[This was originally published on the OSVDB blog.]
Does the nature of a product determine vulnerability status? Without giving much thought, most people would classify a ‘game’ as nothing of concern. No way it could possibly pose a security threat to you.. besides, it’s fun! In reality though, games are just as likely to bite you in the ass as any other software including your web browser or blog software.
Luigi Auriemma is probably the most prevalent researcher for finding vulnerabilities in game software. For over a year now, he has found serious vulnerabilities in a wide range of games including Doomsday, X-Doom, Alien Arena, the Cube Engine, Monopd, Freeciv, FlatFrag, Glider, Scorched 3D, World Poker, Race Driver, Sacrifice, NetPanzer, Stronghold, Terminator, Warrior Kings, Halo, Yager, Star Wars Academy … oh, yeah, I’ll stop now. And yes, the list goes on for many more pages. These vulnerabilities include trivial crashes, remote denial of service, remote overflows, format strings and more, including some fairly unique testing that many researchers tend to ignore. Running your favorite game one minute, getting owned by someone across the world the next. Laugh all you want, but they are just as important to be concerned about as any other vulnerability, if not more so.
This leads to a natural question for VDBs, what constitutes a vulnerability in a game? Obviously, remote exploitation that allows privileged access or trivial denial of service counts. But what about inside a game? As prompted by my recent digging into the Empire game, some of the changelog entries made me think of this. Consider the following:
- Don’t reseed the PRNG in commands, it hurts randomness and could be abused by crafty players.
- Fix major bug in transport that allowed two cooperating countries to duplicate items.
- Close major loophole in drop that allowed players to determine whether an arbitrary sector is sea, allied land, or other land.
- Close loophole in bomb that allowed players to find all sanctuaries.
So, do any of those qualify as vulnerabilities? It is easy to dismiss these as in game ‘cheats’ or giving one player an ‘advantage’ over another. In other systems, manipulating data or disclosing sensitive information is a serious risk, but is it the same for games? One may argue ‘no’, it’s just a game, so what if someone cheat a little bit. Other’s may argue ‘yes’, you are abusing the system and negatively impacting the gaming experience for others unfairly while increasing your own privileges without authorization. Finding a middle ground, what about games that are not so casual, and are methods for making money? How about games you pay to play? Is it an “advantage” or a “vulnerability” that someone can duplicate in-game currency at will before turning around and selling it online for real money?