v0.60.6 Patch Notes
A small but important hotfix on top of v0.60.5. Headline item is a critical security fix for an account-impersonation bug a player responsibly disclosed; the rest of the patch carries the consequences of that fix and a quality-of-life addition that lets you connect to friends' servers from the Online Play menu.
SECURITY: account impersonation via direct connection
A player privately reported that anyone who could connect to the public game port could send a specially-crafted login line and immediately log in as any account on the server, with no password verification at all. The bug existed since the original implementation of the BBS / SSH relay system: the server treated all unauthenticated connections as if they came from a trusted local relay, but never actually checked that the connection was, in fact, local.
The fix: the server now verifies the connection is from a loopback (127.0.0.1 or ::1) before accepting any unauthenticated login. Every external connection must go through real password verification. All legitimate paths still work (SSH gateway, web terminal, desktop and Steam clients with passwords, MUD-client interactive login). Every blocked attempt is logged with the source IP and the impersonated username for post-incident review.
If you ever logged in to play.usurper-reborn.net via SSH or the web terminal or any client that requires you to type a password, your account was always safe. The bug only affected the no-password trusted path, which existed for legitimate local-relay reasons but should never have been reachable from the open internet.
Thanks to the reporter for disclosing privately rather than dropping a zero-day. Exactly the right way to do it.
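The loopback gate described above, sketched as an added example. This is not the project's code from MudServer.cs; the type and method names (LoginKind, AuthGate, MayLogIn) and the log format are hypothetical. It goes one step beyond the 127.0.0.1 / ::1 check by also normalizing IPv4-mapped IPv6 peers, which is how IPv4 clients appear on a dual-stack listening socket.

```csharp
using System;
using System.Net;

// Added illustration; names are hypothetical, not taken from MudServer.cs.
public enum LoginKind { TrustedRelay, Password }

public static class AuthGate
{
    // True for 127.0.0.0/8, ::1, and IPv4-mapped loopback (::ffff:127.x.x.x).
    public static bool IsLocalPeer(IPAddress peer)
    {
        if (peer.IsIPv4MappedToIPv6) peer = peer.MapToIPv4();
        return IPAddress.IsLoopback(peer);
    }

    // The decision uses the socket's peer address, never a field of the login line.
    public static bool MayLogIn(EndPoint remote, LoginKind kind, string claimedUser,
                                Func<bool> verifyPassword, Action<string> log)
    {
        // Password logins are allowed from anywhere, but only after verification.
        if (kind == LoginKind.Password) return verifyPassword();

        // The no-password trusted form is honoured only for a local relay.
        if (remote is IPEndPoint ep && IsLocalPeer(ep.Address)) return true;

        // Record source and impersonated username for post-incident review.
        string source = remote?.ToString() ?? "unknown";
        log("blocked trusted login: source=" + source + " claimed_user=" + claimedUser);
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample peers; 203.0.113.7 is a documentation-range address.
        string[] peers = { "127.0.0.1", "::1", "::ffff:127.0.0.1", "203.0.113.7", "::ffff:203.0.113.7" };
        foreach (string p in peers)
        {
            var ep = new IPEndPoint(IPAddress.Parse(p), 50000);
            bool ok = AuthGate.MayLogIn(ep, LoginKind.TrustedRelay, "alice",
                                        () => false, Console.WriteLine);
            Console.WriteLine(p + " -> trusted login accepted: " + ok);
        }
    }
}
```

The first three peers are accepted as local; the last two are rejected and each produces a log line carrying the source endpoint and the claimed username.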
BBS Online Play now uses password auth
The above fix had a knock-on effect: the BBS [O]nline Play menu previously used the same no-password trusted form to log into the public game server, and that path is now blocked at the server. The BBS [O]nline Play menu has been migrated to use the same login / register flow as desktop and Steam clients: pick Login or Register, type a username and password, and the server runs real password verification.
For BBS players: if you used [O]nline Play before, your previous "BBS-handle-as-username" identity is gone (it was never authenticated anyway). On your next visit you'll be prompted to register or log in. The username prompt is pre-filled with your BBS handle so you can press Enter to accept it as your game-server username. After that, just remember the password.
For BBS sysops: update your BBS door binary to v0.60.6 (win-x86 build attached to the GitHub release). The new binary's [O] Online Play menu prompts for username + password instead of the old trusted passthrough. BBSes that only run with the --online flag (giving the BBS its own local SQLite-backed shared world for that BBS's players) need no upgrade and are unaffected; the change only matters if your players actually use [O]nline Play to connect to a remote shared server.
Online Play server picker
The [O]nline Play menu used to drop you straight onto the official server. Now it shows a server picker first:
Choose a server:
  [1] Official server (play.usurper-reborn.net:4000)
  [2] Connect to a different server (enter host and port)
  Back to Main Menu
[1] is one keystroke for the common case. [2] prompts for hostname then port (defaults to 4000 if blank, validates 1-65535). After picking, the existing auth flow runs unchanged.
This is the foundation for community-run servers. The minimum viable shape: if your friend hosts a Usurper Reborn server, you can paste their hostname and play together without needing any central registry. A full automatic server-discovery system (where servers phone home to a master list and the client populates it) was scoped and deferred for later. The picker is the immediate win that requires no infrastructure.
Six new localization keys translated for English, Spanish, French, Hungarian, Italian.
Screen reader auto-detect false positives (Steam + BBS)
Two reports of the title screen showing "Screen reader detected. Accessible mode enabled automatically." when no screen reader was actually running:
- Sighted Steam player on a clean launch via the default Play.bat (which wraps the bundled WezTerm).
- BBS player connecting through Synchronet to a sysop's BBS hosting Usurper Reborn as a door.
The Windows API the game uses to detect screen readers turns out to be stickier than Microsoft's docs suggest: browsers, accessibility tools, and apps that crashed without cleaning up can leave the system flag set. Any subsequent launch saw the flag and turned on accessible mode, even when no screen reader was actually running.
The BBS case was even worse: the API was reading the BBS sysop's Windows session flag and applying it to every player who connected through the door. Players on remote terminals don't share the BBS host's accessibility state.
The fix:
- Skip the auto-detect for any BBS / MUD / relay launch. Door modes always run on a host machine separate from the player, so reading the host's flag is meaningless. Door players who need accessible mode have working paths: their MUD client's TTYPE negotiation, the in-game preferences toggle (saved per character), or launching via Play-Accessible.bat with the explicit flag.
- Skip the auto-detect when running inside WezTerm. The default Steam launcher (Play.bat) wraps WezTerm; screen reader users on Steam are expected to use Play-Accessible.bat which passes the flag explicitly.
The auto-detect still runs for the standard console launch (non-WezTerm desktop console, direct .exe double-click) where it's the only path a screen reader user has to discover the mode without command-line flags.
macOS and Linux are unaffected; the underlying API returns false on those platforms anyway.
Files Changed
- Console/Bootstrap/Program.cs (screen reader detection gate)
- Scripts/Core/GameConfig.cs (version bump)
- Scripts/Server/MudServer.cs (loopback gate on trusted-AUTH)
- Scripts/Systems/OnlinePlaySystem.cs (server picker, BBS auth migration)
- Localization/{en,es,fr,hu,it}.json (6 server-picker keys per language)
No SQLite schema changes; v0.60.5 schema carries forward unchanged.
Beta is live. Bug reports and feedback always welcome. Press the ! key in-game or type /bug to report. See you in there.
