MMORPG Security: Secret Chat Exploits
Developer's Cave, October 16th, 2008, 12:27pm

Forgive the somewhat sensationalized title. This article does not describe any actual attacks on MMORPG chat systems (e.g., no World of Warcraft exploits). Nonetheless, there is good reason to believe that undisclosed chat exploits exist. This article explores the potential for exploiting MMORPG chat engines, based on related security vulnerabilities that are known to exist, which occur due to common software development practices. Anyone with experience in this matter is encouraged to comment, as there is a lack of community discussion on this subject.
Prior to starting Potential Games, my academic and professional background focused on distributed software security topics. While an online game is more entertaining to play than an enterprise business application, the need for critical security analysis is just as important in both settings.
A potential vulnerability of any software system is injection of malicious data. In an online environment, peers (clients and servers, or nodes in a peer-to-peer network) pass information as a matter of course. Both sides must be especially wary of information being received, which may have been crafted to trigger some undesirable behavior.
This type of attack is old hat in the field of Web browser/server development. Browsers and servers expect messages to be received from a variety of different applications, so they are designed with data validation in mind. Nonetheless, new injection vulnerabilities are frequently identified.
On the other hand, client and server applications for an MMO game are often developed in-house as proprietary software, designed to communicate exclusively. Because of this, the design process might make the simplifying assumption that input data will be formatted as expected. Taken together with constant-crunch-time scheduling, online game software vulnerabilities are sure to be missed.
Improving the software security design process can be discussed in a future article. In the spirit of Cyber Security Awareness Month, the purpose of this article is to raise awareness of potential chat exploits. I have two reasons for choosing this specific topic: (1) chat messages represent client-to-client communication, which is especially dangerous, and (2) there doesn't seem to be much written on the subject.
On the first point, the chat system of an MMO(RPG) provides an open channel for a client application to send data to many other clients. The standard architecture is to relay chat communication through the server, subject to game rules, such as character proximity in the world. If the content of the chat message is not carefully sanitized by the server, clients could be fed malicious data, which was crafted by a hacked client (or simply cut-and-pasted as a chat message). The situation could be particularly dangerous if the software designers of the game client made the simplifying assumption that data from the (proprietary and trusted) server is safe. For these reasons, it seems that in-game, player-to-player chat engines would be particularly vulnerable to attack.
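As an added example (not code from the original post, and not any real game's protocol), here is what server-side sanitization at the relay point described above can look like. The `[link:id|label]` markup syntax, the 255-character cap, the character policy and the proximity rule are assumptions made for the illustration.

```python
import re
import unicodedata

# Constructed policy: strict UTF-8, a length cap, no control/format characters,
# and item-link markup accepted only in one fixed, allow-listed shape.
MAX_CHAT_LEN = 255
# Hypothetical client markup: [link:<numeric item id>|<label>] renders as a clickable link.
LINK_RE = re.compile(r"\[link:(\d{1,8})\|([^\[\]|\\]{1,40})\]")

class RejectedMessage(ValueError):
    """The message is dropped rather than repaired."""

def sanitize_chat(raw: bytes) -> str:
    """Validate one client chat payload before the server fans it out to other clients."""
    try:
        text = raw.decode("utf-8")  # strict: malformed bytes are rejected, not guessed at
    except UnicodeDecodeError as exc:
        raise RejectedMessage("invalid UTF-8") from exc
    if len(text) > MAX_CHAT_LEN:
        raise RejectedMessage("message too long")
    # Drop control, format, private-use and unassigned characters plus line/paragraph
    # separators: the raw material of protocol-framing and display-spoofing tricks.
    text = "".join(ch for ch in text
                   if unicodedata.category(ch)[0] != "C"
                   and unicodedata.category(ch) not in ("Zl", "Zp"))
    if not text.strip():
        raise RejectedMessage("empty after cleaning")
    return _neutralize_markup(text)

def _neutralize_markup(text: str) -> str:
    """Keep links matching the allow-list shape; strip all other brackets so the client's
    markup parser never sees attacker-shaped tokens (unbalanced, nested, non-numeric ids)."""
    out, pos = [], 0
    for m in LINK_RE.finditer(text):
        out.append(text[pos:m.start()].replace("[", "").replace("]", ""))
        out.append(m.group(0))
        pos = m.end()
    out.append(text[pos:].replace("[", "").replace("]", ""))
    return "".join(out)

def relay_chat(sender: dict, raw: bytes, players: list, radius: float) -> list:
    """Relay the sanitized text to other players within `radius` of the sender.
    Rejected messages are dropped (a real server would log and rate-limit the sender)."""
    try:
        clean = sanitize_chat(raw)
    except RejectedMessage:
        return []
    sx, sy = sender["pos"]
    return [(p["name"], clean) for p in players if p is not sender
            and ((p["pos"][0] - sx) ** 2 + (p["pos"][1] - sy) ** 2) ** 0.5 <= radius]
```

The client should apply the same checks on receipt rather than assuming the server's relay is clean.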
On the second point, I haven’t been able to find much information on actual chat-based exploits. A centralized server architecture provides an obvious location to sanitize chat messages. In practice, the state-of-the-art in MMO game systems may already avoid chat exploits. However, in the generally more open (and therefore inherently more secure) environment of Web browser and server software, vulnerabilities based on the same security principles are regularly uncovered. For these reasons, I must conclude that chat exploits are more prevalent than is openly discussed.
Despite the tingling of my security senses, these problems are either (a) already solved, (b) known by insiders who don't want to talk about them, (c) known by outsiders who don't want to reveal them, or (d) lurking in the darkness waiting to be discovered. Most likely, the answer is (e): some combination of (b) through (d). Since the insiders tend to ignore problems that are presumed unknown, and the outsiders have more to gain by concealing the exploits they do know, open discussion is the best way to proactively address security issues.
Anyone with further reading or insight is encouraged to comment. Here is an excellent article describing an Age of Conan chat exploit: Age of Conan hyperlink exploit vulnerability fixed.
November 5th, 2008 at 8:21 pm
Hey Nyhm, thanks for dropping by. I’m glad you found my post interesting. And wow, you’re developing your own MMORPG? That’s amazing! :)
November 5th, 2008 at 10:12 pm
I’m working on it rampantly, Andrew! Thanks for taking the time to leave a comment.
November 7th, 2008 at 5:31 pm
Another good example of why building your own code is often much better than trying to use 3rd-party code. Most of the chat systems I tried out in SSW had terrible built-in security or load-handling problems. I ended up rolling my own eventually, just so I knew it properly sanitized and authenticated transactions and could handle load without dropping messages.
November 8th, 2008 at 12:01 am
Munk, I’m glad to hear from someone else writing their own game code. From your link, your game looks great. Congratulations on making it into beta! I’m still implementing gameplay features in alpha myself.
June 23rd, 2009 at 12:16 am
Thank you and good luck with your own game (:
I think the lack of documentation is probably a result of:
(b) are known by insiders who don’t want to talk about them
The insight you’re looking for is probably just buried in the bugreport logs, and generally nobody publishes those. My experience suggests that hackerish types will try even harder to break a game than they would a normal business website, often because finding and reporting bugs is commonly *encouraged* by game masters, who reward found exploits with special in-game items that provide a strong motivation for people to hack ethically, while banishing those who exploit without reporting.
If you’re interested in seeing the stuff that got caught in SSW’s code (heh, nobody’s perfect), the bug reports (all 2254 of them) are searchable as long as you’re logged in.
June 30th, 2009 at 5:06 pm
interesting post, will come back here, bookmarked your site