Why is the prefs.cs file in C:\Program Files (x86)\Steam\steamapps\common\metaldrift\


graingert
05-19-2011, 07:31 PM
Why is the prefs.cs file in C:\Program Files (x86)\Steam\steamapps\common\metaldrift\game\client

and not in %APPDATA%\BlackJacketStudios\MetalDrift\client

where it is supposed to be?

putting it in the steam common files is a bad idea

graingert
05-19-2011, 07:32 PM
oh nice it's got my password in there! In a publicly accessible place!
URGENT SECURITY ISSUE!

LikuidKrystal
05-19-2011, 08:00 PM
It's not publicly accessible, it's accessible only on your machine. So it's only a problem if someone else using your machine wants to steal your Metal Drift password. The worst they could do would be to play the game and level the game up for you ;)

graingert
05-19-2011, 08:59 PM
I play on public computers (my uni computer science department) often and because that value is stored in steamapps/common other user's settings overwrite those settings.

Having other people's settings overwrite your own gets annoying FAST! Especially in the environment of "l33t" hackers that compsci provides.

Surely moving the settings to app data (where Microsoft intended it to go) is A) Not too hard, and B) A good plan anyway?

You should also remember to use the environment variable %APPDATA% instead of a direct URI.

iKai
05-19-2011, 09:48 PM
I play on public computers (my uni computer science department) often and because that value is stored in steamapps/common other user's settings overwrite those settings.

Having other people's settings overwrite your own gets annoying FAST! Especially in the environment of "l33t" hackers that compsci provides.

Surely moving the settings to app data (where Microsoft intended it to go) is A) Not too hard, and B) A good plan anyway?

You should also remember to use the environment variable %APPDATA% instead of a direct URI.

1. You sound like a 5yr old, personally. Take that as you will.

2. If anyone wanted to hack, they would do so regardless of shortpath commands (%appdata% %temp% %userprofile% C:\Progra~1\ etc) or even if it were in C:\ProgramData, who cares. If you're worried about hackers, why are you suggesting only another directory path for the preferences file? That won't enhance security. Who cares where the directory is, anyone who wanted to hack you or something related to that game would find it regardless

If you play on a public computer, aren't you more worried about spyware being installed on it instead so on so forth?


Back to 1.

3. Create a quick cmd script and copy your set preferences file to your USB.

It's not hard to learn how to use copy/xcopy/robocopy/w.e within CMD to copy a preferences file to the steam common directory, pause the cmd command, launch the game, then continue the cmd command after exiting the game to then delete the preferences file (or if it continues to save more info that you need, then copy it back to USB again, then delete the file)

A script automates this too easily. You sound like you want to be IT, because clearly you aren't now. So make a script and do something yourself instead of being dependent on a third party (ie. the game devs in this case) and forget about what the preferences directory is because it won't stop anyone.

Then you'll just come back saying the pref file should be encrypted, yea alright, but then the devs have to work out how to throw it into their engine to decrypt and re-encrypt every launch/exit I'd assume.

freibooter
05-20-2011, 12:28 AM
I'm sorry, I don't really see how graingert "sound[s] like a 5yr old". I think he raised a very valid point.

Saving individual preferences and plain text passwords in the common folder is simply wrong and it does create usability and security issues!

I'm not going to suggest that especially your second point makes you sound like a toddler, but it does make you sound like you have no idea what you're talking about. On a properly secured multiuser system - common in most public places like universities and at work - users other than the admin do not have access to other users' personal directories. Storing personal config files outside of these designated personal directories is a security and usability issue (since it can be accessed and is read and/or overwritten by people that use different profiles). This should be addressed.

iKai
05-20-2011, 01:30 AM
It's an indie game for a hardly recognized multiplayer til today. If someone wanted a password, they'd get it regardless of where a file is placed or where the password/id is placed.

freibooter
05-20-2011, 07:31 AM
It's an indie game for a hardly recognized multiplayer til today. If someone wanted a password, they'd get it regardless of where a file is placed or where the password/id is placed.
What's your point? It's not a security issue because "stuff can always be hacked"? WTF?

Would you give me your Steam password if I asked for it nicely? Because, if I really wanted it, I could probably hack you anyways ...?

On a multiuser system the game gives everyone else access to the password of the previous user, on a silver platter, in plain text, if they want it or not.

And that's not a security issue ... because the game isn't popular?


And on a multiuser system the game uses and overwrites other users preferences for the same reason, that's not a usability problem because ...?

graingert
05-20-2011, 08:13 AM
2. If anyone wanted to hack, they would do so regardless of shortpath commands (%appdata% %temp% %userprofile% C:\Progra~1\


Using the shortpath means that the path is not hard-coded to drive C:; the %appdata% directory might not be in the same place on each machine, and %appdata% changes if the application data directory is changed.


Then you'll just come back saying the pref file should be encrypted, yea alright, but then the devs have to work out how to throw it into their engine to decrypt and re-encrypt every launch/exit I'd assume.

If the file is in %appdata% I can use the operating system's encryption tools; if it is in steamapps common, encrypting it will make it unusable for other users of the game.


Back to 1.

3. Create a quick cmd script and copy your set preferences file to your USB.

It's not hard to learn how to use copy/xcopy/robocopy/w.e within CMD to copy a preferences file to the steam common directory, pause the cmd command, launch the game, then continue the cmd command after exiting the game to then delete the preferences file (or if it continues to save more info that you need, then copy it back to USB again, then delete the file)

A script automates this too easily. You sound like you want to be IT, because clearly you aren't now. So make a script and do something yourself instead of being dependant on a third party (ie. the game devs in this case) and forget about what the preferences directory is because it won't stop anyone.


This is way too complex for what would be a <1 line fix for the devs.
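As an added illustration of the two points graingert makes here (resolve the per-user directory from the %APPDATA% environment variable rather than a hard-coded path, and keep credentials out of the shared steamapps/common folder), the following Python check is not from the game, the developers or this thread; the `$pref::` file format, the sample values and all paths are constructed assumptions:

```python
import os
import re

# Constructed sample prefs file in an assumed '$pref::Key = "value";' style
# (an assumption for illustration; not copied from the game).
SAMPLE_PREFS = """\
$pref::Client::Username = "player1";
$pref::Client::Password = "s3cretpass";
$pref::Video::Resolution = "1920 1080";
"""

# Pref keys whose names suggest a stored credential.
SECRET_KEY_RE = re.compile(
    r'^\s*(\$pref::[^\s=]*(?:password|passwd|token|secret)[^\s=]*)\s*=\s*"([^"]*)"',
    re.IGNORECASE | re.MULTILINE,
)

# Path fragments that mark a shared, all-users install location.
SHARED_MARKERS = ("steamapps/common", "program files")

def per_user_config_dir(app_name, env=None):
    """Resolve a per-user config directory from environment variables,
    never from a hard-coded drive letter or install path."""
    env = os.environ if env is None else env
    base = env.get("APPDATA")  # Windows: roaming profile, one per user
    if not base:  # non-Windows fallback: XDG config dir or ~/.config
        base = env.get("XDG_CONFIG_HOME") or os.path.join(env.get("HOME", "~"), ".config")
    return os.path.join(base, app_name)

def in_shared_install_dir(path_str):
    """True if the path points into a directory shared by all local users."""
    p = path_str.replace("\\", "/").lower()
    return any(marker in p for marker in SHARED_MARKERS)

def find_plaintext_secrets(prefs_text):
    """Return the names of pref keys that hold credential-looking values."""
    return [m.group(1) for m in SECRET_KEY_RE.finditer(prefs_text) if m.group(2)]

def audit_prefs(path_str, prefs_text):
    """Combine both checks into a list of findings for one prefs file."""
    findings = []
    if in_shared_install_dir(path_str):
        findings.append("prefs file is in a shared install dir: per-user settings collide")
        for key in find_plaintext_secrets(prefs_text):
            findings.append("plaintext credential %s is readable by every local user" % key)
    return findings
```

Running `audit_prefs` on the thread's install path versus a path under %APPDATA% shows why the location, not just the file contents, decides who can read it.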

Sybuur
05-20-2011, 09:08 AM
I agree the path for individual preferences should be kept in the personal profile areas. Devs: When will this change?

As for iKai suggesting workarounds, they are not warranted here. Hacking aside, a profile is already a secure area to block other users on the same system. Simply, the developers need to learn & write more appropriate code for the platform they developed on.

I would like to know if any developers read these posts and if there will be a fix. I hope so because I'm upset that there is no mention of a separate required login on the Store Page and for that I'd like to return it before even playing it. Not signing up for every service that is presented in front of me helps keep those hackers away.

iKai
05-20-2011, 10:05 AM
If the file is in %appdata% I can use the operating systems' encryption tools, if it is in steamapps common, encrypting it will make it unusable for other users of the game.

Makes sense. Sure the devs didn't know this either. I also assumed from the start you were using a one login based computer.

Although next I feel I'll hear you complaining that anyone could uninstall the game since it's a "public computer".

I still stand by the spyware issue on public computers regardless of where the file/etc is.

Devs didn't consider public computers, I wouldn't either.

dNide
05-20-2011, 10:06 AM
It's not publicly accessible, it's accessible only on your machine. So it's only a problem if someone else using your machine wants to steal your Metal Drift password. The worst they could do would be to play the game and level the game up for you ;)


Wow, that's the answer from a company representative? No appreciation towards the user who pointed out this security flaw? There is a reason more and more software (i.e. Chrome, Dropbox, etc.) choose to use the %AppData% path rather than a locally accessible area of the disk. They don't want to assume the user's security policies, but respect them instead.

I would like to think that most developers would take their user base's security more seriously than that. This is what got Sony into trouble and this is one of the reasons the Mac OS gets praise while Windows keeps hitting a wall of criticism over and over again. You give devs too much control, then you will run into such issues.

I was ready to purchase this game and went to the forums to check out what others were saying about it, but this particular post doesn't make me feel good about contributing to this company.

LikuidKrystal
05-20-2011, 10:52 AM
Guys, there is no security issue here. If someone gets your password the only thing they can do is login and play as you. That's it - they can't change your account settings, change your password, get your email or anything else. If someone does get your password, then you can get a new one sent to your email in a few seconds.

It's not even remotely like the Sony situation. The password just reserves your handle so we can keep track of your stats. Once you are registered, nobody can take your handle/nick, even if they get your password. Literally all they can do is play as your handle until you reset the password.

I'm more concerned with supporting multiple settings for multi-user machines than I am with protecting the password, so I'll give it some consideration in the next patch. Thanks for the feedback.

graingert
05-20-2011, 04:45 PM
It seems negative EXP is possible at the moment and as such people can use your account and lower your score

dNide
05-20-2011, 05:10 PM
Literally all they can do is play as your handle until you reset the password.

This is what I mean by short sighted and what is wrong with developers today.

What if a user, and I'm sure there are many of these users, happens to use the same password for this as they do for Steam, gMail, eBay, PayPal, etc.

The indie developers of Altitude (http://store.steampowered.com/app/41300), as an example, happen to do this properly and still can track stats and reserve nicks without compromising security of the end user.

You may want to inform users that their password isn't stored in a secure manner and that the user should make sure that their password is unique.

graingert
05-20-2011, 05:42 PM
This is what I mean by short sighted and what is wrong with developers today.

What if a user, and I'm sure there are many of these users, happens to use the same password for this as they do for Steam, gMail, eBay, PayPal, etc.

The indie developers of Altitude (http://store.steampowered.com/app/41300), as an example, happen to do this properly and still can track stats and reserve nicks without compromising security of the end user.

You may want to inform users that their password isn't stored in a secure manner and that the user should make sure that their password is unique.

I don't believe you can set a custom password, I have not found a change password feature yet

LikuidKrystal
05-20-2011, 07:55 PM
It seems negative EXP is possible at the moment and as such people can use your account and lower your score

That was fixed as of today, was able to patch the back-end servers so at least your EXP won't be rolled back. Still looking into the game server negative exp issue.

LikuidKrystal
05-20-2011, 07:56 PM
I don't believe you can set a custom password, I have not found a change password feature yet

This is correct, the passwords are generated randomly by our server, so password re-use is not an issue here. If there was any possibility that there was an exploit, then I would have at least encrypted it in the prefs file. Think of it as a key to your stats rather than a traditional password.

Sybuur
05-20-2011, 10:28 PM
It's not even remotely like the Sony situation. The password just reserves your handle so we can keep track of your stats. Once you are registered, nobody can take your handle/nick, even if they get your password. Literally all they can do is play as your handle until you reset the password.

If you are the/a dev why did you require a login but not post it as a requirement on the Store Page? I feel games that trick customers like this build a negative image for the developing company. Can you remove this ability for a single player kind of mode or tap into Steam's capabilities to bypass the requirement to generate a login?

I personally am tired of managing every "identity" of me out there on the Internet. So I've moved into something larger, Steam, that can handle/manage all of that hassle, but I'm disappointed every now and again when I run across a game on Steam that makes me create a login. Do you think you can tap into Steam capabilities, offer a guest account, or remove the user account creation altogether?

My vote for many reasons is to individualize the user experience by storing all game files in the user's profile area. I personally like %HOMESHARE%\My Games\[<company Name>\]<Game Name>. It makes it easier for the user to change machines, which is the case that I fall into. Please seriously consider updating the code. Option #2 would be to put it into Steam's Cloud, but I urge you to make sure there is a backup we can revert to because other games have had problems.

LikuidKrystal
05-21-2011, 11:42 AM
The reason that there is a separate "login" in Metal Drift is so that we can release the game on other platforms such as Direct2Drive. It was the only way that we could do it and still have players from different platforms be able to play each other.

Sorry for the inconvenience there, we tried to make the registration process as smooth as possible by only asking for an email address.

graingert
05-23-2011, 04:14 PM
The reason that there is a separate "login" in Metal Drift is so that we can release the game on other platforms such as Direct2Drive. It was the only way that we could do it and still have players from different platforms be able to play each other.

Sorry for the inconvenience there, we tried to make the registration process as smooth as possible by only asking for an email address.

This thread has gone off topic a little.

graingert
05-25-2011, 06:33 AM
My vote for many reasons is to individualize the user experience by storing all game files in the user's profile area. I personally like %HOMESHARE%\My Games\[<company Name>\]<Game Name>. It makes it easier for the user to change machines, which is the case that I fall into. Please seriously consider updating the code. Option #2 would be to put it into Steam's Cloud, but I urge you to make sure there is a backup we can revert to because other games have had problems.

it's %USERPROFILE% and not homeshare. and yes %USERPROFILE%\My Games\com\metaldrift\saves\ should be the save data - but not config data. that is %APPDATA%

DrakenLord
07-07-2011, 12:41 PM
I would like to add something.

A lot of people use the same password everywhere. For example I have the same password for all my games... if someone gets my pass from this game, they can steal my starcraft account for example and a bunch of others, which are important to me.

I understand the person has to use my machine, but I suggest you fix this problem because some people can get some nasty surprises. I have a single password for gaming, some people have a single password for everything... imagine if someone's email gets hacked and stolen because of this; through email they can in turn hack hosting accounts, bank accounts, and all the info that is sitting in the usual email archive.

LikuidKrystal
07-07-2011, 12:54 PM
I would like to add something.

A lot of people use the same password everywhere. For example I have the same password for all my games... if someone gets my pass from this game, they can steal my starcraft account for example and a bunch of others, which are important to me.

I understand the person has to use my machine, but I suggest you fix this problem because some people can get some nasty surprises. I have a single password for gaming, some people have a single password for everything... imagine if someone's email gets hacked and stolen because of this; through email they can in turn hack hosting accounts, bank accounts, and all the info that is sitting in the usual email archive.

*sigh* Again, that's not an issue here as the game assigns you a password; you cannot set your own.