seems that a simple fix of addressing the bug, apologizing, unbanning Luciano, and maybe reconsidering who at Zwift should be in charge of making decisions regarding suspensions, as well as reevaluating the process of what bugs to address first, would be an easy fix.

#freeLuciano

3 Likes

Just to go on record here, since my reply in Zwift Racers was deleted with the rest of the thread…

First, let me say this: I think Luciano could have handled this better by reaching out to Zwift with the issue, perhaps even telling them he would take it public on X date even if it wasn’t fixed because he was concerned that it’s actively being used by cheaters. Then if Zwift didn’t respond, he would have a stronger case for publicly posting the hack.

So I’d say he jumped the gun a bit. Which is hard to fault him for, when he had multiple people telling him Zwift already knew about the exploit, and race teams knew about it too. That’s hard information for a rabid Zwift racer to just sit on.

Since Luciano went against Zwift’s ToS, Zwift has the “legal” standing to shadowban him or do whatever they’d like with his account. They’re within their rights to do so. But that doesn’t make it the BEST decision on their part, and I’ve tried to communicate this to ZHQ via private channels in no uncertain terms.

I would have loved to see Zwift take this approach with Luciano’s WordPress post:

"Hi Luciano,
We just saw your post about the Companion exploit. While we don’t like seeing Zwift exploits shared publicly, we know by the content of your post that you did it in order to clearly demonstrate the hack to us and get our attention so it would be fixed. It worked!

Since your post demonstrates how to cheat in Zwift races, we’ve taken what we hope is a temporary disciplinary measure and shadowbanned your account, which is our standard practice in these cases. We request that you take the post down immediately so more Zwifters don’t learn about the exploit. Once you do so, we will reinstate your account.

On our side, this exploit has been moved near the top of the list of bug fixes. We anticipate at least a temporary fix rolling out in the month of March.

Ride On"

Some of you are bugging me to do a Zwift Insider post about this topic. I’m still not sure what that’s going to look like, but I’ve been in near-constant contact with Luciano during all of this. We’ve joked about how many parts this series of posts is going to have, as the saga continues way past what Luciano foresaw. All that to say, I’m sure this will be talked about on ZI… I just can’t promise exactly when and how.

In the end I, like many of you, wish Zwift had handled this differently - in a way that showed they value Luciano as a person. He may have jumped the gun, but Zwift could have easily taken the high road and come out of this sparkling clean. Now it’s just sort of… ugly all around. And that bums me out. Heck, I got my Zwift Insider kit in game finally this week, and I haven’t even ridden with it yet because I’ve had a bad taste in my mouth for two days.

I’m not leaving Zwift like some of you. I’m just annoyed to see this script playing out again. I hope Zwift learns from this and does better next time.

Whew… that was cathartic.

Ride on, my friends.

30 Likes

the post should stay up and the exploit should be fixed. it’s been around for years. it’s been around so long that i learned about it, forgot about it, and was reminded it exists by mister luciano. for some insane reason i took the liberty of assuming they’d patched it out at some point ages ago

6 Likes

Excellent post there EricS. Pretty much covers it. There’s one true takeaway from this current mess: ZHQ absolutely needs a Public Relations Person. They need someone to field these things who knows how to handle them. Obviously there’s not The One PR Person at the controls so these tempests in teapots rapidly spiral out of control. This was handled just like the WTRL password debacle last month.

Maybe they don’t see this as important since the forum is a very small subset of subscribers so our ire is not more than a pebble on the Road to Sky. I think it can be surmised this is the case with the continual dismissal of the feature requests and ongoing bugs brought up here. We are literally a zit on the ass of progress to them. Wish it was different but I must bow to the evidence in front of my face.

2 Likes

Let’s be real, ZHQ is now being driven by the venture capitalists. The only thing that really matters is getting a big exit for the investors, either IPO or another HUGE funding round. Customers are just an annoying necessity for them.

7 Likes

By definition, pretty much any ZPower rider that enters a race is violating Section 5, subsection vii. LoL

6 Likes

I signed up here just to say some things.

I’m a product executive in tech. If my team handled the situation this way, I would be very concerned. We’ve seen examples of poor product excellence standards from z in the past, but gave them excuses. This is inexcusable.

  1. Ignoring a glaring exploit for years means they don’t have a grasp of user experience nor their product/ engineering backlog. I can think of a few very simple processes that would have helped avoid this issue altogether.

  2. Zwift’s initial reaction and subsequent response is glaring apathy toward the customer base and a lesson in how not to communicate. This is a sign of poor leadership and customer-antagonistic company culture.

I cancelled my account. There’s plenty of competition.

19 Likes

:face_with_open_eyes_and_hand_over_mouth:

2 Likes