I worked on BeamMP[0][1], for 5 years, both as a project manager and lead developer for the server and client. BeamMP is a wildly popular multiplayer mod for BeamNG (1M registered players, always at least 3k concurrent players, also it's AGPL licensed). I left the team this year, but I can tell you: Mods, if they manage to break the sandbox in any way, can do anything, and the BeamNG sandbox will never be perfect. To their credit, the BeamNG devs have hired people from the community who do a lot of security research, and they have found numerous issues and fixed them before they could be exploited.
We have seen prototypes that can make network requests out of the sandbox, call winapi functions, and do anything else with the same privileges as the game, which, worst case, is admin because players like running things as administrator. All of those exploits are fixed, now.
The issue remains one of the largest problems in the community, and sites that are well known for distributing mods with malware (which is pretty common) are at the top of Google search results.
BeamMP allows mods on servers, which causes clients to download and then execute code from those mods. That's a huge attack vector and BeamMP has been working hard to warn users and to come up with ways to prevent problems; but without funding (BeamMP is free) there is a limit on what can be done. The infrastructure costs already are sky high for supporting the crazy amount of users they have.
Sadly, everyone involved loves NDAs - I can only hope that companies start doing writeups, but I doubt it. So that's all the inside info I can give ;)
I'm not familiar with lua, but when it's embedded as a scripting engine is it really just allowed to import whatever packages it wants and have full access to the host computer's resources? If so it seems like a really poor fit for any game that intends to have user-created mods (and yes I'm aware that it's one of the most popular scripting engines in gamedev-land and has been for about two decades).
I remember when FPS games first embraced the mod community back in the late 90s many of them had their own dedicated scripting engines (QuakeC, UnrealScript, later quake 3 arena had "real" c programs but they were compiled to a custom bytecode interpreter) that didn't have free reign over anything but the game state and that seems like a much better way to do things. Games used to have options to let you automatically download requisite mods from servers and it was safe to do so, at least in theory. I have no doubt that at some point in time there was a ROP vulnerability that could've been used to turn this into a devastating malware vector but at least then the scripting engine wouldn't be functioning as designed.
You can lock down Lua, but you need ffi to achieve really good performance. This is what BeamNG.drive does, and that does theoretically open up the sandbox quite a bit. Suddenly you allow Lua to call C++ functions, and naturally vice versa. That could be a problem, and that's not the end of it, the Lua standard library (if you wanna call it that) contains io, command execution, etc. so you need to be selective about what you allow mods to do, while still making it possible for people to make mods.
In short; you need to give Lua power over your program in some way, and that's the weak link. Lua itself can run with zero access to the world, but then you have nothing more than a calculator or config file.
Indeed before online banking and widespread online shopping there wasn't much to care for in computer security. Also before ransomware were invented. I guess the biggest application was stealing passwords (and an occasional credit card #), botnets for DDoSing game servers and such, in which case user wasn't much affected. Nowadays specially with crypto wallets you can get crazy essentially unbounded prizes, maybe millions. Don't do cryptocurrency, kids (unless losing all your funds is the least of your concerns[0]).
[0] Like you're some kind of activist or maybe in an oppressive regime
I don't have anything meaningful to add to the discussion, but just wanted to say "Thanks!" to you, and the work that the Beam people have done to try and keep things as secure as they can. It'll never be perfect, but doing that work is important, and if it's done correctly the end user doesn't even know you did anything at all.
It's also really good to hear such an open and direct description of how things were/are, too. Clarity defeats the risks around obscurity of the unknowns. When the general public is given more info to work off of, they have a better idea of where the risks are, and how they can defend from, or if they are malicious - attack from, accordingly. The sharing of that information simply works to define what the areas of concern are for everyone involved.
Just Patreon, and then there are some deals with hosting providers for servers as well. Essentially, hosting providers will pay some % of their hosting income, and in return they get "natural" advertisement and other benefits. For example, if you ask our support how to host a server, they might mention a list of providers.
This all works because the only expenses are necessary operational costs, for example server costs for the backend.
All developers, support, moderation, etc., which was around 53 people when I left in January, are volunteers and do not get paid. This is mostly because it would not be sustainable, because when you pay people, you have to pay them in accordance with local laws like minimum wage. Nobody, not even the founder, is taking money out for themselves.
I hope that answers your question! And it's great to hear when people use it :)
It sounds like Lua modding might be a bad idea. Factorio also had a few vulnerabilities due to Lua sandboxing not being as strong as initially thought.
We have seen prototypes that can make network requests out of the sandbox, call winapi functions, and do anything else with the same privileges as the game, which, worst case, is admin because players like running things as administrator. All of those exploits are fixed, now.
The issue remains one of the largest problems in the community, and sites that are well known for distributing mods with malware (which is pretty common) are at the top of Google search results.
BeamMP allows mods on servers, which causes clients to download and then execute code from those mods. That's a huge attack vector and BeamMP has been working hard to warn users and to come up with ways to prevent problems; but without funding (BeamMP is free) there is a limit on what can be done. The infrastructure costs already are sky high for supporting the crazy amount of users they have.
Sadly, everyone involved loves NDAs - I can only hope that companies start doing writeups, but I doubt it. So that's all the inside info I can give ;)
[0] https://beammp.com
[1] https://GitHub.com/BeamMP