Dark Reading

You're playing an online game in which players are warriors who can only walk, jump, or run. Suddenly, another player appears out of nowhere, draws his sword, and hacks you to bits.

Game over. But were you really beaten by a superior player? Or did a hacker or cheater simply rig the game? A new book that will be published tomorrow suggests that in the gamers' world, the cheaters often win.

In Exploiting Online Games, which is scheduled for release by Addison-Wesley on Friday, authors Greg Hoglund and Gary McGraw paint a revealing picture of the vulnerabilities in massively multiplayer online role-playing games (MMORPGs) -- and the attackers who exploit them.

"Gamers need to know that others are cheating," says McGraw, who is also CTO of Cigital. "But there's an even bigger issue here, because the interactivity we see today in these games is a lot like the interactivity we see just starting in the world of Web 2.0 and SOA. The security problems we see in gaming right now could be a harbinger of what's to come on the Web in the future."

Like the mainstream security research market, the gaming world has spawned a growing black market for cheats, hacks, and malicious exploits, McGraw says. "There is real money to be made by selling 'virtual assets' -- the stuff you need to play these games -- and hackers are learning that they can make money by getting those assets or helping others to get them." He points to IGE, a $400 million company that operates a marketplace for buying and selling virtual items.

The result is that many hackers are now plying their trade in the world of MMORPGs, discovering new ways to defeat the barriers laid out by the online game software and its associated network. "You can buy a bot that will play the game for you automatically," McGraw observes, "Or you can hire a sweatshop worker in China to do it for you. You can buy an exploit that will let you go beyond the boundaries of the game and do things that other players can't."

Many hackers currently are exploiting the gap between "state" and time which exists in a group of computers interconnected over the Web, McGraw says. Because all of the computers in a game are not synchronized in real time, many game servers distribute a common "state" to all players' computers to create a joint playing field.

But changing the state of all the computers in a network is a serious -- and potentially dangerous -- practice that can be exploited by hackers to gain access to or damage the players' machines, McGraw warns. "When you break off a piece of something fundamental like state and pass it around -- you can see the potential for security problems."

But what's even scarier is that this practice is now being applied to mainstream Web applications that employ wide interactivity -- including many Web 2.0 environments, McGraw says. "We're already seeing some of the issues that have occurred with Ajax and Java. But future clients will look a lot like the gaming clients that are out there today -- and they'll be subject to a lot of the same vulnerabilities."

Application developers need to take a hard look at the state-and-time vulnerabilities being exploited in online games, which are closely related to the "race-condition" vulnerabilities being discovered in Web 2.0 applications, McGraw says. "Developers need to build in protections during the design phase."

And gamers? "They should do a simple Google search to find out how many hacks or cheats there are available for the game they're about to play," McGraw advises. "If there are a lot of them out there, you might want to consider whether you really want to play that game or not."

— Tim Wilson, Site Editor, Dark Reading