The State of Security in MMORPGs

Anonymous writes "Security researchers Greg Hoglund and Gary McGraw poked around in World of Warcraft and other online games, finding vulnerabilities and exploiting the system using online bots and rootkit-like techniques to evade detection. Their adventures in online game security became fodder for the book, Exploiting Online Games. McGraw discussed with securityfocus the state of security in modern video games, cheating and anti-cheating systems, how the market for cheats, exploits, and digital objects is growing, what we could learn from the design of these huge systems, and how game developers react to submissions of security vulnerabilities."

Just ask regular players....

[Ian McBeth]

Just ask regular players about the security of the MMORPG's that they play.
Most are regular hack fests.

Ultima Online: Scripting in the number one player complaint, but EA doesn't give a rats ass, they never ban, despide their TOS saying otherwise. Other cheats include ways to make players drop items, and using bots to monitor certain parts of the game for the sole purpose of knowing exactly when to raid, and then there is all the speed hacking (EG movement hacks) that goes on.

Lineage II: I played for 6 months, and never met another player, just about 4000 different bots.

LOTRO: Besides the game missing something, it had its share of bots.

WoW: I get spammed with cheat site URL's every time I login, regardless of realm.

Of all the above WoW seems to have it the most under control, but that doesn't mean they don't have room to improve.
Cheating is so rampant in Ultima Online anymore, that the fricken game isn't worth logging into.

Re:My personal feelings..

[Rei]

People rely on the "grinding" aspect because it's the easiest to develop and balance properly. It's a well-worn formula. I do believe that there is some potential for ingenuity in games (and actually have worked a bit on developing a game (Eaku) that strives toward this end, with the idea of user-level scripting controlling actions in a very malleable world), but it's a lot trickier to pull off. Probably the worst idea that I've seen in practice is the one where people create a game world with the intent of it being "an environment for role-playing, not fighting". That almost never works out. Such an environment, if well advertised, will get plenty of people logging in, asking, "How do I attack things?" and leaving when they find that they can't, day in and day out. Even if in the ads you explicitly tell them that it's just for role playing.

The article touched on game dev reactions to bug reports. I've seen negative reactions to bug reports myself. In one game I was a developer for, I once did a security audit of the code and was appalled at what I found. With almost no effort, I was able to craft an in-game exploit that would wipe the hard drive of every user logged into the game who tried to bring up a URL. I had to push and push to get it fixed. Almost any bug that was security related, they didn't want to address; they were much more afraid of introducing gameplay bugs that might come as a side effect to fixing security bugs, and more afraid of having the schedule slip. Almost none of the strings in the game were checked for length or null termination when operations were done on them. It really disturbed me (and also reinforced to me why game code shouldn't be written in C; at least use C++, people...)

Re:Just ask regular players....

[Anonymous Coward]

Part of the reason WoW manages so well is that many of the kinds of rewards for achievements they give simply can't be bought and sold, the most significant being items that you can only get from PvE progress. I've never heard of gold farmers joining a high-end guild and selling a char with Illidan-killing level gear...

However, the AH prices for those items that can be sold and bought are pretty screwed up. Anything that's worth buying has seriously inflated prices while everything else doesn't sell at all (random greens sell for slightly above the vendor price due to enchanters leveling their skill, but that's about it). Of course most of those things are achievable without cheating - just by spending lots and lots of time online with enough characters...

Another problem is that leveling a new character on a realm where you don't have higher level characters requires you to choose a class that isn't too gear-dependent, since any gear worth having will be very difficult to get - since most similar level chars are twinks...that has nothing to do with cheating, but the item price inflation problem is very much related.

Re:Not just the game...

[Reapman]

Eh what? First off, FFXI isn't made by Sony, it's made by Square Enix. Also it wasn't the FFXI Site that got hacked, it was a major fan site outside of SE's control that had an Ad that would install malicious code, the site was ffxi.somepage.com (it has now been corrected is my understanding, safe to visit, or just use Opera or Firefox to work around it)

SE is dropping the ball in this area though, I know a few people that got screwed and lost their accounts like this.

Re:Cheating in online games

[JDAustin]

The program you mention was ShowEQ. Originally, it was a linux only program so it wasnt used by many. Eventually, someone ported it to Windows and its use increased vastly.

What really made things bad though was Macroquest II. Even though this required to be recompiled with every new patch, this is what made many of the exploits possible. Even SOE knew how rampant its use was but they would not go after people using MQ for its passive features (ie maps, targeting, healbot macros, etc) but people using it for the active exploiting (ie teleporting, attacking any mob in a zone from the zone line, etc).

Re:From a mainstream publisher

[llefler]

I'd just point out that bypassing Blizzard's 'Warden' monitoring software is not against their TOS. Or at least it didn't use to be. They told us how to bypass it after all the furor about privacy concerns over Warden scanning our systems for all running processes.

Essentially, rather than validating data on their servers, they're pushing an application to the clients to report any process they feel is inappropriate. I personally felt Warden was inappropriate, and never allowed it to run.

Re:My personal feelings..

[Rogerborg]

Anyone writing Massive servers in Java (or C#) should be billed the full ongoing costs of the extra iron that they require. Quite apart from the inherent overheads of VMs, those languages automagically spawn threads for network activity, rather than allowing you to perform non-blocking access from a smaller thread pool. They simply don't scale up well. A few dozen players, fine, hundreds, OK, but you hit the thousands and you're spending a significant amount of your cycles just thrashing between threads.

Java and C# people will likely deny it, but then they were always pretty big on cognitive dissonance.