
Warning - Rocket CAD User Privacy & Security Vulnerabilities

Rocket CAD / MDT Vulnerability and Privacy Warning:

The “RocketCAD” from Modern Solutions has been responsible for user privacy leaks, highly insecure API calls, and leaked Discord tokens.

I tried bringing these issues to the developers over a month ago to no avail. I’m hoping this can at least shed some more light on bad scripting and user privacy practices. I know a lot of communities around here use this program.

First off, their system has leaked over 900+ emails in a recent “billing” notice.

Their site’s API easily exposes your community’s private data as well. Here’s an image showing webhook private tokens being revealed in an HTTP POST:


Anyone can view your community’s webhook tokens and send anything they want to it.

Their in-game scripts from their GitHub also highlight multiple security vulnerabilities:

By using their FiveM scripts, you are installing an HTTP listener on your server that has no authentication checks. All API calls made from your server also lack any form of authentication or a unique/private API key/token.

While I cannot confirm this, I did come across this message earlier as well:

It’s important to not install insecure scripts on your game server and to follow at least some basic security practices. By leaving everything open, all communities using their service can easily be exploited, sent bogus data, have their private webhooks taken, etc.

I’m hoping that this can bring more public light to using better practices. Their exposed APIs need to be locked down, and they greatly need to improve FiveM script vulnerabilities and user privacy handling.
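The two failure modes the post describes (an HTTP listener that accepts data from anyone, and an API that echoes Discord webhook tokens back to callers) can be contrasted with a checked version in the small added example below. This is illustration code added here, not code from the post, from RocketCAD, or from FiveM's Lua API; the header name `x-cad-token`, the secret value, and the request/response types are constructed for the example.

```python
import hmac
import re
from dataclasses import dataclass, field

# Constructed shared secret for the example. In practice each community would
# generate its own (e.g. secrets.token_hex(32)) and configure it on both the
# game server and the backend, so a request without it proves nothing.
SERVER_SECRET = "hypothetical-per-community-secret-do-not-reuse"


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (constructed type)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed type)."""
    status: int
    body: str


def authorize(req, secret=SERVER_SECRET):
    """Return True only if the request presents the expected shared secret.

    A missing header is rejected outright rather than treated as anonymous
    access, and hmac.compare_digest keeps the comparison constant-time so the
    secret cannot be recovered byte by byte from response timing.
    """
    headers = {k.lower(): v for k, v in req.headers.items()}
    presented = headers.get("x-cad-token", "")
    if not presented:
        return False
    return hmac.compare_digest(presented.encode(), secret.encode())


def handle_open(req):
    """The pattern the post warns about: every POST is accepted as-is."""
    return Response(200, "accepted: " + req.body.decode())


def handle_checked(req):
    """Same endpoint, but the caller must hold the community's secret."""
    if req.method != "POST":
        return Response(405, "method not allowed")
    if not authorize(req):
        return Response(401, "unauthorized")
    return Response(200, "accepted: " + req.body.decode())


# Discord webhook URLs have the form https://discord.com/api/webhooks/<id>/<token>;
# whoever holds the token can post to the channel, so it must never be echoed.
WEBHOOK_RE = re.compile(r"(https://discord\.com/api/webhooks/\d+/)[A-Za-z0-9_\-]+")


def redact_webhooks(text):
    """Strip the token segment from any webhook URL before it leaves the API."""
    return WEBHOOK_RE.sub(r"\1[REDACTED]", text)


def settings_response(settings):
    """Serialise a community's settings for an API reply with tokens removed."""
    return {k: redact_webhooks(str(v)) for k, v in settings.items()}


if __name__ == "__main__":
    # Constructed sample traffic.
    anon = Request("POST", "/api/units", {}, b"unit=12&status=10-8")
    good = Request("POST", "/api/units", {"X-CAD-Token": SERVER_SECRET}, b"unit=12&status=10-8")
    print(handle_open(anon).status, handle_checked(anon).status, handle_checked(good).status)
    print(settings_response({"webhook": "https://discord.com/api/webhooks/1234/abcDEF_-xyz"}))
```

The check is deliberately a single shared secret per community rather than anything elaborate: it is the minimum that turns "anyone on the internet can submit dispatch data" into "only the configured game server can", and it costs one header on each outbound call.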


Thanks for sharing!

Uhh, yeah that’s pretty scary sounding.

Wow! :hushed:

I will be sharing this around throughout my servers, I appreciate this information! This is the first time anyone has stood up to these guys!

Damn! Isn’t this the system used by the SA’F community?

Funny you say that, Mr. “overseer grabs IP addresses” when customers click on the overseer cad.
Don’t act brand new when your “stolen” community cad grabs IP addresses.