Encrypted avatar ID or disallow downloads from api.vrchat.cloud to prevent avatar theft
complete
Zinnia
At this point, it is rather ridiculous how easy it is to steal someone's avatars. If you can get someone's avatar ID, which you can easily do through a variety of ways be it through the API or just looking through logs, you can easily download their avatar prefab through the api.vrchat.cloud site which will give you a VRCA. Usually these would be pretty difficult to unpack, but people nowadays have methods of easily unpacking these which give the person the avatar prefab file that they can easily re-upload through Unity under their account with little to no work needed to fix the avatar as it uses your avatar's prefab that is made when you upload to the servers.
Honestly, would it be that difficult to either disallow unauthorized downloads of avatar files through the site or just encrypt avatar IDs to prevent theft?
Fax
complete
gonsodany
What I'm proposing is adding a feature to the SDK and game itself that, when uploading an avatar (on avatar processing), adds some kind of metadata or hash or information of some kind that links the vrca file being created when processing the avatar to the account uploading it. Then either add an authentication step to the uploading process that checks if the vrca being uploaded already has this information and is already linked to a different VRChat account, and if it is, blocks that vrca from being reuploaded to a different account than it was originally uploaded to, or make the avatar not load in game if it reads the avatar file and the information and sees that the uploader of that avatar doesn't match the "original uploader" (the account in the vrca data).
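The upload-time and load-time checks proposed in the comment above, sketched as an added Python example; it is not part of the original thread and not VRChat's code. `ProvenanceRegistry`, `SERVER_KEY` and the account ids are hypothetical, and the sketch assumes the service records the link server-side, keyed by the bundle's SHA-256, rather than trusting metadata stored inside the file.

```python
import hashlib
import hmac

# Assumption: a secret held only by the upload service (constructed demo value).
SERVER_KEY = b"constructed-demo-key"


class ProvenanceRegistry:
    """Hypothetical server-side record of which account first uploaded a bundle."""

    def __init__(self, key: bytes):
        self._key = key
        self._first_uploader = {}  # sha256 hex digest of bundle -> account id

    def _tag(self, digest: str, account: str) -> str:
        # HMAC binds (bundle digest, account); only the key holder can mint it.
        msg = f"{digest}:{account}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def register(self, bundle: bytes, account: str):
        """Upload-time check. Returns (accepted, tag_or_reason)."""
        digest = hashlib.sha256(bundle).hexdigest()
        owner = self._first_uploader.setdefault(digest, account)
        if owner != account:
            return False, "bundle already linked to another account"
        return True, self._tag(digest, account)

    def verify(self, bundle: bytes, account: str, tag: str) -> bool:
        """Load-time check: does the tag bind this exact bundle to this account?"""
        digest = hashlib.sha256(bundle).hexdigest()
        return hmac.compare_digest(self._tag(digest, account), tag)


def demo():
    reg = ProvenanceRegistry(SERVER_KEY)
    bundle = b"constructed sample bytes standing in for a .vrca file"
    ok_owner, tag = reg.register(bundle, "usr_alice")   # first upload
    ok_other, _ = reg.register(bundle, "usr_bob")       # same bytes, other account
    ok_again, _ = reg.register(bundle, "usr_alice")     # owner updating their avatar
    return (ok_owner, ok_other, ok_again,
            reg.verify(bundle, "usr_alice", tag),
            reg.verify(bundle, "usr_bob", tag))
```

A digest match only recognises byte-identical files, so this covers the direct re-upload case the comment describes; recognising a bundle rebuilt from an unpacked project would need content-level fingerprinting on top.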
~Megu~
3 years ago, still no fixing
GlitchyBeta
I suggest AES encryption of avatar files on upload. AES has no known vulnerability at the moment if the attacker doesn't know the key. Ripping from the API would be useless since all the files would be encrypted. That wouldn't prevent GPU ripping, but at the very least the attacker wouldn't get access to unencrypted and easily uncompressed vrca files.
xxx_red_xxx
But I've used api.vrchat.cloud to recover some of my avatars after a hard drive failure. What am I supposed to do if that happens again?
Also I have a feeling that URL is used by the game to download the avatars ingame so blocking that URL would break avatar loading completely.
Aizlluna
xxx_red_xxx: I mean how it could work is it only lets you download the file if you're the owner of the Avatar ID. Which could be done by requiring a log in
xxx_red_xxx
Aizlluna: That would be acceptable
Zarniwoop
Aizlluna: How would anyone else ingame see your avatar if only the owner of the AvatarID can download the files? That's how the game client views other people's avatars.
The solution would have to be more involved than that.
Blubbll
Zarniwoop: cloudrendering all the games content could work
Zarniwoop
Blubbll: Got any examples of games or apps that uses that tech to protect themselves from asset ripping?
Also from what I can tell, it's a render engine. Not a game engine?
Blubbll
Zarniwoop: I meant if the game would run in a VM on a server and only the visual data would be sent to the client, it would solve this problem. So kinda like those fancy cloudgaming providers have clients of.
GotoFinal
Blubbll: sure but that costs a fortune to run and is unusable for anyone not living close to datacenter. (and probably 100% unusable for VR unless you plug directly into a datacenter, as latency would be horrible for VR)
Blubbll
GotoFinal: yeah no, I don't think there would be another way, as everything clientside can be sniffed if you try hard enough. Maybe Starlink will help in the future idk
Michael18751
xxx_red_xxx: Back up your files.
xxx_red_xxx
Michael18751: to what? My other nonexistent hard drive?
Zarniwoop
xxx_red_xxx: OneDrive, Dropbox, OpenDrive, IDrive or any of the numerous online backup services that exist.
Or just buy a drive or a USB stick, that's plenty for storing avatars on.
xxx_red_xxx
Zarniwoop: my unity project was 30+ GB in size when the failure occurred. I'm too cheap to get an extra hard drive. I would have to make 3 or more accounts and somehow split the project data between them cause most online services only offer 10gb.
GotoFinal
xxx_red_xxx: then no one should care if you lose your data. You can also use backblaze for 6$/mo, then you have unlimited backup space for single PC with 30 days of file history
xxx_red_xxx
GotoFinal: 6$/mo < free
GotoFinal
xxx_red_xxx: then don't complain about losing data and not being able to recover it
xxx_red_xxx
GotoFinal: but I'm not losing data, google drive and 3 accounts can hold my entire project, it's just inconvenient to deal with.
Torinyaaa
Zarniwoop: it will be a lot different amount of work to restore and set up a GPU rip, than just unpack a ready to use package.
GotoFinal
> Honestly, would it be that difficult to either disallow unauthorized downloads of avatar files through the site or just encrypt avatar IDs to prevent theft?
How many platforms/games do you know that are protected from ripping content? Currently the only way for games is to stream them, like Google Stadia or GeForce Now, if you would only be able to play the game via it. (and some other theoretical ways that so far are not fast enough to be used)
They could only make it harder, but will it be really worth it? For sure it won't be free, like slower avatar loading, bigger download size, additional delays when doing certain actions. And at the end it takes one person to create a tool that will break this and allow for ripping again.
It will be as effective as using il2cpp to stop clients, yea, few of them disappeared for 2 weeks and then appeared again.
And because all content is user generated it's an even bigger issue, as they would need to spend a lot of money for additional servers to apply these protections to avatars. Unless it would be done by the SDK, but then it would be even easier to learn how it works. + would require them to support different avatar formats forever.
So maybe in 10-20 years where maybe there will be better way to do this.
Quinix
GotoFinal: Why even breathe if you could die tomorrow anyways right? Why use space suits if long term exposure gets you radiated anyways. The answer is simple; same reason we live. Suggesting to just give up on it because workarounds are made anyways soon after is NOT a solution to any issue. And in my personal view, making anything harder, will make an impact. Even if it is small, that's how battles are won.
Kush Meyer
Quinix: The problem here is that it's making huge inconveniences to the user experience just to slow down rippers for a couple months. It's tons of time, money, effort, and player goodwill down the drain for nothing.
Most people don't give a shit that avatars are easily ripped since most people don't upload avatars. All this would do is make people complain about the game getting worse.
Quinix
Kush Meyer: A proper game/platform ALWAYS has a team of professionals to deal with security. That's the responsibility of VRC. One they have not taken seriously in the slightest, even if they claim they do, as clients are still a thing. And this is something that could lead to their downfall one day. In other words, if they have the time and money to make UDON and such a thing, they have time and money to do a security patch every x amount of months. User experience would NOT change whatsoever, I don't know where you got that idea from? A security patch on your PC doesn't change anything either besides making the PC more secure or am I wrong?
And now to get to your oddly one sided idea of people not uploading most of the time anyways: Where do you think their cloned avatars come from? Creators are what makes this platform grow. And without them, I suppose you could enjoy the default avatars VRC supplies, and the home world/vrc hub as your home world and chill place. Ripping is a serious matter, and all of the people I know that had their content ripped, either took it down or eventually stopped making public things altogether. If that is a future you prefer, then agree all you want. In the end the creators get nothing but their hard work and time stolen, even if the content is not made from scratch, it's time they cannot ever get back, for an ungrateful community in return.
TL;DR: Don't assume your opinion to be fact, and don't put words in people's mouths. Creators are suffering from this, and VRC is lacking care about all of it. And that, in fact, is quite pathetic.
GotoFinal
Quinix: Do you have any experience programming? If they would secure avatars using some additional encryption and obfuscation it would slow down the code and add a lot of code they would need to now update, so each update to new unity version would be harder or any other larger changes. So avatars would load slower and updates will be slower.
And then after 2 days someone would crack this, and they would need to do this again, while still supporting old method for compatibility.
And after a year half of the game code would be old avatar decryption methods that would need to be maintained by someone.
As I don't see any other way to "protect" stuff than just making a more complicated format on upload and then decrypting it after downloading.
So unless you have some working idea that could actually help here without the issues described above... it's just pointless.
Quinix
GotoFinal: I have no clue how to respond to this as it is oversaturated and just wrong. I would like to see support for your claims, as this sounds as it's been made up entirely. Besides that it also takes away from the point that is being made. Avatar stealing is a serious issue, and there is a lack of care about it. It should not be resolved by the users, but prevented by the platform. If a dumb game like IMVU can do it, and Second Life is dang hard to rip from what I have heard from people I trust, then what's stopping VRC? And if I'm completely honest, I don't think there is a single creator out there that picks their content being nicked over an increase in loading times.
GotoFinal
Quinix: VRChat is way more open with content creation, allowing much more tools to be used, as you have access to a lot of unity components and tools. And this makes protecting stuff much harder and expensive. And also models are a lot bigger/heavier so harder/more expensive to do any operation on.
And no, these games can't do it. The only difference might be how many people are interested in this. I feel there is more tech people in vrchat because VR is still a new thing (and more young and toxic people) + many avatars are just pretty complicated and much more detailed, making them more interesting target. Like I would not want a second life avatar even if someone would give it to me for free, as most of them just looks like some random sims model. But you can find tools for ripping either from these games, or just general tools that don't care about game and just rip whatever is coming to GPU. (ofc then more data is lost)
> single creator out there that picks their content being nicked over an increase in loading times.
but players are, we already struggle with lags at loading time. And not sure if I can count as a creator if I only make models for myself, but yea, I don't care at all if it's protected, as ripping it will be possible anyways.
> I would like to see support for your claims, as this sounds as it's been made up entirely.
How? You would first need to understand how computer graphics work and how a game engine works. In short, simplified: the data at the end must go to the GPU, and Unity is a well-known engine that everyone interested in ripping already knows enough about to be able to find any data they need to recover the model. The only problematic parts are shaders, because Unity has its own shader system but finished uploaded models contain compiled versions for various graphics cards/drivers (depending on what they support). But it still can be ripped, just some additional data might be lost because the compilation process might remove all the things that are not necessary for a model to work. (like unused options of a shader, or settings are just inlined - not sure here how exactly it works and how much data is removed, as I'm just a programmer, never needed to care about these details)
But still such ripped model is usable.
Ofc you can ask if something like that could not be done for other parts of the avatar... but it already is, just due to the simplicity of mesh/texture it's harder to notice and much easier to either reverse or ignore. As all your avatar materials are usually also compressed, so people don't get your original 4k png 0 compression texture, but a compressed one according to your build process settings - so exactly how it looks in game. People are not ripping your full creation, just the parts you gave them.
So making this harder would only stop it for a few days, just like obfuscation of code and compiling to native did "stop" client users. For like 3 days.
xxx_red_xxx
GotoFinal: idk why anyone cares about people ripping avatars which were already ripped to begin with.
Torinyaaa
GotoFinal:
Well it's a nice mantra about the mythic possibility of ripping assets from any game.
Yes, any 3D application's assets can be ripped with a professional debugging tool. But at this point you are receiving a messed-up unusable asset that you need to fix a lot and restore most of the features. Literally you need to rebuild normal information, some UVs, restore the T-pose and reweight the character. Literally the asset will be just worse.
Actually right now VRCHAT just allows you to download a ready to use package, that can be unpacked and used by anyone without any skills, which makes really scary side databases that just allow you to download a ready to use avatar.
Making ripping a lot harder will just prevent MOST of the hackers from stealing, because they will need some actual knowledge and skills, and the model still will be worse than the original.
Actually this is a problem that touches original creators, no one needs a unique commissioned model that will be just "cloned" with a simple download
Torinyaaa
Kush Meyer: this minority of actual creators actually make the game attractive. If the game loses this audience that makes content, it will be a ruining event.
Ruukoto Presents
What's the point in preventing ripping of something that's ripped to begin with?
Asheru Swiftwind
Ruukoto Presents: Not everyone rips models out of other media, some of us make our own models and would like to see them a bit more protected.
kookster
sadly this isn't really fixable, if someone can view your avatar it means they can download it. Even if they came up with their own proprietary means for avatar files that would still eventually be reverse engineered and rippable.
angryuser
As soon as you go to any map you just download any model on the world, someone with advanced knowledge can decrypt those files and turn into .fbx... they should change this.
SAADHERO
angryuser: the less people who can do it the better true if its on ur vram and ram it can be stolen but making it hard is good idea
Torinyaaa
SAADHERO: yes it is. right now it is super easy to get a ready model. GPU\RAM ripping gives much worse results that need a lot of work, and due to imperfection of the process lots of original quality is lost
Anonymous Tim
This needs more attention