NetrunnerDB Exploit and How to Protect Yourself

This will be the first thread I make on the Stimhack forums, as I generally prefer to comment in threads from time to time, and it’s rare, to me, that a new discussion needs to be opened. I am posting this information on Stimhack because I do not know a better place for it, although currently, it probably applies to more than just the competitive/Stimhack ANR community.

There is a NetrunnerDB exploit (a predictable one that has been discussed as potentially happening for some time now) that allows an astute user to parse through NetrunnerDB for private decklists that have not been published. This only applies to accounts using the share decklists feature, but has affected a surprisingly broad number of players already. This is not purely hypothetical - I can confirm that the exploit is currently known and being used by one group in preparation for the World Championship in 2017 (maybe more on that later). If you have made decks with this feature on, especially if you are at all a known player, your decks have likely already been pulled. There is currently no other way to share unpublished decks on NetrunnerDB, which is unfortunate, as it’s moved some of us to sharing decks by text-only, and has affected the way others among us share (if you check out @TheBigBoy’s blog, many links now go to hidden decklists).

Anyway, you can still use NetrunnerDB without being affected if you change your account settings. It’s a couple short steps:

Then just uncheck the share box

I’ve been told @Alsciende has been contacted about this and is working on a fix, and a couple stimhack users personally tried to provide a fix (although this proved to not do anything against the tools currently developed). In the meantime, you can just change your account settings.


Netrunner metagames are awesome

Virus attack on jnet, now this. MUCH flavor.


Recommendation to @Alsciende: as soon as possible, dump the “share your decks” settings to a local backup and set it to false for all users until the fix is in place. Then, add a warning to the checkbox in the UI. Then get back to working on a longer term fix.

Ha, jokes on me, no one would consider my decks competitive! But yeah, fun times and shenanigans!

the wheat:chaff ratio is pretty grim for my account


Since a “fun” discussion has been had in the aftermath of this, I want to be clear about one thing: this is cheating. People were using netrunnerdb to share decks with an expectation of privacy, and violating that to gain a competitive edge is cheating. The exploit (utilizing the fact their is a finite number of numbers that can end the netrunnerdb link) to access all decks is functionally equivalent to using a dictionary attack to guess someone password. In both cases the user had an expectation of privacy and did not give you access to their data. The fact one is easier than another does not make it right, stealing a poorly guarded object is still stealing.

Finally, and most importantly this is very damaging to the openness of the community. You could make it so you need to have a separate deckbuilder that you use that no one knows about so you are more secure, but that makes it harder to enter the community when so much is hidden from site. I prefer meteor and do most of my deckbuilding there, I used netrunnerdb when I want to.share lists with people I’m not ready to share with everyone. People using exploits like these make it harder to share, harder to enter the community.

Personally I don’t want people doing it punished, but I do want it to be very clear it was wrong and.will not be tolerated as it damages the community. I would respect a great deal anyone who admitted they did it and they know realize it’s wrong, as it is in an area I can understand why someone wouldn’t think it was wrong. However, it is very damaging to the community and should not be tolerated and is.ultimately cheating.


While I see with your point and agree with most part of it I want to ask if you consider bar or xylophone nicknames as cheating. People hides them in jnet to get advantage afterwards.

I don’t think that it is but continuing your resoning I can see how that occurs to be a bad thing. Question of drawing the line in some place between these things?

PS And I tottally fine with having fun around the game as long as we don’t have money prizes like mtg does. It’s only a game after all.


I don’t think using an alternate alias to mask who you are is comparable to taking deck lists from people who want to share lists with friends without publishing them to the public.


That’s a ridiculous comparison, people playing on smurf accounts on jnet are still playing in public, open games with other players and so are only gaining access to things that are being made public by other players (aka decks that they are playing with on jnet against internet randos). Sure it means that if I play something I’m testing I don’t know exactly who I’ve played it against but I already knew that by playing it on there in a non-passworded game against a stranger it was effectively being made public. Someone skimming something from netrunnerdb that was, effectively, private is far closer to a dictionary attack on a passworded jnet game or spying on someone testing in person than smurfing and joining their games.

I think everyone’s up for having fun around the game, but that doesn’t mean “just do whatever who cares”, a lot of people take this game more seriously than that and while they it may not “matter” financially (at least directly, high level tournament prizes pick up a fair amount of cash if they’re rare) it’s a matter of respect to not blatantly bypass the intent of netrunnerdb deck sharing and abuse that platform to steal something that someone hasn’t ever made public or played publicly.


I’m going to add my own controversial, contrary opinion:

No one should win games because of their deck. Gaming the meta and having ‘spicy’ tech are ideologically the same as exploiting NRDB in this way. Both are exploitative in nature; the difference is that one uses the infrastructure of the game, while the other uses infrastructure outside the game. I understand people being upset about this, but I also don’t think people should be relying on these factors to win games. These NRDB exploiters are in essence skipping the ‘research’ step (gauging the meta) and accessing the data itself. I fully understand the disadvantage of having your deck contents be known, but Netrunner is a system rigorous enough to dissolve much–if not all–of this through gameplay. If you are in a situation where you are severely disadvantaged if your opponent knows your decklist, it’s my opinion that you were seeking to eke out an advantage through deckbuilding. There is no ideological difference to me between brittle jank and ‘meta-gaming’: both are exploitative in their own way. This NRDB exploit is not cheating; it’s merely using technology to simultaneously go to every LGS and JNET lobby in the world to mine data.

1 Like

It is also connecting decks to people though. Random data mining would be completely useless, the problem is that while JNET gives you the option of testing your decks anonymously, this exploit displays it for everyone.

I’m very much unwilling to accept that this does not constitute cheating. Gaining an advantage through deckbuilding is a legitimate thing that has been done forever. Gaining information like this is to me more akin to setting up a camera in someone’s living room.


I certainly understand this stance and it’s held by the majority.

The TL;DR of my opinion is that competitive ANR is cut-throat, whether people admit it or not. There are many egos involved; strata of inclusiveness; and exploitative practices employed before and during tournaments. This is just a new avenue of exploitation (one that likely won’t last long, or make much of an impact). Predators can’t really cry foul at becoming prey.


Hi there. Thank you for bringing this issue to my attention. I’m sorry I didn’t react earlier and more efficiently.

Right now, the author of a private deck doesn’t appear in the html page or in the API. So data scraping can still let a bot get all the new decks, as long as the share setting is “on”, but at least the person behind the bot has to judge the merits of the deck on its own, without the name or reputation of the author to help.

Right now, I can’t do any other fix until I’ve spoken with @necro, because AFAIK has stored myriads of private deck urls.

Of the top of my head, what I could do is deprecate the v2.0 API for /deck, keep it around for the old decks, and going forward, have a new v3.0 API for all future decks with an encoded deck id. A bit of work, at a time where I can’t even manage to find the time to support the new MWL :frowning:


Yes, it definitely is. I try to go about playing ANR in the least cutthroaty way possible, and I can only imagine that some players much better than me do too. While I see your point, I don’t think classifying every day 2 worlds contender (or whatever) as a predator is a tad unfair.


You seem to be arguing, @moistloaf, that anything goes since ‘this is intensely competitive’. Aren’t we better than that? Are there not behaviours that are unacceptable in terms of gaining an advantage, and isn’t this one of them?


No one should win games because of their deck.

I think this is inarguably false. If you build an absolutely terrible deck on purpose, you should lose. If you come up with the most efficient deck possible, and no one else has it, you should win. Part of maximizing win chances is building the best deck against the field, and part of building the best deck against the field is guessing what the field is.

The TL;DR of my opinion is that competitive ANR is cut-throat, whether people admit it or not. There are many egos involved; strata of inclusiveness; and exploitative practices employed before and during tournaments. This is just a new avenue of exploitation (one that likely won’t last long, or make much of an impact). Predators can’t really cry foul at becoming prey.

You had me until “Predators can’t really cry foul at becoming prey.” Of course they can. When someone does a bad thing, that bad thing is still bad regardless of what other bad things the victim does. If someone cheats one week, and then someone cheats against the cheater the next week, we don’t just call it a wash. Both are wrong, and you try to discourage it in every case you notice.


But there does seem to be a distinct and special space delineated by “using the infrastructure of the game” (or, as I like to call it, playing the game).

1 Like

I specifically did not say that people shouldn’t lose because of their deck. I agree whole-heartedly on that point. I disagree on the point of gaming the meta; in my own concept of an ideal landscape, this is not possible. I recognize that many people enjoy this aspect, but it is an exploitative mindset.

@tolaasin My point is more that I strongly disagree with cherry-picking which exploitative practices are acceptable and which are not. The game is rife with them; and yet this is the only thread I can remember being made about one. My guess is that this security breach touched upon the modern privacy taboo.

@moistloaf that many bad things happen is not grounds for not challenging this one.


Yes, but until the community is striving for an ideologically consistent, exploitation free landscape, this behavior is defensible. The landscape has been defined as anything goes; so it makes no sense to condemn this.

My secondary, conceptual argument is that ANR is an exploitative game by nature; and thus it is impossible to create an exploitation free landscape. The landscape became cut-throat due to the nature of the game itself; and any effort to go against that will ultimately fail or be ideologically hypocritical.