A few days ago we received a report that an old version of one of the scripts was being distributed for free by someone other than its author.

We checked this information, and it really turned out to be an exact copy of the script. Not a custom-made similar script, but exactly a copy.

The reasons for this could be the following:

• A source leak on the developer's side.
• Obtaining the source using the developer's account on the site.
• Obtaining the source using a possible vulnerability on the site.
• A possible crack of the compiled application.

Understanding what exactly happened several months later is quite difficult. So we wrote to the person distributing the cracked application, posing as a user who wants to crack another script, and offered a solid sum for it. At the same time, all possible logs were enabled on the server to understand which steps exactly he takes.

As a result of the correspondence, the crack was never performed — he simply stopped responding to messages. At the same time the person said things that do not allow us to consider him competent in this matter. In fact it took the cracker more than a day just to launch the script.

Example:

As for the server logs, the authorization data provided to the attacker was used only 2 times to run the script for 1–2 minutes.

As a result, if we assume option 3) or 4), then it is unclear why the attacker did not want to get the money without much effort? Why is the version of the script distributed for free so outdated? Why did he not even try to perform the crack?

From all this I can assume that cracking the BAS protection in this particular situation is unlikely. Unlikely, but still possible. That is exactly why a set of measures to strengthen the protection will be taken immediately:

• A patch will be released soon that moves part of the security-related things to the server.
• A reward for found vulnerabilities will be announced (https://community.bablosoft.com/topic/12484/).
• We will order an audit of the protection system from a third-party company.
• Most likely, the protector will be changed.
• The ability to get the code of your own script through the personal account is disabled (Already done).

All these measures will be taken in the very near future, literally days and hours. Right now BAS version 23.0.0 is already fully ready, but its release is postponed in order to deal with the possible problems described above.

We value our developments in the field of protection and will not tolerate theft on our platform, which is exactly why the user who demonstratively distributed someone else's work was banned. And so it will be with everyone, regardless of status, number of users, etc.