TLDR: RiiConnect24, a WiiConnect replacement service, is refusing to address its blatant, simple security issues, some since the start of the project, including issues that could expose personal information. Wii.guide is entirely authored by two developers of RC24, KcrPL and Larsenv; the guide is insistent on the use of RC24 to the point where they will not allow an alternate, non-competitive service to appear on the guide.
My name is TheMrIron2. I am a developer of Disconnect24, a new WiiConnect24 revival service founded in January focused on security and efficiency. I haven't been on GBAtemp much since I joined about 8 months ago, around the time of the Pokeacer incident. However, recent experiences with RiiConnect24 and wii.guide have made me come here to talk about them.
I joined RiiConnect24's Discord server around December 2016. I was mildly interested in the idea and there were one or two cool people, so I stuck around. I was gaining an interest in programming at the time. There was no real issue with anyone there, nor did I take an issue with RC24's code and workings. I became interested in working on RiiConnect24 after a while. I became friends with a developer at the time, Spotlight. I was banned once or twice for different, stupid reasons - one time, Larsen took it as a sign of hostility and banned me when I asked whether Pokeacer was a script kiddie, as I was told - but I returned. Skip forward to around August 2017, and a user called "fluffy" discovered that the developers had unprotected access to Wii Mail. Fluffy was banned for mentioning this in public. It was so easy to get that even fluffy got his hands on the mail. He later deleted it -and was subsequently unbanned - but it was actually never fully fixed.
Skip forward to the excitement of the Everybody Votes Channel release! Everyone was excited that EVC was being revived and was being worked on. But it was not ready. It worked, but it wasn't ready. Just a day before the release of Everybody Votes Channel, Spotlight and a user called Diema publicized an elementary issue with the system - as per most of the rest of the project, nothing was really verified. Spotlight tried to get Larsen and co. to remedy this but was ignored. Diema talked about it publicly, saying that a script kiddie could overflow the server, and Larsen reluctantly patched the issue shortly before release. But even after release, it wasn't ready - months afterwards, EVC was spammed with votes from a few users on computers. The servers didn't even check if it was a Wii sending the requests, so it accepted whatever vote was given. Needless to say, it was a landslide victory to one side.
If this wasn't enough to frustrate many people, there was a lot of discrimination - largely from developers, ironically. A member by the name of Seriel came out as transgender, and even after a few weeks Larsen was calling Seriel "he", even when people were using "she" or "her" or other female pronouns to refer to her he would (intentionally?) say "he" - this got so out of hand that Billy revoked Larsen's VPS access until he apologised to her and used the correct pronoun from that point on. Another member, MCNX, came out as transgender. She was in contact with Larsen in DMs one day, and Larsen said "We need more girls in the server tbh". MCNX replied "I'm a girl" - then Larsen replied, "BIOLOGICAL girls" - which he deleted later, and a small group almost wrote a whole "Damn Larsen" GBAtemp call-out post as a result of that and his sometimes questionable attitude.
After many disagreements, Spotlight decided to make his own WiiConnect24 service at the start of 2018, called Disconnect24. I was finally settling into some programming, and I joined the development team, hoping to make the "Disconnect24 Channel" - a hub for everything DC24-related with the ability to install it without any PC patching. As it says on their first blog post on the DC24 website, they did not want competition with RiiConnect24 and wanted a peaceful relationship:
You see, wii.guide is the biggest, most complete and up-to-date Wii hacking guide there is. It's the go-to resource for new Wii homebrewers and hackers. But there's one catch; it's written entirely by two RC24 members, KcrPL and Larsenv. One look at the website could tell you that it was written by RiiConnect24; it was suggested right from the homepage, and is one of the first things mentioned on the guide after successfully installing the Homebrew Channel. (This has since been partially rectified with "RiiConnect24 is optional" on the homepage)
I wanted to clean up some of the blatant bias on the guide, as well as make Disconnect24 an option. I didn't want to remove RC24 from the scene, but I wanted users to be able to choose between the developing, secure DC24 or the complete but insecure RC24. I made a pull request cleaning up a few pages and adding a basic Disconnect24 page. Larsen rejected the pull request because of a nitpick with the DNS I mentioned, then later told me in DMs that - surprise - he wasn't happy with Disconnect24's inclusion on the site. After about an hour of discussion he eventually allowed the pull request to go through with Disconnect24's page - it wasn't even mentioned or accessible from the homepage yet, it was a placeholder if anything, though I later found out that it was to make me "stop bitching" about the bias. I tried to talk to him about making it so that both RiiConnect24 and Disconnect24 are optional add-ons for your Wii experience, but his only response was "But I already accepted the pull request". He blocked me after a bit of this discussion as well as a conversation about rewriting the guide to be more user-friendly and allow both services to live in harmony. He talked to Spotlight about how I was bothering him:
Now, any large-scale callout needs proof.
Security has long been an issue with RiiConnect24. An issue that has been turned a blind eye to entirely. So to prove what an issue this is, I'm going to demonstrate, with one line of code, what you can do:
curl -X POST https://mtw.rc24.xyz/cgi-bin/receive.cgi --data-urlencode "passwd=passwords_are_ignored_by_rc24" --data-urlencode "mlid=w<16 digit friend code>" --data-urlencode "maxsize=1000000000000000000"
This line of code will allow you to access anyone's Mail inbox when you insert their friend code where <16 digit friend code> is. This isn't "not very secure" - this is outrageous, and it's about time attention has been shone on it. I hate to do it the hard way, but the easy way didn't work. In fact, this line of code has been pointed out to the team several times, but all they said was they would promise to add authentication later. This code still works, and authentication development has actually all but stopped since Pokeacer left the team.
You can find proof of what the guide is (or was, if reading at a later date) at the site itself - or if you want to see what it looked like before changes were made, or if you want to see my pull requests to change things, you can check Pull Requests and Commit History on the github repository.
Finally, Spotlight wrote his own blog post about RiiConnect in September 2017, and as a second source with screenshots of some of this information [ie. the discrimination] correlates with this post (and much more information that hasn't been expanded upon here) with what has been said here - you can find that here.
I didn't write this with the intention of one massive hate letter to the team. I do hope they can fix their act. Security holes can be fixed, and guides can be rewritten. But they need to pull themselves together, because if they continue to act as they do - well, they won't get away with it after this post, hopefully. I just hope this post has made people aware of the bare reality of the Wii scene's situation. Thanks for reading, and I'm sorry this is a bit of a long post, but I did my best to summarise about a year of this.
You need to be logged in to comment