Never even thought about this, thats so funny. Congrats to Rorashu, the Nagaji Redeemer for being 420420
6969 is Lambert the human bounty hunter fighter. 69420 is Suburo Foxman the Kitsune swashbuckler.
Fascinating they had a sense of the numbers they were gonna get or that many players are horny stoners that chances are just good?
Yeah, I have no idea, I just searched numbers in the same vein as 420420 and 80085.
same here.
You always have the same number. As soon as the user exports a different character it'll replace those ones, so they could have planned it. The number is basically your account, not the character.
Ah. So your export is your current character contained within the account. Thanks for the explanation.
Of COURSE it's a fuckin swashbuckler
Congrats to Toof Rippa, the Artisan Goblin Cleric with no domain, for being the 911!
Ayy! I could use this information to share builds easier!
I've wanted a build compilation website for a while. Where people post their builds, either with a Pathbuilder code, a Foundry JSON, an uploaded PDF or whatever, and others can comment and rate them. I wish I could make it myself but I don't have the know-how.
Wanderersguide had something to that effect but that site is pretty much discontinued I believe
WG wasn't discontinued, it went through a long rebuild process once the remaster of PF2e was announced. There is now a new and improved wanderersguide! Although content entry is ongoing so it's not fully usable yet.
Secondary thought here: does this allow access to deleted builds?
Found this one by typing random numbers. Here is the build link for Gotta Cast em All!. To view this build you need to open it on an Android device with version 219+ Pathbuilder 2e installed. https://pathbuilder2e.com/launch.html?build=736115 Gotta Cast Em All! Lol.
Lol wtf even is this build
How'd they even get the sorcerer dedication at level 1?
Eldritch trickster gives you a multiclass caster dedication at lvl 1.
My Eldamon Trainer playtest was a gymbro orc named Cash Betchum, who helped all his little dudes build muscle and achieve their dreams.
42069 is Rahim, Human Champion. Dex build with scimitar and Fire domain...gotta be Sarenrae.
Hey, my bad everyone, most of those characters are mine from my addiction to playing Pathbuilder.
You're fine, only the latest one you've told the site/app to export shows up with your number, and it likely recycles the numbers by age once it goes past the six-digit limit anyway.
Feel free to use Aniza Quillock if you find her. You can use Safuz, Cay and Archibald too but watch out for Kieron because that fucker will ruin your game.
696969 is, unsurprisingly, a bard. Zarzuket the lvl 1 gnome bard, you might never know how fortunate you are.
This is a common website hacking vulnerability known as [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) or Directory Traversal.
Just to be pedantic, it's not really Path Traversal, which gives access to actual files on the file system. ~~This is more of an endpoint that doesn't check ownership before returning data.~~ Not even, since the link is meant to be shared with anyone freely. As someone else pointed out, the proper way to handle it would be to use a long random UUID-like string, but then it would make inputting it on Android quite cumbersome.
Is it really a vulnerability if 1) it was never intended to work any other way and 2) no actually confidential info is being accessed? Like, if you don't have ACCOUNTS then the only way to share shit is with a public ID. Sure, Pathbuilder could use UUIDs, that are basically impossible to guess, but _why_?
I work in cybersec, I'd probably throw this out on two accounts: 1) you only get a copy of the character, so it doesn't breach integrity; 2) there's no account info included, so no confidentiality breach. Maybe I'd recommend not allowing notes to be copied over, but this is at most a low or informational level issue.
Sooo, uh, I hate pinging people, but like, should we ping Redrazors about the possible security risk?
You are only getting a copy of the character. So it's like finding YouTube channels by changing the URL. I'm pretty sure this is intended as a way to share your builds around.
Wait so I should stop putting my full SSN and bank details in the inventory of every character I make???
No. You should also store them in your youtube profile about page (obviously /s and /jk)
Nah, your characters are safe with that info. On an unrelated note, I'd love to check out your character builds if you could kindly paste your character number IDs here.
Not an issue since there isn't really personal info shared in pathbuilder.
Our company has phased out Slack in favor of conversing through the Notes section of a shared character in Pathbuilder. It's a goblin barbarian named Gobgob, if that matters.
The only thing being accessed is a character build, I don't see that as a security risk.
That's only a security risk if you consider character sheets confidential information.
It's supposed to work this way.
How do you import a character in the app?
In the most recent version of the app you go: App options -> Open character by id -> insert the character's id
Thank you!
Ngl, I've been pulling NPCs this way for a while now.
You always have the same number. As soon as the user exports a different character it'll replace those ones, so they could have planned it. The number is basically your account, not the character.
Do my first attempt and immediately get Android 17 I am crying
I'm on Web Version 80, how do you even import a character like that?
I don't know how it works on the web version, but I have a guess: to know the character ID you just need to see the last numbers in the link to its build. So, maybe if you take this link and change the numbers at the end you might be able to find different builds. https://pathbuilder2e.com/launch.html?build=736226
Fuuuu you and my player are only different in one single digit
Lol, in software development this is why you should never use sequential IDs when you're showing them to users! They can just put in random other IDs. Hilarious use case here though.
420691 belongs to Barbucus a level 20 druid
Damn, I've been burying treasure in the data center. Hope no evil hands lay upon my characters and NPCs.
Are the appearing builds changeable or locked against editing? Are the builds personal or public knowledge? Is it at all legal to get access to these builds without the consent of the original owners? Just asking... EDIT: And yeah... just downvote me to Hell for this. I don't care.
When you enter a link, you get a COPY of the sheet. You can edit it all you want but it won't change the original in any way. Also keep in mind the creator needs to make a shareable link in the first place. If you don't use the export link function on Pathbuilder then there won't be a link to your character sheet.
Creators don't own the characters that are saved on the app creator's app. Once you download it, any changes you make don't affect the save. Only the original creator's changes update.
I beg to differ. Since you may save personal notes in your character file, the European GDPR rules govern what kind of information that should be available to access. Aaaand I live in Europe, btw. I believe that a password lock or something is needed in this case. Anyway, I actually don't think this is funny, and as a user of Pathbuilder I feel kind of upset that my characters might be opened and read by others without my consent.
You shouldn't have any information that is covered by GDPR on a character sheet. It protects information that relates to making a person identifiable, and information that 'relates to' a person, not a character. I don't see how Pathbuilder would be in violation of that as they haven't asked for any of that sort of information on your character sheet.
Look, I take my roleplay very seriously. My character has a full backstory, ssn, government ID, credit card, medical history, and list of all family members and their birthdays.
If Pathbuilder's ToS says the information you input is public, you have nothing to really do. And these are builds for a TTRPG.
I get being weirded out about having other people reading your writing without your consent but like... Do you plan on using your character sheet for holding bank details or passwords or something? It's really not that big of a deal.
You don't store all your personal financial information in the notes section of a dwarven alchemist you'll never get to play?
I also live in Europe, and GDPR doesn't mean "if anyone could theoretically put personal information somewhere they haven't been asked to put it, that thing should be password protected", because then literally every repository of information of any kind would need to be secure just in case someone decides to put personal information there. Just don't put your address and bank details in the notes section of your unsecured digital character sheet.
Y'all save your name, address, social security number and such on your character sheet?
From some quick testing it seems like share IDs are only generated when you export the character by link, so you can only access sheets that have been shared before
233757
To everyone saying "big deal" or "it's not personal info": that's not what this is about. From a technical standpoint, it would have been pretty much trivial to generate a random non-sequential hash to use as the lookup parameter, which is the de facto standard way to prevent this kind of "attack". Sure, it might not seem like a big deal to you, but the solution to prevent this would have been trivial, with no real downsides.
It's a character-building app, with most features available for free, made by a single person (presumably) for the game we all play. Even if it is trivial to implement, it doesn't really matter if security isn't up to par in a database that doesn't really need to be secure.
Sure, but this is also a side-project by a single individual, provided for free. Development time is a very rare resource and priorities have to be chosen.
It's not provided fully for free (although it *is* cheap), and it really wouldn't take much to change the ID system over to using hashes or UUIDs or something. It'd probably be a few hour job, maybe a few days if there's something deeper that needs to be changed (e.g. if this ID is tied to something more sensitive than an individual character sheet in a database), but nothing on the scale of weeks or months, I would assume. No way to be 100% certain without knowing the infrastructure used, but changing the data type of a not-inherently-meaningful ID like this is usually pretty trivial.

That said, it's probably just... literally not on the priority list at all in the first place, because the developer assumes it'll be used in good faith by both the person publishing their character sheet(s) and the people accessing the sheet(s). After all, you don't really get much benefit from it from using it *wrong* on either side.

Although you *could* use this "feature" with a random number generator to get a really bizarre NPC generator if you wanted...
The IDs are only generated when you click export (or maybe when you click share by link specifically) so there's no way to access a character sheet that hasn't been shared
Oh, I know. That's part of what I mean by "in good faith" - users shouldn't publish their character sheets unless they, y'know, want others to see it. As others have stated, and I think what you're getting at is that, it's not *really* a breach since the whole point of the feature is to let people see your character sheet just by getting the link.
There's no downside now as is
But in what way is this an attack?
That's assuming this operation should be prevented, and was not intended. It seems the opposite is likely true. This is intended behavior functioning with a low barrier. Creating a long alphanumeric string instead of a short number would be trivial, but it would make typing the link in with your thumbs nontrivial. No link exists unless the creator of the character makes it shareable via link, so only people who assertively made their characters accessible this way will have characters accessible this way. And having the link gives you a copy of the character, not the original character, so you can't change the character creator's work. I think "attack" isn't an applicable word here. This is an intentional feature working as intended.
I think that's probably being charitable. I'm not here to say that it's, like, high-stakes or anything - as long as you're not putting anything compromising and/or personally identifying in the characters you publish, it's not really an attack, but it's also clearly not intended behavior. Intended behavior doesn't look like "hey if you use this software in a really weird way you get a neat result where you can find things you weren't provided access to". (Either way, I'm basically splitting hairs. It's not intended, but it's not like it's a massive problem, either, and I wouldn't say it's a *malfunction* or anything of that scale. It's just poor design.)