Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Online Gaming's Seamy Underside

New book reveals the black market for hacks and cheats, popular methods for cracking online games, and a warning for IT and security pros

You're playing an online game in which players are warriors who can only walk, jump, or run. Suddenly, another player appears out of nowhere, draws his sword, and hacks you to bits.

Game over. But were you really beaten by a superior player? Or did a hacker or cheater simply rig the game? A new book that will be published tomorrow suggests that in the gamers' world, the cheaters often win.

In Exploiting Online Games, which is scheduled for release by Addison-Wesley on Friday, authors Greg Hoglund and Gary McGraw paint a revealing picture of the vulnerabilities in massively multiplayer online role-playing games (MMORPGs) -- and the attackers who exploit them.

"Gamers need to know that others are cheating," says McGraw, who is also CTO of Cigital. "But there's an even bigger issue here, because the interactivity we see today in these games is a lot like the interactivity we see just starting in the world of Web 2.0 and SOA. The security problems we see in gaming right now could be a harbinger of what's to come on the Web in the future."

Like the mainstream security research market, the gaming world has spawned a growing black market for cheats, hacks, and malicious exploits, McGraw says. "There is real money to be made by selling 'virtual assets' -- the stuff you need to play these games -- and hackers are learning that they can make money by getting those assets or helping others to get them." He points to IGE, a $400 million company that operates a marketplace for buying and selling virtual items.

The result is that many hackers are now plying their trade in the world of MMORPGs, discovering new ways to defeat the barriers laid out by the online game software and its associated network. "You can buy a bot that will play the game for you automatically," McGraw observes, "Or you can hire a sweatshop worker in China to do it for you. You can buy an exploit that will let you go beyond the boundaries of the game and do things that other players can't."

Many hackers currently are exploiting the gap between "state" and time which exists in a group of computers interconnected over the Web, McGraw says. Because all of the computers in a game are not synchronized in real time, many game servers distribute a common "state" to all players' computers to create a joint playing field.

But changing the state of all the computers in a network is a serious -- and potentially dangerous -- practice that can be exploited by hackers to gain access to or damage the players' machines, McGraw warns. "When you break off a piece of something fundamental like state and pass it around -- you can see the potential for security problems."

But what's even scarier is that this practice is now being applied to mainstream Web applications that employ wide interactivity -- including many Web 2.0 environments, McGraw says. "We're already seeing some of the issues that have occurred with Ajax and Java. But future clients will look a lot like the gaming clients that are out there today -- and they'll be subject to a lot of the same vulnerabilities."

Application developers need to take a hard look at the state-and-time vulnerabilities being exploited in online games, which are closely related to the "race-condition" vulnerabilities being discovered in Web 2.0 applications, McGraw says. "Developers need to build in protections during the design phase."

And gamers? "They should do a simple Google search to find out how many hacks or cheats there are available for the game they're about to play," McGraw advises. "If there are a lot of them out there, you might want to consider whether you really want to play that game or not."

— Tim Wilson, Site Editor, Dark Reading

  • Cigital Inc. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    How to Better Secure Your Microsoft 365 Environment
    Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
    Attackers Leave Stolen Credentials Searchable on Google
    Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    2020: The Year in Security
    Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
    Flash Poll
    Assessing Cybersecurity Risk in Today's Enterprises
    Assessing Cybersecurity Risk in Today's Enterprises
    COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2021-3326
    PUBLISHED: 2021-01-27
    The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
    CVE-2021-22641
    PUBLISHED: 2021-01-27
    A heap-based buffer overflow issue has been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).
    CVE-2021-22653
    PUBLISHED: 2021-01-27
    Multiple out-of-bounds write issues have been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).
    CVE-2021-22655
    PUBLISHED: 2021-01-27
    Multiple out-of-bounds read issues have been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).
    CVE-2021-26276
    PUBLISHED: 2021-01-27
    ** DISPUTED ** scripts/cli.js in the GoDaddy node-config-shield (aka Config Shield) package before 0.2.2 for Node.js calls eval when processing a set command. NOTE: the vendor reportedly states that this is not a vulnerability. The set command was not intended for use with untrusted data.