Question Rainbow Six Siege - Exploiting Image HTML tags in Ubisoft Names for IP Grabbing

[John Parser]

Has anyone tested this yet? Seen a few people bringing this up recently.

Looks like a major oversight by Ubisoft, which is honestly typical at this point. It sounds like they are injecting HTML tags into the username field, and the game client is blindly rendering it as if it's legitimate UI content. If the client is actually pulling the image from an external source via that tag, then yeah, your IP is getting logged the second the request hits the server hosting that image.

Honestly, surprised they haven't patched the sanitizer for the username string input yet. It's probably just a lack of proper validation on the backend or client-side rendering engine.

1. The Exploit: Injecting tags into the Ubisoft username field.
2. The Risk: IP logging via external image server request + potential client-side RCE if the rendering engine has other holes.

If you're playing Siege, I'd suggest disabling player names or just being careful who you're queuing with until they drop a fix for this. Seems like a massive security flaw for a "competitive" title. Has anyone actually seen this in-game or is it just another "paste" rumor floating around?