Update (Feb 26, 6:20am PST): Zwift’s CEO Eric Min just posted the following on the forum thread related to this topic:
I would like to personally issue an update on a situation that has escalated over the last 48 hours, concerning a ban imposed on a Zwift community member.
Having been brought up to speed, it is clear to me that this situation could have been better handled by both parties. The performance-increasing exploit was, until now, relatively unknown both within Zwift and outside, but this is no excuse for not having addressed it. The exploit is detectable, and we have the ability to look back and identify those who have used it. That said, our priority is not to look back, but to look forward, and fix this as a matter of priority in one of the upcoming game releases.
For this reason, we have taken the decision to lift the 30-Day shadow ban issued to Luciano. For clarity, a shadow ban does not prevent a Zwifter from using Zwift, they simply do not show to others.
Neither party had ill intent and I can only apologise to all involved, but in particular to Luciano himself. We have an obligation to the community to address exploits on the platform and will fix this particular exploit as a matter of priority.
It is important for us to uphold our terms of service as they exist to protect the enjoyment of the majority of Zwifters. Rather than share information on how to exploit a performance bug, we would always encourage members of the community to come forward to Zwift with performance exploits they find. The process on how to bring such issues to the attention of Zwift hasn’t always been clear, so in order to improve this, we plan to introduce a bug bounty program that will not only make it easier for Zwifters to highlight issues but will also reward them for doing so. We will need time to develop this program but will share information in due course.
Thanks,
Eric Min
Co-founder & CEO
We’ll talk more about this in coming posts, I’m sure. Especially the good news about the bounty program! But for now, I wanted to share that Luciano has been freed. 😊
This week a bit of a kerfuffle has arisen in the Zwift racing community. I feel it’s right to document the key parts of the story, at least from my perspective. I’ll finish with a few thoughts of my own.
The Story Begins
On Wednesday, February 16, Luciano (who writes the hilarious Lucianotes series here on Zwift Insider) contacted me via Facebook Messenger, asking for my thoughts on a potential Zwift racing exploit.
(I’m not going to detail the exploit here, but let’s just say it’s an easy exploit to execute, and it could massively affect race results.)
Neither of us thought the proposed exploit would even work. It was too easy, too obvious. But Luciano said he would test it the following day (I was traveling and unable to do any testing for a few days). We figured it would make for an interesting Zwift Insider post: “I tried to cheat in a race, but it didn’t work.”
The next day Luciano pinged me again:

He explained how he tested the exploit, and what the results were. Here’s my reply:

We put together a plan for Luciano to compose a Google doc containing details of how he tested and verified the exploit, then I would share that with ZwiftHQ to make sure the right eyes saw it, when I was back in the office. That was on Friday.
The following Tuesday, Luciano shared the basics of the exploit on a private team Discord server. It became apparent to him that other teams/racers already knew about the exploit, that ZADA had been informed of the exploit, and that Zwift had been told about the exploit years ago.
So on Wednesday, February 23, I woke up to the news that Luciano had published the exploit’s details on a free WordPress site he spun up for just that purpose. He then shared that post on the Zwift Racers Facebook group and Zwift’s forum. He tried to share it on WTRL’s Facebook page (because his main concern was that the TTT and ZRL were not affected) but that post was rejected because it promoted cheating.
And that’s when the %#&! hit the fan.
Shadowbanned
As the Zwift Racers and forum posts started blowing up, Luciano’s post was shared on Reddit.
Then a few hours later, things took a surprising turn. Zwift put Luciano’s profile into “Watopian in Review” mode.
Anyone who has read Luciano’s posts here on Zwift Insider knows he obsesses over Zwift racing – particularly the Thursday TTT. He and his Coalition team had planned a big TTT the next day, at WTRL’s TTT Worlds. He asked me, “May I race being Watopian in Review?” I didn’t know. But I had my doubts.
On the Zwift Racers Facebook thread, one rider posted #FreeLuciano when they heard his account was locked/banned. This hashtag would begin showing up everywhere, including the comments of Zwift Community Live’s Thursday TTT stream.
WTRL posted on their Facebook page, referencing Luciano’s post without actually naming him. They subsequently took the post down, but here it is:


I immediately reached out directly to Zwift via a private Slack channel to find out what was going on, because Luciano had received no communication from Zwift at this point. I was told that Luciano had received a 30-day shadowban due to his publishing/promoting a Zwift racing exploit.
What’s a shadowban, you ask? On Zwift, this basically means you can see others, but they can’t see you. You also don’t show up in race results. It’s a way of removing bad actors from the game experience, while still allowing those riders to use the game.
I explained to the Zwift folks I was chatting with that Luciano was a well-intentioned dude who only published the post because he knew other racers knew about it and Zwift had been told about it long ago, and nothing was being done. But they held the line – he had violated Zwift’s Terms of Service and the ban was justified. Specifically the cheater catch-all section 5.vii:
“Use our Platform other than for its intended purpose and in any manner that could interfere with, disrupt, negatively affect or inhibit other users from fully enjoying our Platform or that could damage, disable, overburden or impair the functioning of our Platform in any manner;”
It became clear that he wouldn’t be making that race. I pinged Eric Min via Facebook to make sure he knew about the issue, and to express my disappointment at Zwift’s handling of the situation.
Messages Fly
Luciano hadn’t received any notice from Zwift about his account being under review, so he reached out to support. That poor support chat host eventually forwarded Luciano to another team (I think it’s fair to say Luciano had turned into a “special case” at this point). Eventually Luciano received a more complete email explaining his ban, and the need for him to take down his post:
Luciano sent this in reply:
Hi Nick,
Thanks for getting back to me. I was not aware of what a shadowban was.
Could you please refer me to which articles of the TOS I have specifically violated, so I get the context and do not repeat the mistake in case I eventually decide to remain a Zwifter?
As you point generically to the terms of service but to no point in particular, I see nothing on performance metrics nor on reporting functional issues. I am not exposing anything relating to the code (I have no such technical capacity) nor any vulnerability of the platform… just a functional issue. An easy and obvious functional issue that you and many others already knew about, and which has not prevented you from running races and competitions without any problem.
That publicly mentioning functional issues is sanctionable with any type of ban is news to me, and I don’t see it mentioned anywhere. The same goes for the fact that such situations should be exclusively reported through a support ticket.
I would also be grateful if you could let me know where I can find the different sanctions or bans applicable to Zwifters, as associating the notion of customer with that of sanction is rather illogical from my perspective.
Performance wise I don’t see how I can be considered to have benefitted in any aspect. The test was done during an Individual Time Trial, with no draft, therefore no influence on the race, and I made sure I would not be eligible to any Zwiftpower points as I explain very clearly in the video.
On the second point. The cheat was reported on many occasions to Zwift, including to ZADA and many users, and also through tickets, as many other Zwifters have now reported to me. WTRL’s Facebook post (https://www.facebook.com/WTRLracing/posts/1133810887356502) acknowledges this has been a well-known cheat for two years, so I don’t understand at all how my post has any impact on the capacity to cheat. It is surprising that you define it as a guide to cheating while at the same time you acknowledge it has been there for years, and is still publicly written up in the Zwiftpower forums.
If anything, I feel Zwift has ignored the previous reports and failed to ensure the basic functionalities in order to try to prevent such an easy cheat that it had known for a long time.
I want just to show how ridiculous the situation is.
Anyhow, I am really surprised about the way all this is handled. I think I have been a very active member of the community and the platform for almost two years now, encouraging many people to join, providing a lot of support to different clubs and teams and even writing tons of articles on how fun Zwift is both in Zwift Insider, on Facebook etc…
Today was an eye-opener of the very little that you care about your users overall, and obviously a breach of trust and faith as an until now delighted customer.
There are other alternatives to Zwift in the market, that I like way less than Zwift I am not going to lie, but are good enough so I don’t have to be compromising on basic things as feeling valued as a customer and as a human being.
Obviously, at this point in time, I don’t see any possibility that I delete the wordpress post. I will just voice my opinion on this topic with the same intensity that I have been promoting Zwift until now. I will see in a month from now where I stand and I understand you will make the decisions suiting the best Zwift corporation interests.
No worries, I am not going to refer to an overutilized freedom of speech concept that has nothing to do here. It is just a matter of personal ethics. I would like to be able to finish by saying Ride On… but that ship has passed.
Have a great day.
Luciano
Disappearing Posts, Re-Appearing Issue
Then the posts started disappearing. The Zwift Racers topic went away. The Zwift forum topic disappeared. And WTRL took down their thread as well. (These post removals weren’t a surprise, as Zwift has never allowed discussion of specific cheating/exploits in their forums or Facebook groups.)
But the Zwift community had caught wind of what was happening, and James Eastwood, ever the stalwart advocate for fair Zwift racing, created a Zwift forum post which didn’t detail the exploit, but asked Zwift to let the community know the status of a fix. See that post here >
The initial posts had been removed, but the Zwift community was sharing the perceived injustice of Luciano’s shadowban to the world. Mass media reporters began contacting Luciano about the situation, the Reddit thread was alive and well, and James’ Zwift forum post took on a life of its own with hundreds of replies and several posters (including James Eastwood himself, as well as Zwiftalizer’s Mike Hanney) posting that they were pausing their Zwift accounts to protest Zwift’s handling of the situation.
Thursday morning Luciano unpublished his post and wrote to tell Zwift support he’d taken it down. And Zwift finally replied to James’ forum thread with their point of view:

Friday morning road.cc published a post about the situation.
Luciano tells me that as time goes on, he’s hearing from more and more Zwifters who have seen this exploit used in races. Including one very prominent race organizer who reported the issue to Zwift four years ago.
And that brings us to where we are right now.
My Thoughts
Here’s what I posted in the Zwift forum thread on this topic. I think it explains how I feel about this ugly and avoidable situation:
Just to go on record here, since my reply in Zwift Racers was deleted with the rest of the thread…
First, let me say this: I think Luciano could have handled this better by reaching out to Zwift with the issue, perhaps even telling them he would take it public on X date even if it wasn’t fixed because he was concerned that it’s actively being used by cheaters. Then if Zwift didn’t respond, he would have a stronger case for publicly posting the hack.
So I’d say he jumped the gun a bit. Which is hard to fault him for, when he had multiple people telling him Zwift already knew about the exploit, and race teams knew about it too. That’s hard information for a rabid Zwift racer to just sit on.
Since Luciano went against Zwift’s ToS, Zwift has the “legal” standing to shadowban him or do whatever they’d like with his account. They’re within their rights to do so. But that doesn’t make it the BEST decision on their part, and I’ve tried to communicate this to ZHQ via private channels in no uncertain terms.
I would have loved to see Zwift take this approach with Luciano’s WordPress post:
“Hi Luciano,
We just saw your post about the Companion exploit. While we don’t like seeing Zwift exploits shared publicly, we know by the content of your post that you did it in order to clearly demonstrate the hack to us and get our attention so it would be fixed. It worked!
Since your post demonstrates how to cheat in Zwift races, we’ve taken what we hope is a temporary disciplinary measure and shadowbanned your account, which is our standard practice in these cases. We request that you take the post down immediately so more Zwifters don’t learn about the exploit. Once you do so, we will reinstate your account.
On our side, this exploit has been moved near the top of the list of bug fixes. We anticipate at least a temporary fix rolling out in the month of March.
Ride On”
Some of you are bugging me to do a Zwift Insider post about this topic. I’m still not sure what that’s going to look like, but I’ve been in near-constant contact with Luciano during all of this. We’ve joked about how many parts this series of posts is going to have, as the saga continues way past what Luciano foresaw. All that to say, I’m sure this will be talked about on ZI… I just can’t promise exactly when and how.
In the end I, like many of you, wish Zwift had handled this differently – in a way that showed they value Luciano as a person. He may have jumped the gun, but Zwift could have easily taken the high road and come out of this sparkling clean. Now it’s just sort of… ugly all around. And that bums me out. Heck, I got my Zwift Insider kit in game finally this week, and I haven’t even ridden with it yet because I’ve had a bad taste in my mouth for two days.
I’m not leaving Zwift like some of you. I’m just annoyed to see this script playing out again. I hope Zwift learns from this and does better next time.
Whew… that was cathartic.
Ride on, my friends.
Wrapping It Up
What began as Luciano’s attempt to reveal a game exploit has turned into a story about how Zwift handled Luciano’s revealing of the exploit. But it didn’t need to turn out like this.
I’m sure this isn’t the last we’ll write about #FreeLuciano… or about the exploit in question. But I think it’s enough for today. My hope is that this post does a good job of telling the story fairly and truthfully up to this point, while also sharing my position on how things unfolded.
And I hope ZwiftHQ can take a step back, look at how this situation spiraled, change their processes to avoid it happening again… and #FreeLuciano.
Your Comments
I’m sure some of you will have thoughts on this topic. Feel free to share below, but keep it civil. Thanks for reading!
Interesting that this gets so much publicity and Julia’s ban virtually none….
Julia’s ban? What ban?
Julia Schallau. She got banned for cheating in some Zwift races last year. Might’ve been using this exploit even.
That’s the thing though… she got banned for “questionably high values”; there was no proof of any wrongdoing… She even has tests done by the German Cycling Federation, on UCI WC race equipment, that proved her values on Zwift.
Pretty much that ban was “we don’t think a woman is capable of 6.0 w/kg”.
Julia’s numbers have been discussed to death in a private discussion group. Her outdoor power numbers match her indoor ones, but her outdoor times do not. She therefore must be the least aero person imaginable on flat roads and also has a 30kg bike on climbs. Also yes, the fastest women in the world across all endurance disciplines seem to be about ~12% slower than the fastest men. So a woman doing 6.0w/kg is similar to a man doing >6.7w/kg. Furthermore, not only did her power increase by 35% in less than a year, but she achieved her personal record… Read more »
The stupid thing about her case was, if she hadn’t fought the initial violation, no one would have looked back and noticed all the other problems. She would have lost the results of one race and everyone would have moved on. Instead, she got herself a ban and infamy.
A local rider reports 5.1-5.2wkg for 20m efforts in Zwift races and outside. His improvements are similar, both this and last year, improving >30% in 3 months. And yet when he’s pitted against well known local riders outdoors he comes up quite short. His 400W is easily matched by a rider putting out 260-270W with a 10kg reported weight difference, despite the lower powered rider being on the side of cross wind (this was a ride the two did together). His supposed 20m power of 390W indoors/400W+ outdoors got him a 3 minute slower time in a local 25km TT… Read more »
No, it’s fully documented on Beastmodes’s Insta page. Julia has the full backing of the German cycling authorities.
https://content-cdn.zwift.com/uploads/2022/01/ZwiftPerformanceVerificationDecision-2022-01-Schallau-REDACTED.pdf
Fully documented on her team’s page, very independent they are too.
Schallau’s Strava has gone private recently. Perhaps she doesn’t want people correlating her real-life speeds vs reported power because they don’t make sense. So much for transparency.
It’s really, really simple. An independent party should observe her going all-out up a 30min climb. If a 30min climb is not available, even a 20min, 15min or 8min climb would provide some insight into her aerobic capabilities.
Her numbers are plausible with about 5-6kg more mass which would be close to the mass she used to start Zwifting with.
My guess is Julia isn’t clever enough to discover how to cheat alone…she’d been coached. All of these sanctions have been the result of cheating so poorly and obviously that Zwift has no alternative but to do something about it. Anyone who is remotely proficient with technology or familiar with athletic performance/metrics wouldn’t cheat to this extent. If you are on the cusp of being an “elite Zwifter,” then you only need to turn the knob up 5%, at most 10% to start winning nearly everything in sight. No one goes from 4.5w/kg to 6w/kg in the span of 8… Read more »
Tobin, stop please, there is and was never a cheat in use! This is just BS. It’s simple: she is just capable of doing way more watts while standing, and this is not a phenomenon that is new. Even I am able to replicate that on the rollers!!! She did a test with one of the most trusted cycling scientists here in Germany. If someone knows anything and sees a problem in the numbers, he would have told her. I have known him for 10 years now, and if he tells me she is doing these numbers I am fully on it.… Read more »
Supposedly cheating …
Julia Schallau Beastmode
Like the WTRL password debacle, this shows how much Zwift has to learn about Public Relations. For some reason they are completely tone deaf to how their response sounds in the real world. It’s like they’re living in a Matrix-like world where the rest of us are in game all the time. I don’t understand how these kinds of things happen with a company having a capital value over $1 billion. It is truly amazing.
Hope they finally see reason soon before this continues exploding in their face.
WTRL password debacle?
The gist of the issue was WTRL asking for the users’ Zwift password, which is against about any reasonable online security protocol, and the fallout afterwards with users getting banned and general BS on the part of ZHQ and WTRL. https://forums.zwift.com/t/wtrl-now-part-of-zwift/573651
The way it was handled from the beginning to the end is a textbook example of how not to address a public f*ckup. Never seen anything like it. Until this one…
Thanks for the reply. I appreciate you taking the time to write that up.
Thank you for posting this up Eric. Like your post in the FreeLuciano thread on the Zwift Forum, very well written and captures the essence of the issue very well and concisely.
#freeluciano
Zwift is blessed with an active, passionate and creative player base. Many of the best features in the game came from the community’s creativity. It’s sad that Zwift often squashes this rather than promoting it. To me it feels like Zwift is more worried about the customers it doesn’t have than the ones it does.
#freeme
😀 😀 😀
Hey! Want me to utter other than polite words about a certain virtual cycling company when I am in and riding around? I’m composing a list for just in case.
Luciano/Eric, I tested this this morning, but there is a way (programmatically) to trace this behaviour during an event. I don’t know if I should mention here how to, but you can trace it during a live event…
Through Zwiftpowerlive, yes.
That is perhaps possible, but also through a non public api
Dear Zwift,
Please ban the people who are actually exploiting this (or any) cheat in races and NOT talking about it, instead of the people who are trying to shine light on the dark, gloomy underworld that is ‘Zwift Cheating’
You are sending the message that PR and your public image is more important than the actual integrity of your game (it’s NOT).
Agree 100%
It’s not ugly all around. It’s ugly on Zwift
Nick L.
Hi Eric, Agree with your comments. In cyber security, when an exploit is detected: 1) Verify 2) Notify the product developer 3) Allow them to validate 4) Pay out the bug bounty 5) Publish a fix, and give the discoverer all due credit. If they do not react or address the situation in 30 days, you have every right to go public. Is this situation still salvageable for Zwift? Certainly… If Zwift were to say: “Yes, our ToS were violated, it was an honest mistake. Someone thought they were acting with the best intent and violated them.… Read more »
Zwift had already been notified of the bug for years through other means, though. Someone needed to go public or Zwift was never going to do anything.
Shuji’s closing forum post statement says it all for me “Longer-term we have a plan… And they wonder why we’re frustrated.
I’m disgusted, Zwift is clearly not listening to their customers. Also, the power Zwift has to just suspend accounts is not cool, I’m only a few bad experiences away from quitting.
What? Of course they have that power, it’s their platform. This is true for every platform ever. I’m sure Eric could IP-ban you, and you could circumvent that, just like you could circumvent a Zwift ban with a new account.
Someone has explained and showed an exploit on the ban! Shown to me how to gain back my actual account without the ban!!! But there are some advantages to be a Watopian in Review I am not sure I want to waive immediately 🙂
I’ve been one for a time or two, and the same Zwift staffer in charge of your ban wasn’t going to unban me even after 30 days (it ended up being around 50–60 after I asked why he wasn’t unbanning me) – his answer was he was hoping I would apologize to HIM, who had nothing to do with the simple incident of calling someone fat! Nick L. is a TOOL!
oh, and you can do all sorts of crazy shit unseen 🙂 ~ as well as affecting race outcomes.
Yes, any service provider can ban anyone or shut the whole thing down at any moment, but when people decide to use a service they want those things to be done in a reasonable manner, not arbitrary or silly. So just to say that zwift has the legal ability to do this is silly, zwift exists because it has customers and customers have expectations. Zwift could also close every world except Paris if they wanted, it’s their legal right to do so, but I bet a few people would be unhappy about that.
Thanks Eric for the post. Nailed
#freeLuciano
As Zwift is a fast-growing company I am well aware that things can run out of control easily. From my own experience I know that customers are not interested in this and always expect perfect handling while your employees are running the extra mile internally. On the other hand, you should always take seriously things that affect the core of your business, your so-called “reason why”. Changing weight within a race is already not allowed in the game, even changing bike without a stop. So clearly changing weight in a race via the Companion app is an exploit. Zwift should… Read more »
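On the detection side, as an added example that is not part of the original post and is not Zwift’s code: the CEO’s update above says the exploit is detectable and that Zwift can look back and identify who used it, and the comments above say the behaviour can be traced programmatically during an event and that it consists of changing weight mid-race via the Companion app. The script below assumes a hypothetical per-rider telemetry feed (event id, rider id, seconds since start, reported weight) and uses constructed sample rows; the field names are an assumption, and Zwift’s real data model is not on this page. It groups samples per rider and event, flags any weight step larger than a small tolerance (so scale rounding jitter is not reported), and notes whether the weight was put back to its starting value before the finish.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One telemetry sample for a rider in an event (hypothetical schema)."""
    event_id: str
    rider_id: str
    t_s: int          # seconds since the event started
    weight_kg: float  # weight the rider's profile reported at that moment


# Constructed sample data (not Zwift data). Rider "r2" drops 8 kg for the
# middle of the event and restores it before the finish; "r1" is stable and
# "r3" only shows sub-tolerance rounding jitter.
SAMPLES = [
    Sample("evt1", "r1", 0, 78.0),
    Sample("evt1", "r1", 600, 78.0),
    Sample("evt1", "r1", 1200, 78.0),
    Sample("evt1", "r2", 0, 82.0),
    Sample("evt1", "r2", 600, 74.0),
    Sample("evt1", "r2", 900, 74.0),
    Sample("evt1", "r2", 1200, 82.0),
    Sample("evt1", "r3", 0, 65.05),
    Sample("evt1", "r3", 600, 65.0),
    Sample("evt1", "r3", 1200, 65.05),
]


def mid_event_weight_changes(samples, tolerance_kg=0.1):
    """Return {(event_id, rider_id): [(t_s, previous_kg, new_kg), ...]} for
    every rider whose reported weight moved by more than tolerance_kg between
    two consecutive samples of the same event. Samples are ordered by time
    before comparison, so input order does not matter."""
    by_rider = defaultdict(list)
    for s in samples:
        by_rider[(s.event_id, s.rider_id)].append(s)

    flagged = {}
    for key, rows in by_rider.items():
        rows.sort(key=lambda s: s.t_s)
        changes = []
        for prev, cur in zip(rows, rows[1:]):
            if abs(cur.weight_kg - prev.weight_kg) > tolerance_kg:
                changes.append((cur.t_s, prev.weight_kg, cur.weight_kg))
        if changes:
            flagged[key] = changes
    return flagged


def summarize(samples, tolerance_kg=0.1):
    """One record per flagged rider: how many steps were seen, the weight
    range used during the event, and whether the weight had been restored to
    its starting value by the last sample (the change-and-restore pattern is
    worth calling out separately from a single lasting change)."""
    flagged = mid_event_weight_changes(samples, tolerance_kg)
    records = []
    for (event_id, rider_id), changes in sorted(flagged.items()):
        rows = sorted(
            (s for s in samples if (s.event_id, s.rider_id) == (event_id, rider_id)),
            key=lambda s: s.t_s,
        )
        weights = [s.weight_kg for s in rows]
        records.append({
            "event_id": event_id,
            "rider_id": rider_id,
            "n_changes": len(changes),
            "min_kg": min(weights),
            "max_kg": max(weights),
            "restored_before_finish": abs(weights[-1] - weights[0]) <= tolerance_kg,
        })
    return records


if __name__ == "__main__":
    for rec in summarize(SAMPLES):
        print(rec)
```

The tolerance is the one knob worth tuning against real data: too tight and every scale-rounding blip becomes a case to review, too loose and a small but race-changing adjustment slips through. For a live event the same check runs incrementally, comparing each new sample with the previous one for that rider.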
#FREELUCIANO
#freedeadpool
hahahahahaa
“What’s a shadowban, you ask? On Zwift, this basically means you can see others, but they can’t see you. You also don’t show up in race results. It’s a way of removing bad actors from the game experience, while still allowing those riders to generate revenue for Zwift.”
Fixed it for you. 😉
I left Zwift after the WTRL password debacle – they never did apologise. I do not believe they will apologise this time either, someone high up in that organisation is obviously too arrogant to admit to mistakes.
I was expecting to return to Zwift at some point. I will not do that now – this is the third time in a very short time span, that they have disappointed me this much.
I like Zwift, the product. I love Zwift, the community. I can no longer in any way support Zwift, the company.
I’m sorry you didn’t get an apology – I did and it was actually a very emphatic one over the password debacle – in that instance it was a mess of someone else’s making.
This time Zwift is very much front and centre to the storm.
Sadly lessons have not been learned, so it does not bode well for the future. I would imagine platforms like RGT are rubbing their hands with glee. They are some way off becoming serious competitors but a lot of team and event organisers are expanding horizons from “zwift only” to “zwift first”.
Hope you’re back soon Luciano, with a full apology.
#FreeLuciano
Well put Eric 👏🏼
Stopped my subscription for the first time in over 4 years until Luciano is unbanned.
#freeluciano
Hello JD, It is unbelievable the support I am receiving from all the community. I cannot thank enough all the Zwifters who have backed me during the last two days. You all rock. I have seen the #freeluciano tag all around in Watopia and it has even won some races. Not joking. Two B races were won today with guys changing their name to #freeluciano 🙂 Now, I don’t think you guys should cancel your subscription because of this. I love Zwift community and I wish I had my account back. Sorry if I sound cheesy in the next lines.… Read more »
Luciano, Zwift has freed you, and rightly so. Glad to have you back, if you come back.
Both Zwift and WTRL need to learn, understand, and internalize the concept of *rewarding* white-hat “hackers” and not punishing them. This is not the first time, and certainly won’t be the last.
Most high-tech companies have bug bounty programs (i.e. https://bughunters.google.com/). If Zwift really wants to grow, compete and develop as a modern high-tech company, they need to accept that “well-known” exploits cannot continue to exist while reliance on them not being known is the “solution” (in the security community, this is known as “security through obscurity”, and it always, 100% of the time fails).
A white-hat hacker doesn’t post an exploit on public sites. At no point did he inform Zwift and give them a chance to respond. He took the word of others that Zwift already knew rather than going to Zwift (and through Eric he had the option of more direct access into Zwift than most of us). Instead he went fully public. Even if, as I’m prepared to believe, his intention wasn’t malicious, it was foolish. If you want to quote the example of Google bug hunters then I’ll assume you’ve read their terms and conditions. It’s not tell the… Read more »
All fair points.
He didn’t hack anything. No code was altered, nothing was injected, no malware involved. He literally changed a setting while riding. Anyone can do this.
A white hat hacker was the comparison used, so don’t nit pick.
It appears you didn’t read the article, or any of the information relating to it.
Mark G. was responding to the comment by Marko, not commenting on the article. Sad that you couldn’t figure that out.
Zwift had been informed years ago. This is on Zwift. Zwift is lucky no one went public sooner. If no one had gone public it would never have been fixed.
I agree with you. I am not a white hat. I did not really know what the rules were here. However I was able to check that the issue was reported on many occasions to Zwift by other members before posting and nothing was done. At the time we posted I had evidence it was reported at least in Jan 21. Now I know for a fact the issue has been known since 2018. I am also being told by everybody that a 90-day delay is the time normally given to companies by white-hat hackers to solve and fix the… Read more »
As a software architect with a fair bit of experience and accountability in cybersecurity, it is always my assumption that a “0-day” exploit has been known in the wild for a long time. Anyone thinking otherwise is a fool. 90 days is 70-80 too many, and far more grace than I would ever give. For the record, if someone published an exploit like this for a product I’m responsible for without first reaching out to me and offer a grace period in which I can address it, I would be absolutely furious. And once I calmed down I would have… Read more »
Except that’s not the situation we are in. What would you have done if you had been presented the exploit and your company didn’t fix it for years and then someone posted about it publicly?
I’m confused about which of my two points you refer to. But to clarify my position: 1 – It is a good assumption that 0-day exploits are known and in use before your company ever gets the bug report 2 – If your company ever gets a bug report that has serious impacts for a large user base (security, cheating, etc.), it is your obligation to address on priority 3 – If a company ignores a bug impacting a large user base for months/years, public disclosure is appropriate While a defensive reaction may be expected thanks to human nature, it… Read more »
So to summarize you volunteer to tell us all about what you would have done if someone publicized an exploit for your product that your company didn’t know about. I ask what you would do if your company knew about the exploit, because that is actually relevant to this situation. To that you reply that you don’t want to theorize. But it does seem like you want to theorize from your first comment. Not much point in continuing if you’re gonna say “x” in one comment and “not x” in the next comment.
In re-reading my comments, I can see I wasn’t explicit in either one. I tried to imply the position I talked about is same as Zwift (i.e. my company knew about the exploit), but clearly I did not do a good job. Placed in the same situation as Zwift, my reaction would be to organize and help the engineering team close the hole as fast as realistically possible. My help may mean me personally fixing it, me prioritizing it as a show-stopper, etc. Once the process is under way to appropriately address the ability to cheat, I’d move onto asking… Read more »
Hi Mark, In this case, the issue was reported years ago to Zwift and they didn’t fix the issue. It was due time someone made this issue public, to put pressure on ZHQ to actually fix this.
Although he could have handled it a little better by giving Zwift a couple of weeks notice, I still think that if a company sits on a bug for over 2 years, they have it coming. They should implement a Coordinated Vulnerability Disclosure process extended to bugs that could lead to cheating. And they should be transparent about it!
Karel
We (we were three deciding on the protocol) are not at all bug hunters, and we don’t want any reward, just the thing to be fixed so we can enjoy Zwift Racing again without thinking that people are exploiting a hole in the system to cheat. It’s not even a problem of performance in sports, it is about fun. I don’t play poker or Monopoly with cheaters either. Just because it is not fun. Now, as much as I did not want a reward, I did not expect to be banned either, to be honest. Had I known…
It is widely assumed that cheating is rampant in Zwift (or at least it is in my circle). As they’ve done little to address it over the years, I see no reason to believe they will now or to give them more benefit of the doubt. Sometimes a fire needs to be lit to get the team moving.
Alas, as Yoda once said, in terms of exploits, “there is another”. Harder to do but enough to completely change the dynamics of a race. It’s been taking place for some time in the ZRL. WTRL have known about it since at least late last year, but to my knowledge have no plans to act on it. If Zwift and others want to take race organisation / enforcement away from the Community, they need to step up to the plate faster than this.
Sorry, I’m just not a fan of excuses for why people should take efforts to ease the blow to large companies so they can save face for problems that have existed for this long. Much less existed AT ALL. I know you have relationships to maintain so that colors your response in some way. But I have NO sympathy for a billion dollar company that is offering decreasing value over time. I’m less and less confident Zwift will be a long term part of the sports community. I hope they just took a tough nosedive during Covid despite the…
#FREELUCIANO
Zwift somehow did something about this when doing the change using the in-game Zwift settings.
When playing with autohotkey changing weight was greyed out after lots of changes. I did the pretzhell and changed it a lot during the event.
I got some trouble with it as I ended with a way too low weight 😂
See, YOU are the type of person Zwift should ban, not someone like Luciano. Luciano wasn’t cheating. You clearly were (or are).
I am watching you 🙂
That was silly, Luciano. You had good intentions but I don’t understand why you thought it’s a good idea to share the details. It may be well-known (whatever that means) but of course many many more know it now too. I don’t agree with the hard stance by Zwift (#FreeLuciano), especially if they say they can detect it anyway, but you didn’t know that and I’m just a bit perplexed why, after Eric tells you that he can’t publish that, you publish it everywhere. Hope it gets resolved quickly, Lord knows there are more important things happening right now, and…
I love your positioning. Especially on way more important things happening 🙁 I perfectly understand you may disagree. The questions we asked ourselves at the moment of publishing were exactly the ones everybody has, and for some of them we came out with different answers. For example, to the one “many others will know” for us the answer was quite straightforward. Now that you know, will you cheat? When I was made aware, would I cheat? And we believe that if you were planning to cheat anyhow, you would. If not, you would not… As simple as that.…
Okay, I see your reasoning. For me it’s a risk not worth taking, both on the community not abusing it (you are right that the majority will not become a murderer now, but the murder rate probably didn’t decrease either) as well as on your end not getting punished for it. Wish you would’ve taken Eric’s proposed route but maybe your actions and the fallout lead to a better handling of these exploits. That this was possible for so many years is pretty unbelievable.
Ride on!
Nothing makes me believe Zwift would have acted on the report had you submitted it in some alternate fashion. If they hadn’t in the past several years why would they now? Of course, they’ll say otherwise, but you either take cheating/security seriously or you don’t …
I think I lost 3kg just reading that!
I have some suggestions on how to translate that through companion app, you can DM me 🙂
#FreeLuciano
What do I know? But this strikes me as a situation where Zwift got caught looking really bad, and made it worse by punishing the person who shined the bright light on their own failure. It seems really disingenuous for Zwift to say, he should have reported this through proper channels, when it’s clear that people had been doing that for years. If he had used “proper channels” again, chances are that still nothing would have changed, and the exploiters of this would have continued. Instead, it’s become quite the dust-up, and Zwift is now in a position to where…
Well… I’m pretty sure you’re all aware that there’s Rouvy, Fulgaz, Bkool etc. ready to take your money (less, btw, than Zwift). These apps feature real roads and not some cartoon made-up sh#t.
If they’ve known about it for years already and not made the fix, it must be difficult or impossible so I wouldn’t expect it to change anytime soon. But if it DOES get fixed quickly now that everyone is watching, then it’s almost worse because they’ll essentially be admitting that it could have been done long ago but fair racing just wasn’t a priority. Zwift’s response that it’s the community’s responsibility to catch cheaters is SO weak. We can’t be racers and refs at the same time.
I bet it is VERY easy to fix. Program it so that you cannot alter game critical profile settings while riding. A programmer should be able to do that quite fast. This is programming and not rocket science.
Spoken like someone with no programming experience. Unless you’re intricately familiar with the code in question, your opinion is useless.
As for rocket science, quite literally it would be impossible without programming 😂
I don’t know what the internal zwift code looks like or how it’s structured but we can look at similar changes they have made in the past to estimate. It used to be possible to swap bikes without stopping until they fixed that. So they’ve done similar fixes in the past, so it can’t be _that_ hard.
Unfortunately you cannot infer one from the other for many reasons. Different modules will have differing levels of complexity and we have no idea if the two are similar. We also don’t really know the cost of the bike swap fix. Do I think it is complex? No, I doubt it would take that much effort. But the original comment implied it is “VERY easy to fix”, which is arbitrary. Do I think they should fix it? Absolutely, they should have done so long ago. I think they should have had a fix out by now even assuming they…
So I can’t even try to do some informed guessing using facts and known things about Zwift about how much effort a fix is but you are allowed to say that they should have had a fix out within a few days. Seems like you have one standard for what you say, and a different standard for what everyone else is allowed to say.
May wanna be careful with your condescending tone. (https://en.wikipedia.org/wiki/History_of_rockets)
You’re absolutely right, I took offence at the original comment and reacted poorly (This is programming and not rocket science). I’ll let the OP educate themselves about complexities of “programming”.
To sum it up: We couldn’t be bothered to fix this in four-plus years; how dare you publicize it. That was the policy generally in the Internet infrastructure community until about 10 years ago. But that has evolved somewhat. Generally, companies know that they need to respond quickly to reports and to actually fix things. They also know that it is generally a bad idea to shoot the messenger even when they may violate terms of service etc. Really progressive companies even have bug-bounty programs to reward people for reporting them etc. Possibly Zwift should review some policies like…
Is the WordPress blog still up?
#FreeCheatingInstructions
@Rob Bane I hesitate to post this, and this comment will probably get removed, but:
https://web.archive.org/web/20220224130813/https://zweight241477032.wordpress.com/2022/02/23/the-ultimate-undetectable-weight-cheat-to-win-all-races-on-zwift/
No it’s not, but some people retrieved it from webarchive. After the word was out and it was clear that it raised the attention of Zwift (the ban was a clear indication they were taking it seriously) I have decided to take it out. Cost/benefit analysis…. Initial aim was reached.
OK, I was agreeing with Eric that you should have gone through proper channels with this… until I finally took a look at your page to see what the exploit was. I am firmly in the LP camp now, this is completely on Zwift. Such a stupid easy fix to this and they knew for years, they should be ashamed of themselves. I’m sorry for ever doubting you.
I am one of Luciano’s teammates, and I am appalled at how Zwift has handled this. It is a fumble in user support and integrity at best, reckless and damaging at worst. Zwift needs to look at this with open minds and eyes. That said, this exploit should be less difficult to fix than most. There are a number of paths (most of them would be time-consuming), but eliminating the alteration of trigger data during events will stop the exploit and should be a code snippet that is fairly easy to implement. Back to Luciano’s status… Zwift has the power to…
Love! Love! Love!
Well written article, Eric, and your thoughts are on-point. I can only hope sane voices at ZHQ take the reins before this spirals beyond the point that they can recover their dignity. I am usually Zwift’s biggest fan – but whoever was responsible for this on their end needs to be rapidly escorted from the building.
You would think Zwift invaded Ukraine based on the faux outrage in these comments. The guy promoted a way to cheat.
HTFU and #BanLuciano
I am already banned 🙂
And yes, this is ridiculously superficial given what is happening in Eastern Europe.
Judging on your nickname probably you are one of the persons who think that Mother Teresa was a good person.
I will still be watching your videos even if I am not racing… Please keep the music 🙂
There is a simple solution to fix that: just block the ability to use the exploit in the companion app during race events. Easy fix. Can be done in a second. I wish someone would check race results on ZwiftPower and highlight cheaters, all the power data is there. No mercy for cheaters.
That should be the priority now for Zwift programmers.
More people will be aware how to use this exploit now, and they’re gonna use it for sure.
This is amazing, do you know their IT architecture? Which bits of code need changing?
Simple as that:
If the race has started, changing value x is not possible.
Or if it is changed, it will affect the game from the next started activity.
Don’t tell me this thing requires weeks of rewriting code.
Simple rule set:
If the race has started, value x is not editable.
“can be done in a second”. If you have any experience coding in the real world, you would know that changes are rarely as simple as they might appear at first glance. Then there is testing and the fact that devs are working on other things.
I am a programmer. To fix this particular cheat it would be enough to block the ability to change your profile in the companion app during any ride. Including testing, this should not take more than one day for someone familiar with the code.
Chris. I also thought this when we launched the post. I am not a developer. By now it has been explained to me in detail that the companion app fix is super easy but it would not resolve the whole thing. Seems more complex. Without meaning to, we pointed at something complex. It is Zwift’s responsibility to solve it, and they had plenty of time, not mine. But it is not as easy.
If it is possible to do from the companion app, it is possible to do, period. Security issues cannot be resolved from the client side, only made less convenient; that’s the challenge here.
No excuse though, if they don’t take cheating seriously, how will they handle a real issue?
I just ride & race for the fun of it. Cheaters kill the fun!
Stop the cheaters!
#freeluciano
I should copy paste your line instead of giving all kind of justifications why we did this or that….
In this tragic drama, Zwift plays the part of Missouri Governor Parson and Luciano the part of the journalist alerting the government to embarrassing issues. Not happy to be publicly embarrassed, Zwift Parson abuses power against the gadfly.
See also “The Emperor Has No Clothes”.
I’m happy that Luciano exposed that. Unfortunately the racing community has been ignored by Zwift for years; how long have sandbaggers had a chance to destroy the racing experience for many people?
#freeluciano
There are other exploits….I will not post the details…but
Zwift just taught their user base that if you find exploits and want to make them public, do so anonymously. This is not even an exploit, it’s just using the functionality they provide in a crappy, dishonest way. Their response is how you get a bunch of bored nerds to find ACTUAL exploits and publish them publicly. I sure hope there is racing with WTRL-level participation on some other platform by next winter. They have shown themselves to not be a company I want to give money to in dozens of ways for years.
Pssh. It isn’t an “exploit”. It is a bug. It is part of the typical profile that every user must edit. “When” they edit it is entirely up to the UI design team at Zwift. Blaming the public and users is just childish.
I bet less than 100 lines of code in all need to be changed … just get it done Zwift.
How dare he want a fair platform..😜 Well I am now wondering if this was the method used in the ANZAC Day ride last year by a certain female.. I reported this high profile personality and next minute got shadow banned for 30 days.. I asked what the reason was for the ban and got an automated response about how I breached the terms and conditions. I returned for a week then got banned again. During the first ban I asked lots of others what they thought of this person’s ZP and they also reported her.. I ended up just leaving and…
For anyone wondering, here’s a link to the article:
https://web.archive.org/web/20220224130813/https://zweight241477032.wordpress.com/2022/02/23/the-ultimate-undetectable-weight-cheat-to-win-all-races-on-zwift/
Boy, am I glad that I’m a D racer (427 “races,” ZwiftPower tells me. Let’s make that 250, when you subtract the group rides I’ve led.) I just obsess over the races in front of me, rather than what other people are doing. Can’t control them. First, as a former professional journalist, I salute Eric for surfacing this when Zwift is, well, the focus of ZwiftInsider. Sometimes, you’ve gotta bite the hand that feeds you. Second, to Luciano, Dolt! Whatever Zwift, ZwiftPower and WTRL’s failings, what were you thinking? Did you bother to check the repercussions of publication? What amazes…
Stripped all my formatting. Bad, Eric. Bad. Bad.
Maybe Zwift should have fixed this sooner, so they don’t have to rely on catching people using the cheat. However, the way Luciano handled it was absolutely wrong and does not reflect well on his character. It sounds like you guys had the right approach at the start and planned to share the testing with ZwiftHQ and “make sure the right eyes saw it”. Was it that Luciano’s “rabid”/”obsessive” nature meant that he couldn’t follow that plan and had to tell the world right away? He sounds like your friend or at least you like the guy, so naturally you’re…
Is it fair to race against cheaters?
The problem was highlighted a long time ago.
Zwift devs ignored that. Luciano opened Pandora’s box; it looks like this is the only way to force them to fix that.
“Is it fair to race against cheaters?” No and that’s a stupid question. Why are you asking it, when I did not suggest anything of the sort.
“Zwift devs ignored that” – not true, since apparently Zwift has a way to detect this method of cheating and has DQ’d people who tried it. With that in mind, it’s easy to see how someone would put the “fix” as a lower priority. That’s not “ignoring it”, when you have 1000 other changes requested.
There might be an easy quick-fix for this particular exploit, but it also reveals an underlying design problem with Zwift as a competitive online multiplayer game… There is no server validation! The client is responsible for almost everything. The most obvious hack would be having the client tell the Zwift server that you’re outputting 100 W, weigh 100 kg but are still going at 100 km/h (or mph for that matter) while ascending a climb :/ This would look quite weird and suspicious, but what about always having “full draft” or always extra powerful power-ups? Deciding which power-up to get might actually be…
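The fix several commenters sketch above (a game-critical profile value submitted mid-race is not applied until the next activity) only holds if the server, not the companion app, enforces it, which is the point of the server-validation comment. The following is an added example, not Zwift's code: a server-side profile service that defers locked-field edits during an activity, and a look-back check over an event log of the kind the CEO's update says makes past use detectable. All class and field names and the sample log are constructed for illustration.

```python
"""Server-side guard for game-critical profile edits during an activity.

Added example, not Zwift's code. The authoritative state lives on the server;
clients only submit requests. Field names and the sample log are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

LOCKED_FIELDS = {"weight_kg", "height_cm"}  # assumed game-critical values


@dataclass
class Rider:
    rider_id: str
    profile: Dict[str, float]
    in_activity: bool = False
    pending: Dict[str, float] = field(default_factory=dict)  # deferred edits


class ProfileService:
    def __init__(self) -> None:
        self.riders: Dict[str, Rider] = {}

    def register(self, rider_id: str, **profile: float) -> None:
        self.riders[rider_id] = Rider(rider_id, dict(profile))

    def start_activity(self, rider_id: str) -> Dict[str, float]:
        rider = self.riders[rider_id]
        rider.profile.update(rider.pending)  # deferred edits take effect now
        rider.pending.clear()
        rider.in_activity = True
        return dict(rider.profile)  # the values this activity is scored with

    def end_activity(self, rider_id: str) -> None:
        self.riders[rider_id].in_activity = False

    def update_field(self, rider_id: str, name: str, value: float) -> str:
        """Apply an edit, or defer it when the field is locked mid-activity."""
        rider = self.riders[rider_id]
        if name in LOCKED_FIELDS and rider.in_activity:
            rider.pending[name] = value
            return "deferred"
        rider.profile[name] = value
        return "applied"


# Event record: (rider_id, kind, field_name, new_value); kind is start/end/edit.
Event = Tuple[str, str, Optional[str], Optional[float]]


def flag_mid_activity_changes(events: List[Event]) -> Set[str]:
    """Look-back check: riders whose locked fields changed between an
    activity start and its end, replayed from an ordered event log."""
    active: Set[str] = set()
    flagged: Set[str] = set()
    for rider_id, kind, name, _value in events:
        if kind == "start":
            active.add(rider_id)
        elif kind == "end":
            active.discard(rider_id)
        elif kind == "edit" and name in LOCKED_FIELDS and rider_id in active:
            flagged.add(rider_id)
    return flagged


# Constructed sample log: r1 edits weight mid-race; r2 edits before the start
# and only touches a non-critical field while riding.
SAMPLE_LOG: List[Event] = [
    ("r1", "start", None, None), ("r1", "edit", "weight_kg", 60.0),
    ("r1", "end", None, None), ("r2", "edit", "weight_kg", 80.0),
    ("r2", "start", None, None), ("r2", "edit", "display_order", 1.0),
    ("r2", "end", None, None),
]
```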
This, exactly, is already rumoured to be used….
Does the client actually specify speed?
Thank you for this. Shame at Zwift’s response to someone trying to improve things. They seem to be losing the plot. #freeluciano
Thanks for this post Eric. #FreeLuciano
So frustrating Zwift is blaming the messenger instead of focusing on the real problem.
I know you have to craft some kind of “both sides” narrative because of your position but even your suggested way for Zwift to have handled this, as you outlined in the email you’d have liked to see Zwift send, is stupid. Ever heard of the Streisand effect? https://en.wikipedia.org/wiki/Streisand_effect When you try to block or ban something on the internet it has the opposite effect: the content gets shared even more widely. So although Zwift claims their goal is to prevent more people from learning of the exploit, their own actions have caused many more people to become aware of…
We should all post how to do this weight cheating (it’s too easy to even call it a hack, I’ve seen it being used) on every forum, Discord server and Facebook. This would leave Zwift in a spot where the only way out is fixing this absolute and utterly dumb issue. What else are they gonna do? Shadowban every racer?