While Capcom is trying to find new ways to prevent piracy after Resident Evil 7 was cracked in record time, DRM provider Denuvo is having a similarly bad week of its own, with their website left unprotected over the weekend and lots of sensitive information allowed to leak out. Parts of Denuvo’s website didn’t have effective user permissions set on the server, and everything from access logs, to emails left for Denuvo developers, to internal company slides and sample software was made available. While the leak doesn’t financially impact Denuvo at this time, it is a bit embarrassing, and it included some hints about upcoming games that are currently in development, as well as who’s likely to use Denuvo DRM in the near future.

The leak originated from a thread on 4Chan, where someone scanning the server for vulnerabilities noticed that several of the hidden pages were not password protected. There were user access logs stretching back to 2012, as well as publicly readable email stored unencrypted on the server. The email portion was part of their “Contact Us” page, and messages were left for them from disgruntled users, would-be phishing attempts, a few social engineering attempts to gain access to executable files that didn’t contain Denuvo, and some legitimate emails from developers.

While the 11MB email file is extremely long, users on 4Chan and Reddit had already combed through it in a matter of hours, extracting this list of developers that had contacted Denuvo:

Notable:

  • Jun Matsumoto of CAPCOM Japan and Jon Airhart of CAPCOM USA as well as Tim Roy from CAPCOM talking about a “PC game title in 2016 for x64 for Win 10 UWP”
  • Vishnu Vijayakumar of TaleWorlds Entertainment making Mount & Blade II: Bannerlord
  • Graeme Jennings and Ed Kalletta of Microsoft about Halo Wars
  • Dominic Matthews from Ninja Theory on Hellblade
  • Nicolas Sérouart of Dontnod Entertainment about a demo of a game
  • Andy Messner of Rooster Teeth about RWBY: Grimm Eclipse
  • Matthew Labunka from ATARI about an upcoming Unity 5 game
  • Rebellion Interactive for future products
  • Evan Icenbice of 505 Games about ADR1FT
  • Mike Fitzgerald of Harmonix Games
  • Som Yau of Relic Entertainment
  • Uwe Roth of Kalyspo Media
  • Ray Tran of CCP Games about a Q1 2016 game
  • Christian Grunwald from Astragon about their Simulator games
  • Ivan Belousov of Hype Train Digital about The Wild Eight
  • Joon Park of Lanze Games about Pixel Princess Blitz
  • Evren Ozguner of Old Moustache Gameworks about No70: Eye of Basir
  • Gustavo Rios about Enigma Prison
  • Oleh of 2ByteStudios about Mars Citizen
  • Thomas Truax from Vorpal Games
  • Martin Wright about a “new special needs game which has been developed in Unity”
  • Pirozhok on Life is Hard 
  • Christopher Redden on Warring States Tactics
  • Rolf Moren of Zordix AB
  • Nihad Gondžo of MAD SoftworksDavid Woo
  • David Percival of Codemasters
  • Bulkhead Interactive with a general query
  • Peter Armstrong of Encore Games
  • Kuba Trzebiński of Playway about Car Mechanic Simulator
  • Haikal Izzuddin of Prototype Studios
  • Thomas Kubena and Elliot Grassiano of Anuman Interactive

Not Exactly Vidya:

  • Ed French of GameSessions
  • Benjamin Villhauer from GameForge
  • Jan Newger from Google

A lot of these games have either been released already, since the email list is so old, or they’re still in development, like Mount and Blade II: Bannerlord. The other surprise inclusions were Capcom, who started leaving messages in February 2016 while Resident Evil 7 was still in development, and Microsoft asking about including Denuvo into a Halo Wars title a few days after Capcom, still in the month of February. Since RE7 has been cracked now, perhaps we’ll see a delay for some of these titles due to the leak, because there’s a lot of public pressure put on developers to not use Denuvo at all. Rebellion Interactive recently updated the Steam store page for Sniper Elite 4, and behold, it now includes a warning that the game uses Denuvo.

There are others that aren’t game related that are similarly interesting. Google, for example, was looking into using Denuvo to protect some of their application software, possibly as a means to lock down the ability for anyone to side-load an APK that has been cracked already. Mitsubishi Motors is also in the list of leaked e-mails, as is GameForge and GameSessions. There’s also a slew of taunts from internet users whenever a new game was cracked that had Denuvo DRM, notably Lords of the Fallen on 27 July 2015, with some of the groups responsible for the hacks taunting Denuvo to reset their day counter (a counter that was on their site that was basically ” [X] days since last hack”).

The contents of Denuvo’s site has, by now, been mirrored over a dozen times.

Aside from the e-mails, there were some other, more serious leaks that came out of this. One was the internet address and user-accessible port for Denuvo’s server which does online logging of game activations, and it’s possible that with hackers knowing the address and a bit more about the infrastructure, that they’ll try to target it. There was also a configuration file for Denuvo’s account on Amazon Web Services. Had that been left open in a similarly lackadaisical manner, I would instead be reporting today that all Denuvo games had been left unplayable because of a DDOS attack and Denuvo losing access to all of their servers and online backups. It was a risk to keep that information on an internet-facing server.

There is also a very ominous file nearly 500MB in size that looks to be software that Denuvo gives to developers to trial their service. The zipped folder was encrypted and protected – of ALL the things they could have chosen – by Securom. That was cracked within minutes, but the software itself is still under lockdown. It’s unlikely that this will help any of the groups that are in the business of cracking Denuvo’s software, but it’s interesting that this was left there in the first place. Along with this is an Android APK that might be sample code for how Denuvo’s software could protect Android apps.

Denuvo hasn’t publicly commented on the situation yet, but this is likely to blow over very quickly. Any information that hacker groups like CPY needed to get around Denuvo’s software is already in their hands, and none of this really helps them at this point. It gives a lot of ammunition to the anti-DRM league, however, and may lead to more boycotts of games that use it.

Source: NeoGAF, Reddit, TorrentFreak

More stuff like this: