Exploit found which can lead to cheating

I stated yesterday that I was aware of the issue. Can’t guarantee timelines, but it’s being looked at.

2 Likes

To be fair though @James_Zwift, that post got maintenanced.

6 Likes

Does this also apply if you change your weight via the web interface as opposed to the Companion app, i.e. do they use the same update API, or is Companion getting some kind of direct access that the web profile interface does not have?

Cool.

  1. Being aware of something or ‘looking at it’ doesn’t mean it’s being addressed.

  2. Timelines - why exactly can’t these be guaranteed? Something stopping the Team from addressing the issue? This should be top of the priority list.

Get on with it, slackers.

3 Likes

I’ve just sent this, marked FAO Eric Min

Dear Mr Min

I am a long term user of Zwift and a vocal advocate.

I am also a senior enterprise software Product Manager, responsible for the response to bug and security disclosures.

For both of these reasons, I feel particularly shocked to see the correspondence today between Zwift and Luciano Pollastri.

I read Luciano’s article yesterday, and while I’m sure Zwift would have preferred a more private disclosure, I see nothing but a good-faith analysis by a keen user of Zwift. To ban someone for such an article is surely nothing short of retaliation: the kind of retaliation that most legitimate companies would consider unacceptable for any concern raised by their own employees in similar good faith.

This impression is only further compounded by the subsequent revelation that the exploit has existed for a significant amount of time, and has been communicated to Zwift before by “proper” channels. Given that it still exists, public disclosure is completely legitimate.

This is incredibly poor practice on Zwift’s part, and comes across as mean and toxic. It is also bad practice from a point of view of game integrity and even security.

Please could you take steps to restore this situation to a more acceptable response? I hope that the response was localised in your services group and does not reflect a retaliative policy towards white-hat whistleblowers. The article by Pollastri was considerately worded, well-researched, and took the form of a call to action by Zwift, rather than a “cheat code” revelation intended to enable bad-faith practice.

I will decide on my own future with Zwift depending on the response to this issue.

Thanks

Jon

26 Likes

Good one Jon.

I propose we copy this text, cut out the personal bits, and send it as well. What email addresses have you used?

1 Like

Being able to change your weight via Companion is not strictly necessary, so just disabling the whole thing in the backend should be step one. An app update also removing the functionality would be step two, and a more permanent fix step three.

The Companion profile edit function is a bit of a zwiftshow in general: if you have specified your weight with decimals (as is required e.g. in the PD), simply viewing your profile in Companion will remove the decimals without even asking or notifying the user about saving changes.

5 Likes
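The post above proposes disabling weight changes in the backend first and describes a Companion screen that drops the decimals from your weight and saves on a mere view; the earlier question about whether the web interface and Companion share one update API points at where that fix belongs. The toy Python service below is an added illustration, not code from this thread or from Zwift: the profile service, its client allowlist, the weight bounds and the sample rider weight are all assumptions made up for the example. It shows the write-on-read bug beside a read-only display path, and a single server-side update method that rejects changes from clients not allowed to make them, so the buggy screen can no longer alter the stored value no matter which app it runs in.

```python
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP
from typing import List, FrozenSet

# Assumed bounds and precision for the toy service; not Zwift's real limits.
MIN_KG = Decimal("30.0")
MAX_KG = Decimal("200.0")
STEP_KG = Decimal("0.1")      # keep one decimal place instead of dropping it


@dataclass
class AuditEntry:
    client: str
    old_kg: Decimal
    new_kg: Decimal


@dataclass
class ProfileService:
    """Toy backend. Both the web UI and a companion app are assumed to call
    update_weight(), so this is the one place a change can be stopped."""
    weight_kg: Decimal
    writable_clients: FrozenSet[str] = frozenset({"web"})
    audit: List[AuditEntry] = field(default_factory=list)

    def get_weight(self) -> Decimal:
        return self.weight_kg

    def update_weight(self, new_kg, client: str) -> bool:
        """Return True if applied, False if rejected. Rejections: client not
        allowed to change weight (the 'disable it in the backend' step),
        value out of range, or no actual change."""
        if client not in self.writable_clients:
            return False
        kg = Decimal(str(new_kg)).quantize(STEP_KG, rounding=ROUND_HALF_UP)
        if not MIN_KG <= kg <= MAX_KG:
            return False
        if kg == self.weight_kg:
            return False
        self.audit.append(AuditEntry(client, self.weight_kg, kg))
        self.weight_kg = kg
        return True


def buggy_view_profile(service: ProfileService, client: str) -> int:
    """Display path with the bug the post describes: the screen coerces the
    weight to an int for display and then writes that value back, so merely
    viewing the profile changes the stored weight."""
    shown = int(service.get_weight())            # 74.6 -> 74, decimals gone
    service.update_weight(shown, client=client)  # a write on a read path
    return shown


def fixed_view_profile(service: ProfileService) -> str:
    """Display path done right: format for display, never write."""
    return f"{service.get_weight():.1f} kg"


def demo():
    # Constructed scenario: a rider stored with decimals, viewed once
    # through the buggy companion screen while companion may still write.
    before_fix = ProfileService(
        Decimal("74.6"), writable_clients=frozenset({"web", "companion"}))
    buggy_view_profile(before_fix, client="companion")
    # Same scenario after companion weight changes are disabled server-side:
    # the buggy screen still tries to write, but nothing sticks.
    after_fix = ProfileService(Decimal("74.6"))
    buggy_view_profile(after_fix, client="companion")
    return before_fix, after_fix


if __name__ == "__main__":
    b, a = demo()
    print("before fix:", b.get_weight(),
          [(e.client, str(e.old_kg), str(e.new_kg)) for e in b.audit])
    print("after fix: ", a.get_weight(), a.audit)
```

The audit list is the defender's side of this: an entry written by a client that only ever displays the profile is the signal that a read path is mutating data, and it is visible regardless of whether the client UI ever told the user a save happened.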

Fair enough, but as stated elsewhere, that post seems to have got deleted. It was deleted for a fair reason, but now I don’t know what you said. So, please do keep us updated. And I am talking about more detail than “it’s being looked at”. We don’t need lots and lots of detail, but something like “this is at the top of the priority list,” “we expect a couple weeks due to code complexity,” or “unfortunately, we need a client-side fix for this, so it will take a month or so.”

Remember, we can’t quite tell what Zwift is thinking. And because of Zwift’s track record on the issue, we aren’t willing to assume that this is being taken seriously. I grant you that even clearer communications would probably get a negative response, but it’s better than terse communication.

Edit: in the cached Google version of the original thread, James said

Just acknowledging that I’ve seen this.

Again, this is good, but it also doesn’t tell us how strongly Zwift is prioritizing this. I acknowledge that this affects a minority of Zwifters, but it’s also a loophole you can drive a truck through.

3 Likes

Yes, I no longer have access to Zwift Racers. So I don't know what is happening there. In any case, as things seem to be way more noisy than I anticipated (I thought WTRL would publish and answer that they are looking into it and sweep it under the carpet), and some people are getting uncomfortable, I just unpublished the original WordPress post. People who had to know know anyhow.

2 Likes

@James_Zwift I really feel Zwift need to step in here and fast.

Even if Zwift do not agree with the way that this issue was raised, and even if Zwift want information about the exploit removed whilst it is worked on, personal attacks such as banning a person who, in what appears to be good faith, highlighted an exploit so it could be fixed are really terrible form.

What sway do Zwift have in the Zwift Riders and WTRL Facebook groups, and why are people being removed and silenced?

2 Likes

This appears to be nothing more than Eric kissing the ring.

Seems like a pretty fair statement for me, considering he relies on Zwift for a lot of content and could have said nothing at all.

2 Likes

I can’t even …

Seems pretty fair: with Zwift giving him work he has to watch what he says, but at least he did try to get a proper response and question the reasoning of it.

But it does bring up a similar situation where he posted about sticky watts and Zwift took no action to ban him, so I wonder why they are now picking on the whistleblower when they should be thanking them for trying to make racing fairer.

4 Likes

I propose you rewrite the article to remove any links to your profile and post it here and on Reddit, where the issue is also being discussed.

2 Likes

FWIW I started that thread, and wasn’t notified when it was deleted or why. It’s understandable that they don’t want the exploit made any more public than it already is (banning the whistleblower doesn’t help…) but they could have just edited out the link to the article in question. The majority of discussion in the thread was about how the issue could be resolved, so I didn’t think it was untoward.

10 Likes

#FreeLuciano

11 Likes

#FreeLuciano

20 Likes

#FreeLuciano

6 Likes

#FreeLuciano

6 Likes