konijnenmoed, Posted May 30, 2025

Official dedicated Klei servers and other public servers are being crashed because of a new exploit, which seems to be related to spamming millions of chat lines to freeze and reset servers. I'd like to ask the devs to prioritise this issue and hopefully hotfix it as soon as possible, before this issue goes in the same direction as the Balatro cards a few weeks ago. It seems that this exploit is now being used by multiple different accounts and not just by one person/player.

Some of the related bug reports can be found here or by searching the official Discord server.

Thread URL: https://forums.kleientertainment.com/forums/topic/166041-please-klei-hot-fix-the-chat-message-exploit-that-crashes-servers/
GuardDuty, Posted May 30, 2025 (edited)

The answer might just be spending more money to beef up those Amazon servers, but the best plan is to just shut down the cheap public servers and put that money into community-hosted servers instead. DoS impact is calculated by the lost value when users can't access the service, so in this case, probably zero, lol.

Still, this is what running a real business looks like. Just because you're an "indie" game studio (with a $100 million valuation, haizz) doesn't mean you get a free pass. If you're doing business online, you need an actual cybersecurity plan. That means a proper communication strategy with an incident response plan, hiring real experts to review your code, and finally treating this like a professional operation, not a hobby project. You're taking people's money and installing a piece of software on their computer to provide services, so you have a responsibility.

It's kind of unbelievable how long this has dragged on with barely any response. The guy who found these exploits and installed the proof-of-concept malware didn't have bad intentions, because if he did, you'd be screwed. Imagine if he realized he could potentially install bitcoin miners on every customer server. (Canada, it's "only" ~CAD 100,000 per cybersecurity violation.)

Here's some actual advice: once actual hackers realize you're not spending bloody anything to protect your stuff, don't be shocked when the incidents start piling up and turn into full-on breaches, and you will end up paying way more in fines than it would've cost to hire some professionals to secure your systems, instead of relying on your overlord devs.

Edited May 30, 2025 by GuardDuty
JazzyGames, Posted May 30, 2025 (edited)

I do realize that DDoS attacks are very serious and the threat of them deserves immediate attention, but these comments feel a bit more dev shame-y than they need to be.

Would setting a global cooldown on in-game messages fix this exploit?

Edited May 30, 2025 by JazzyGames
RetRunt, Posted May 30, 2025 (edited)

Why doesn't Klei do something about their own servers, similar to what Meow servers have, for example? Some QoL mods, the ability to save and load worlds, some built-in protections against griefers and such? That would be simply amazing for everyone who enjoys playing on Klei public servers!

However, if Klei doesn't care, then maybe they should just shut down their own servers, instead of letting these people continue exploiting and crashing not just the servers, but the game as well, potentially causing other issues.

Edited May 30, 2025 by RetRunt
TheDistinguishe, Posted May 30, 2025

I love pubs, it's all I play, I hope they don't shut down. It would be nice if a bunch of stuff got fixed, but shutting them down is not a solution for me.
GuardDuty, Posted May 30, 2025 (edited)

> 4 hours ago, JazzyGames said: comments feel a bit more "dev shame-y" than they need to be

If I were their consultant, I wouldn't talk to them like this, lol, need the sweet paycheck. But I'm not, I'm a customer. At least my separate game account data is here.

As someone who's actually made money helping companies secure their stuff though, I have to say: the company deserves to be shamed. I'm not shaming the devs individually, but the whole operation feels like it's run like a mom-and-pop shop, with developers stuck in an echo chamber, hyping themselves up and avoiding doing real work. I doubt anyone in this echo chamber will ever read this, but hey, I'm on vacation time, and it's kind of fun to see how this all plays out in the future.

Here's a version of the situation that most business owners would understand:

1. DoS impact like this is measurable: you calculate it based on how long the service is down, how many users are affected, and the cost in both money and man-hours. For example, if a server costs $100/month and it's down for a month, that's a $100 base loss. Add to that the staff time spent fixing it, and the potential churn from users who can't access the service. Even if these servers are "free" or a "nice gesture," they now have net negative value, hurting the company's image and user trust.

2. Remote code execution on users' machines: oh boy, can't even, but keep f around and find out. A single RCE exploit like that could be worth $5k–$10k on the market. If there was an actual impact and it got reported to authorities, especially in the EU, you're looking at potential fines of at least $40k or more. Canada is similar, though a bit laxer toward businesses. China depends entirely on your government connections, so zero, lol. The guy literally did a whole-ass favor for this company and got his account banned lol.

3. At least I'll give you this: within your budget, you probably can't hire top-tier full-time talent. The game industry is notoriously lax on security, since their customers will practically hand over their computers to hackers via just phishing. But that doesn't mean you, as a business, get a free pass. Best plan? Hire a short-term consultant with a strong background in AppSec, especially someone familiar with C and Lua, and make your dev team work with them. Securing your infrastructure isn't rocket science, but it does take real effort.

Either choose to pay hefty fines or choose to leave your ego behind and fix your stuff.

Edited May 30, 2025 by GuardDuty
konijnenmoed, Posted May 31, 2025

> 5 hours ago, JazzyGames said: I do realize that DDoS attacks are very serious and the threat of them deserves immediate attention, but these comments feel a bit more dev shame-y than they need to be. Would setting a global cooldown on in-game messages fix this exploit?

Yes. That's the exact same solution I thought of as well, and it might be the best way to hotfix it as soon as possible.
Uedo, Posted May 31, 2025

> 1 hour ago, GuardDuty said: If I were their consultant, I wouldn't talk to them like this, lol, need the sweet paycheck. But I'm not, I'm a customer. At least my separate game account data is here. As someone who's actually made money helping companies secure their stuff though, I have to say: the company deserves to be shamed. I'm not shaming the devs individually, but the whole operation feels like it's run like a mom-and-pop shop, with developers stuck in an echo chamber, hyping themselves up and avoiding doing real work. I doubt anyone in this echo chamber will ever read this, but hey, I'm on vacation time, and it's kind of fun to see how this all plays out in the future. Here's a version of the situation that most business owners would understand: 1. DoS impact like this is measurable: you calculate it based on how long the service is down, how many users are affected, and the cost in both money and man-hours. For example, if a server costs $100/month and it's down for a month, that's a $100 base loss. Add to that the staff time spent fixing it, and the potential churn from users who can't access the service. Even if these servers are "free" or a "nice gesture," they now have net negative value, hurting the company's image and user trust. 2. Remote code execution on users' machines: oh boy, can't even, but keep f around and find out. A single RCE exploit like that could be worth $5k–$10k on the market. If there was an actual impact and it got reported to authorities, especially in the EU, you're looking at potential fines of at least $40k or more. Canada is similar, though a bit laxer toward businesses. China depends entirely on your government connections, so zero, lol. The guy literally did a whole-ass favor for this company and got his account banned lol. 3. At least I'll give you this: within your budget, you probably can't hire top-tier full-time talent. The game industry is notoriously lax on security, since their customers will practically hand over their computers to hackers via just phishing. But that doesn't mean you, as a business, get a free pass. Best plan? Hire a short-term consultant with a strong background in AppSec, especially someone familiar with C and Lua, and make your dev team work with them. Securing your infrastructure isn't rocket science, but it does take real effort. Either choose to pay hefty fines or choose to leave your ego behind and fix your stuff.

This is all really surface level and such a weirdly worded post.
GuardDuty, Posted May 31, 2025 (edited)

> 40 minutes ago, Uedo said: This is all really surface level and such a weirdly worded post

I agree, it is all surface level; it's not supposed to solve anything without paying people their hourly rate to actually get work done. It's just that this company's running on this mom-and-pop, fan-labor feedback loop through some social-media-style platform, where sooner or later someone's gonna call people racist for just giving feedback.

As for the server issues, it's not a DDoS, more like a plain old DoS. Since they're on Amazon and accessed through Steam, they're mostly protected from large-scale distributed attacks, aka DDoS. Cloud services can handle that. What they don't protect against, though, are problems like bad configs, poor resource allocation, bugs, or inefficient code. In this case, it's chat overload. Fix it, and the next one could just as easily be giant log files generated via client mods, or user events dumping more data than the server can handle. Eventually, it just chokes. Not because it's under attack, but because it's underbuilt, and the answer is just money to increase server loads.

Throwing cloud money at the problem doesn't really help either. It's way more expensive than it should be, and if your system is already inefficient, you're just burning cash. At that point, you're paying more and still not getting protection. So yeah, if they want to keep offering "free" servers, they're gonna have to rethink how they build, secure and scale everything.

Edited May 31, 2025 by GuardDuty
Bumber64, Posted May 31, 2025 (edited)

> 7 hours ago, GuardDuty said: The guy literally did a whole-ass favor for this company and got his account banned lol.

AFAIK, he uploaded malicious copies of popular mods to the workshop? (Pretty sure this breaks Steam ToS.) The exploit he described involved downloading (potentially private?) mods from servers. Yet there are public ones on Steam. You can't stop people from writing undesirable Lua code, because you can't define undesirable. (E.g., what if I want a mod that resets the world?) Any Lua error also terminates the server without saving. If there were an exploit that allowed read/write access outside the mods directory, that'd be one thing, but that's not what happened.

Now there's a bug that crashes the server using messages. It needs to be fixed, but is fundamentally not much different from triggering any other crash.

Edited May 31, 2025 by Bumber64
GuardDuty, Posted May 31, 2025

> 1 hour ago, Bumber64 said: AFAIK, he uploaded malicious copies of popular mods to the workshop? (Pretty sure this breaks Steam ToS.) The exploit he described involved downloading (potentially private?) mods from servers. Yet there are public ones on Steam. You can't stop people from writing undesirable Lua code, because you can't define undesirable. (E.g., what if I want a mod that resets the world?) Any Lua error also terminates the server without saving. If there were an exploit that allowed read/write access outside the mods directory, that'd be one thing, but that's not what happened. Now there's a bug that crashes the server using messages. It needs to be fixed, but is fundamentally not much different from triggering any other crash.

Yeah, what the guy did was gray-hat stuff. The company already deals with that, and there's nothing wrong, by the book, with banning him either. When I said he did them a favor, I meant it, credit where it's due. He wasn't trying to cause actual harm or make them lose a significant amount of money.

But when something goes wrong because of your software, even if someone else is misusing it, it's still on your business. That's the whole point of data protection laws and regulations: to force businesses to protect everyone and not just sell your data. And in most modern countries, a violation like that can easily lead to fines, around ~$40k per incident. That's if it even gets reported or noticed by the authorities, of course. Still, when you look at it like that, there's a whole lot more incentive to actually secure your stuff.

That's also why I called it a "proof of concept." It wasn't malicious, yet. But let's be real, no one's going to spend unpaid time building a full-on usable exploit unless they're either trying to get a bug bounty or planning to actually use it. They don't even remember they have a security.txt file to redirect people to. And yeah, potentially downloadable malicious code via the internet, to all users, on exposed servers? That alone could bring in a hefty fine.

At the very least, create a separate security tag for handling security bug reports: if it's a security tag, it should be private. Right now, crash bugs (aka DoS) are visible to the public, which is great, everyone saw that and can choose to use it if they like. Get someone to come up with a solid way to triage and prioritize these reports and stick that right at the top of the Jira board (or whatever board). Got a security.txt file? Don't just ignore it. Tell people to use the email listed in security.txt, or a VDP program or whatever, even if you're not planning to reply. Even if you haven't spent money on proper protection yet, at least you can argue to the authority that you "care" and it was just "unfortunate".
kipper0k, Posted May 31, 2025

Oh, I should note that some time ago I reported a bug that allows you to run PowerShell commands directly from the game, so combining that bug with an infecting mod could be something terrible.
Uedo, Posted May 31, 2025 (edited)

> 17 hours ago, GuardDuty said: I agree, it is all surface level; it's not supposed to solve anything without paying people their hourly rate to actually get work done. It's just that this company's running on this mom-and-pop, fan-labor feedback loop through some social-media-style platform, where sooner or later someone's gonna call people racist for just giving feedback. As for the server issues, it's not a DDoS, more like a plain old DoS. Since they're on Amazon and accessed through Steam, they're mostly protected from large-scale distributed attacks, aka DDoS. Cloud services can handle that. What they don't protect against, though, are problems like bad configs, poor resource allocation, bugs, or inefficient code. In this case, it's chat overload. Fix it, and the next one could just as easily be giant log files generated via client mods, or user events dumping more data than the server can handle. Eventually, it just chokes. Not because it's under attack, but because it's underbuilt, and the answer is just money to increase server loads. Throwing cloud money at the problem doesn't really help either. It's way more expensive than it should be, and if your system is already inefficient, you're just burning cash. At that point, you're paying more and still not getting protection. So yeah, if they want to keep offering "free" servers, they're gonna have to rethink how they build, secure and scale everything.

I mean, sure, but it's an easy fix. We don't necessarily have to have chat interact with the infrastructure directly; it can always be exported on a marginal delay (literally unnoticeable), verified against rules (a simple one being char limit and access) and be exported to the chat overlay with the correct player IDs, and a user wouldn't notice that any of that's happening under the hood. This is an internal structure issue, and anything additional is just that, additive; it's not a solution at all.

You're creating a maid to ensure the house stays clean; it would be better if the house never became dirty. Simple metaphor, but my point is that not every solution works in every situation, and DST is known for having issues with infrastructure (so much so it was cleaned up a lot in the past).

TL;DR: this is an issue where the infrastructure is manipulatable; security isn't needed, tightening of how inputs interact with it is. (You can absolutely add a way to limit the amount of inputs registered in a period of time from a user too, before you go into packet overloading and stuff like that.)

Edit: Ah, I re-read and I think I misunderstood, we're on the same page. Yeah, I can't say why they haven't, to be honest; maybe they are, sometimes things are bound in red tape. I'm not sure.

Edited May 31, 2025 by Uedo
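The verification stage Uedo sketches above (a char limit, an access check, and a per-user limit on inputs per period of time) together with the global cooldown JazzyGames asked about earlier in the thread, as an added example that is not part of any post here and not Klei's code: a chat admission gate with a length cap, a per-player token bucket, and a server-wide bucket as the backstop for a flood spread across several accounts (the two-account pattern reported later in the thread). All limit values and the simulated senders are constructed placeholders, not values from the game.

```python
"""Chat admission gate: length cap, per-player token bucket, server-wide token bucket.

Constructed example. Limits below are placeholders, not Don't Starve Together values.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Token bucket: `capacity` messages of burst, refilled at `rate` messages per second."""

    capacity: float
    rate: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.capacity  # start full so a fresh player can talk immediately

    def try_take(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)  # clock going backwards never mints tokens
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ChatGate:
    """Decides whether a chat line is relayed to other players and the chat log."""

    def __init__(self, max_len: int = 150, player_burst: float = 5, player_rate: float = 1.0,
                 global_burst: float = 50, global_rate: float = 20.0) -> None:
        self.max_len = max_len
        self.player_burst = player_burst
        self.player_rate = player_rate
        self.global_bucket = TokenBucket(global_burst, global_rate)
        self.players: dict[str, TokenBucket] = {}  # a real server evicts these on disconnect

    def admit(self, player_id: str, text: str, now: float) -> tuple[bool, str]:
        """Return (admitted, reason). Cheapest checks run first and touch no shared state."""
        if not text.strip():
            return False, "empty"
        if len(text) > self.max_len:
            return False, "too_long"
        bucket = self.players.get(player_id)
        if bucket is None:
            bucket = self.players[player_id] = TokenBucket(self.player_burst, self.player_rate)
        if not bucket.try_take(now):
            return False, "player_rate"
        # Server-wide backstop: a per-player limit alone is defeated by many accounts,
        # so the total chat the server relays is capped regardless of sender count.
        if not self.global_bucket.try_take(now):
            return False, "global_rate"
        return True, "ok"


def simulate(gate: ChatGate, senders: list[str], per_sender: int, text: str,
             now: float) -> dict[str, int]:
    """Interleave `per_sender` messages from each sender at one instant; tally by reason."""
    counts: dict[str, int] = {}
    for _ in range(per_sender):
        for sender in senders:
            _, reason = gate.admit(sender, text, now)
            counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    gate = ChatGate()
    # One account pasting 10,000 lines in the same tick: five get through, the rest are dropped.
    print("single flooder:", simulate(gate, ["flooder"], 10_000, "spam", now=0.0))
    # A bystander is unaffected because the global bucket still has headroom.
    print("bystander:", gate.admit("bystander", "hello", now=0.0))
    # Twenty throwaway accounts together hit the server-wide cap instead.
    puppets = [f"puppet{i}" for i in range(20)]
    print("20 accounts:", simulate(ChatGate(), puppets, 10, "spam", now=0.0))
```

Rejected lines are still worth counting per sender in the server log, since a player who trips `player_rate` thousands of times in one tick is exactly the signal a moderator or auto-kick wants.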
Frosty_Mentos, Posted May 31, 2025

Some of the hacker guys here kinda do have a point on these issues needing to be addressed. While the way they do it causes unnecessary issues, I feel like we also should have gotten some kind of word from Klei themselves to address this as an important thing to resolve, rather than sticking to silence. I get that you wanna keep playing elusive when it comes to general communication, but some words would be appreciated to know if this is being worked on or not. If it'll take time, it's fine; saying a few words to give some damage control is, I feel, a job of some of the staff at Klei.
Echsrick, Posted June 1, 2025

> On 5/31/2025 at 12:24 AM, RetRunt said: Why doesn't Klei do something about their own servers, similar to what Meow servers have, for example? Some QoL mods, the ability to save and load worlds, some built-in protections against griefers and such? That would be simply amazing for everyone who enjoys playing on Klei public servers!

I don't think official Klei servers should use mods, they are supposed to be the vanilla experience, and save/load also just seems rather unreasonable. The inbuilt one however is a good one... all it needs is just... just be like the Meow servers and its hidden mods.
Tranoze, Posted June 1, 2025 (edited)

> 7 hours ago, Echsrick said: use mods

It will no longer be a mod if it's official. So Klei can do whatever they want with their pub servers. It's just that they are too lazy (or it's not worth the time, as they called it) to do anything. Server reset on update is not the vanilla experience. Server reset on crash is also not the vanilla experience.

Edited June 1, 2025 by Tranoze
FluffyBun, Posted June 1, 2025 (edited)

> On 5/31/2025 at 2:44 AM, JazzyGames said: I do realize that DDoS attacks are very serious and the threat of them deserves immediate attention, but these comments feel a bit more dev shame-y than they need to be. Would setting a global cooldown on in-game messages fix this exploit?

It's DDoS, there is no counter that you can implement by changing the game's binaries OR Lua. You really need a professional securing your stuff. Imagine a wire, and now imagine some guy basically blasting ones and zeros on that wire. Yeah, that's the problem. Klei literally exposes their servers' IP to whoever wants to DDoS them, so if the server is weak, you can't do ****. Typically, the workaround uses beefier things to vet connections and stuff.

Edited June 1, 2025 by FluffyBun
00petar00, Posted June 3, 2025 (edited)

Do you really think Klei wants to invest money into server infrastructure for pubs? They are already paying the bare minimum, because all data is lost on any crash/restart. DST is becoming more of a game that requires an endless server because of how much late-game content there is. What is interesting is that there are quite a few servers from different communities that don't have that many players but can support as many as Klei pubs have and not lose any data, but are often empty because they aren't official servers and usually have a mod or two that doesn't have much impact on gameplay.

Official pubs haven't brought anything positive for the company; I don't understand why they are still hosted. The way DST is designed is that griefers have a lot of power, and without moderation there isn't much fun to be had. I think the main reason people play on official pubs is to interact with other players, and this would still be possible on moderated community servers if players decided to play there. Players that do this on moderated servers usually get banned pretty quickly.

Edited June 3, 2025 by 00petar00
wolf5395wolf, Posted June 3, 2025

This game isn't made for half of these mods, this is why your game can crash at any moment. So just don't join a world with more than 6 slots.
konijnenmoed, Posted June 3, 2025

> 6 hours ago, wolf5395wolf said: This game isn't made for half of these mods, this is why your game can crash at any moment. So just don't join a world with more than 6 slots.

This is not because of mods.
konijnenmoed, Posted June 5, 2025

It happened again just now (see screenshot after trying to rejoin the server). I'll add it to my bug report too, but this clearly needs some attention before servers get unplayable. It seems they now join with two accounts to bypass the vote kick. If one (or more) player(s) don't vote, they can crash the server during the waiting time for the vote timer to end.

For the purpose of informing moderators of group servers, I'll add the link to the profiles of the, in this case, two exploiters who joined at the same time with the same name (as 'Apch'):

https://steamcommunity.com/profiles/76561199835427864/
https://steamcommunity.com/profiles/76561199516455145/

Attachment: client_chat_log_2025-06-05-15-42-57.txt
RetRunt, Posted June 5, 2025 (edited)

This keeps happening, Klei. Why aren't you doing something? You keep letting these lunatics crash your own servers and your own game. Do something, or just shut down your own servers if you can't be bothered to fix them. This is unacceptable and quite a dangerous situation as well.

Edited June 5, 2025 by RetRunt
konijnenmoed, Posted June 5, 2025

> 1 hour ago, RetRunt said: This keeps happening, Klei. Why aren't you doing something? You keep letting these lunatics crash your own servers and your own game. Do something, or just shut down your own servers if you can't be bothered to fix them. This is unacceptable and quite a dangerous situation as well.

I'd like to add that when I talked about this on Discord I got at least one private message about an incident where this seemed to have happened to a self-hosted public server too. This could be something that will spread to other servers, not just official Klei servers.
Bleksmits, Posted June 6, 2025

> On 6/3/2025 at 4:58 PM, 00petar00 said: Official pubs haven't brought anything positive for the company

Not played enough on pubs, it seems. It's a good place to get positive company; it depends only on who you are.
00petar00, Posted June 6, 2025

> 2 hours ago, Bleksmits said: Not played enough on pubs, it seems. It's a good place to get positive company; it depends only on who you are.

I don't have as many hours on pubs as some players, but I did put in like 50-100 years ago. My argument isn't that pubs are not playable or that it is always going to be a negative situation for everyone, but that it is a subpar server and a worse experience overall. I said that it doesn't bring anything positive for the company; I should've been more specific and said that it isn't good PR, and griefers can do anything they want, which isn't a normal experience of the game on community or private servers.