Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Online Gaming's Seamy Underside

New book reveals the black market for hacks and cheats, popular methods for cracking online games, and a warning for IT and security pros

You're playing an online game in which players are warriors who can only walk, jump, or run. Suddenly, another player appears out of nowhere, draws his sword, and hacks you to bits.

Game over. But were you really beaten by a superior player? Or did a hacker or cheater simply rig the game? A new book that will be published tomorrow suggests that in the gamers' world, the cheaters often win.

In Exploiting Online Games, which is scheduled for release by Addison-Wesley on Friday, authors Greg Hoglund and Gary McGraw paint a revealing picture of the vulnerabilities in massively multiplayer online role-playing games (MMORPGs) -- and the attackers who exploit them.

"Gamers need to know that others are cheating," says McGraw, who is also CTO of Cigital. "But there's an even bigger issue here, because the interactivity we see today in these games is a lot like the interactivity we see just starting in the world of Web 2.0 and SOA. The security problems we see in gaming right now could be a harbinger of what's to come on the Web in the future."

Like the mainstream security research market, the gaming world has spawned a growing black market for cheats, hacks, and malicious exploits, McGraw says. "There is real money to be made by selling 'virtual assets' -- the stuff you need to play these games -- and hackers are learning that they can make money by getting those assets or helping others to get them." He points to IGE, a $400 million company that operates a marketplace for buying and selling virtual items.

The result is that many hackers are now plying their trade in the world of MMORPGs, discovering new ways to defeat the barriers laid out by the online game software and its associated network. "You can buy a bot that will play the game for you automatically," McGraw observes, "Or you can hire a sweatshop worker in China to do it for you. You can buy an exploit that will let you go beyond the boundaries of the game and do things that other players can't."

Many hackers currently are exploiting the gap between "state" and time which exists in a group of computers interconnected over the Web, McGraw says. Because all of the computers in a game are not synchronized in real time, many game servers distribute a common "state" to all players' computers to create a joint playing field.

But changing the state of all the computers in a network is a serious -- and potentially dangerous -- practice that can be exploited by hackers to gain access to or damage the players' machines, McGraw warns. "When you break off a piece of something fundamental like state and pass it around -- you can see the potential for security problems."

But what's even scarier is that this practice is now being applied to mainstream Web applications that employ wide interactivity -- including many Web 2.0 environments, McGraw says. "We're already seeing some of the issues that have occurred with Ajax and Java. But future clients will look a lot like the gaming clients that are out there today -- and they'll be subject to a lot of the same vulnerabilities."

Application developers need to take a hard look at the state-and-time vulnerabilities being exploited in online games, which are closely related to the "race-condition" vulnerabilities being discovered in Web 2.0 applications, McGraw says. "Developers need to build in protections during the design phase."

And gamers? "They should do a simple Google search to find out how many hacks or cheats there are available for the game they're about to play," McGraw advises. "If there are a lot of them out there, you might want to consider whether you really want to play that game or not."

— Tim Wilson, Site Editor, Dark Reading

  • Cigital Inc. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    HackerOne Drops Mobile Voting App Vendor Voatz
    Dark Reading Staff 3/30/2020
    Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
    Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    State of Cybersecurity Incident Response
    State of Cybersecurity Incident Response
    Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-04-06
    An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa.
    PUBLISHED: 2020-04-05
    An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. audio_sample_entry_Read in isomedia/box_code_base.c does not properly decide when to make gf_isom_box_del calls. This leads to various use-after-free outcomes involving mdia_Read, gf_isom_delete_movie, and gf_isom_parse_m...
    PUBLISHED: 2020-04-05
    PRTG Network Monitor before allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.
    PUBLISHED: 2020-04-05
    The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
    PUBLISHED: 2020-04-04
    3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the <KEY>MYKEY</KEY> substring.