Due to a security flaw in the community deck repository NetrunnerDB (NRDB), decks that were intended to be semi-private were scraped by notable members of the west coast Netrunner community, who have admitted to and apologized for doing so on Stimslack.

The exploit involved the Share function on NRDB. Decklists that have not been formally published for general access can still be shared by exchanging the URL that links to the private list. However, the ID for each list was not randomly assigned, so unintended parties could reach a list by changing the ID values until they found one belonging to a known player. While the option can be turned off, preventing decklists from receiving a URL designation, it is commonly used among online test groups to facilitate their preparations.
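An added illustration of the fix for the flaw described above (not NetrunnerDB's code; `DeckStore`, its methods and the URL layout are hypothetical): each share link carries a random token, so knowing or guessing a deck's numeric ID is not enough to read it, and switching sharing off invalidates links already handed out.

```python
import hmac
import secrets


class DeckStore:
    """Hypothetical store of private decks with opt-in share links."""

    def __init__(self):
        self._decks = {}   # sequential internal id -> deck record
        self._next_id = 1

    def create(self, owner, cards):
        deck_id = self._next_id
        self._next_id += 1
        self._decks[deck_id] = {"owner": owner, "cards": cards, "token": None}
        return deck_id

    def enable_sharing(self, deck_id, requester):
        deck = self._decks[deck_id]
        if deck["owner"] != requester:
            raise PermissionError("only the owner can share a deck")
        # 32 random bytes (256 bits): the link cannot be derived from the id.
        deck["token"] = secrets.token_urlsafe(32)
        return f"/deck/shared/{deck_id}/{deck['token']}"

    def disable_sharing(self, deck_id, requester):
        deck = self._decks[deck_id]
        if deck["owner"] != requester:
            raise PermissionError("only the owner can unshare a deck")
        deck["token"] = None  # previously issued links stop working

    def view_shared(self, deck_id, token):
        deck = self._decks.get(deck_id)
        # Same answer for unknown id, unshared deck and wrong token, so
        # stepping through ids reveals nothing about which decks exist.
        if deck is None or deck["token"] is None:
            return None
        # Compare as bytes in constant time; also tolerates non-ASCII input.
        if not hmac.compare_digest(deck["token"].encode(), token.encode()):
            return None
        return deck["cards"]
```
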

To clarify, the SF “Glass House” group accessed these lists without prior permission from their account owners. As described in their apology:

joseki [3:09 PM]

we have a bot that printed the decklists to text and put them in a thread under the deck url

inniscor [3:08 PM]

To be clear — the implementation involved a scaled query for newer and newer lists and a “white list” of users whose decks we would then store in their entirety (at the time of query) vs just storing the URL.

It had an inherent weakness in that we lost all updates so that’s why we’d actually have to go check them from time to time manually cause we didn’t want to scan and rescan in fear of the API raising alarm.

A full list of accounts tracked was provided by joseki, who claims to have led the Glass House effort alongside westonodom, who programmed the scraping bot. The affected accounts are as follows:

Calimsha

Cerberus

triorph

tmoiynmwg

Circadia

Ajar

Anachron

Ebrey

FoilFlaws

Halarith

Manticore

Milk Jester

Paranoid31

Sanjay

Seamus

Shmeguy

SimonMoon

Swiftie

TheBigBoy

Tr33Beard

Vikk

Whiteblade111

aandries

amavric

bblum

colinphanna

dodgepong

gejben

grogboxer

leburgan

Beyoken

Lopert

lpoulter

mathandlove

mike.summers

nmh

OmniJeff

ramus

raphaeln

robotmascot

Rotage

snek

shanodin

spags

thebigunit3000

themeanlady

itsbigfoot

tstack

tzeentchling

webster

wesselal

x3r0h0ur

yeoda

echo/

Vicarin

JakeHelms

tugtetgut

wyrm

DonutTaganes

WhackedMaki

josh01

Nemamiah

d1en

sirris

evilgaz

Josh01 has provided temporary instructions for how to prevent this from occurring further, though a more permanent solution is still in the works by the site administrator.

Though the transgressing parties have willingly identified themselves, the competitive community is currently concerned with the extent of the damage and what to do about it. Many of the west coast aligned players, while apologetic about the concerns their actions have raised, do not believe it to be a major transgression. Others, including those on the list above, feel very differently.

ajar [3:12 PM]

Here’s the reason why I’m mad: I had OTHER PEOPLE’S decks in my NRDB. I NEVER EVER EVER share other ppl’s tech without their explicit consent and you all have totally violated that.

dien [3:36 PM]

All I have to say is this: when initially I heard about this happening I tried not to get upset; this is not the first time I’ve been hacked, DDoS’ed, any of these shenanigans. I locked my account after to prevent further snooping only to be informed that they thought I was part of a group doing it. To even be lumped in ethically with that notion depressed and frustrated me more to think not only that my peers thought of me that way, but thought of others that way and viewed this as ethically correct. I prided myself in being in a thoughtful community and it’s shit like this that makes this all so frustrating to be part of

Stimslack participants have suggested that the participants in the decklist scraping recuse themselves from the cut at the upcoming Worlds event. Not all have agreed to do so at this time.

The 2017 Netrunner World Championship is scheduled for the first week of November. Participants still have a month to prepare, with knowledge that their online lists may be compromised.