Remote Code Execution in Marvel Rivals Game
185 points by eugenekolo 5 months ago | 129 comments
- doctorpangloss 5 months ago: The engineering culture behind AAA video games is rotten to the core with regards to security. Everyone thinks they're making Doom 3 and they're really making Windows 2000 Service Pack 1.
- TeMPOraL 5 months ago: The problem in big part stems from the business culture upstream. They're trying to produce a game, but what they're really after is e-sports money. They design multiplayer to be about organized pro play, which brings in all the cheating problems of professional sports, so they end up subjecting every player to e-sports-grade security like those anti-cheat systems, despite 99.9% of the player base not caring about pro play in the first place.
This is the worst possible combination: players are forced to accept first-party invasive rootkits that are disruptive and ineffective, while cheaters still cheat.
IMHO the only sensible solution is to separate out the e-sports angle from the game itself. People who want to "go pro" would be free to subject themselves to anti-cheats and drinking verification cans, and past some point might as well buy company-authorized computers to play on. Everyone else should just be allowed to play casually and enjoy the game without the anti-cheat nuisance (and the looming threat of a false positive).
With the main incentive for serious cheating separated out, non-pro players would only have to worry about griefers. Those are a problem too, but they can be dealt with by simpler and less invasive measures than a kernel-level rootkit.
As it is, AAA multiplayer games are basically like if FIFA was to micromanage Town Recreational Leagues and hold them to the World Cup standard, because cheating is a Big Deal so every kid needs to take regular blood tests before the match.
- ThatMedicIsASpy 5 months ago: Nobody wants to play multiplayer (only) games with cheaters. It is that simple.
Esports money...? Micro transactions is the money. Publisher driven esports is advertising.
- TeMPOraL 5 months ago: Microtransactions are a self-inflicted fuckup. They're like a zombie bite - once you add them in, your game will start to transform into a slot machine wearing the skin of a dead game, and there's fuck all anyone can do to stop it.
> Publisher driven esports is advertising.
Yes, of course. E-sports is advertising. All professional sports are advertising. That's what makes money. Sales of tickets, merch, guides, coverage, etc. A successful sport is a self-sustaining money printing machine. Now, traditional sports are "frozen in time" relative to business timescales; meanwhile, in e-sports, it's entirely possible for a company to introduce a new game and turn it into a worldwide phenomenon over a couple of years, and then keep getting a cut from aforementioned money printer for many more years still, all while trying to introduce a new game to keep the money running.
And it's okay, I honestly don't mind. As far as the advertising-driven economy goes, sports (traditional or otherwise) is one of the more benign fields. The problem I see is that the relentless focus on building a game optimized for professional play ruins it for the vast majority of players, and I fail to see why companies keep doing it instead of bifurcating the multiplayer aspect into "casual play" and "pro play", allowing for the latter while also letting the former have their fun.
> Nobody wants to play multiplayer (only) games with cheaters.
My point is that most of the cheating comes from structuring the game around pro-play. You get a global ladder, which establishes an ordinal ranking that invites cheaters who just want to score higher for less effort. All those cheaters end up ruining the game for regular people, who don't care that much about the ranking. Most of those cheaters would go away if the ladder was removed - but that ladder is critical to the company and wannabe progamers precisely because the top levels of that ladder are a gateway to pro-level play.
You can't eliminate all cheating - there's always some people who, for whatever reason, enjoy ruining the game for others. Fortunately, such people are a very small fraction of the playerbase, and most of them don't enjoy it enough to bother if you throw some small obstacles their way. It's manageable. Competitive rankings, on the other hand, are something cheaters love much more than regular players, so by adding it, you're basically creating the problem.
This is true for all competitive endeavors - the bigger the reward, the more it attracts competitive players, some of which are going to resort to cheating, and attempts at fighting cheating further ruin things for those who don't care about competing in the first place. And yes, it applies to the market economy too.
- bilekas 5 months ago: I don’t work in gaming, but I know a few people who do, and every one of them does it for the love of the game. Certainly not for the job security or even the money. This idea that they’re also to handle security is too much. It’s not their fault; they’re writing “art”, not secure microservices for multinational companies.
Publishers will pay to have ring 0 kernel access on your system but not for software securing their game.
> the game runs with admin privileges for the sake of anti-cheat
Nobody higher than the devs thought “this might be risky?”
Because I can assure you, the devs felt it was stupid and risky.
Your “Everyone thinks they're making Doom 3”: as I see it, this is not the developers' fault.
- bongodongobob 5 months ago: I've done IT support for a number of devs across multiple companies and they all expect local admin and admin access to everything. So no, I don't believe they feel it is risky. I believe they don't get it/don't care. It's just not their wheelhouse.
- idiotsecant 5 months ago: No, it's because the average IT infrastructure is abysmal, and getting things done without admin is its own full-time job: filing and following up on tickets and trying to plead your case for the ten thousandth time to the exalted security deities that you just want to do your job gets old.
Am I bitter? Nah.
- bilekas 5 months ago: This is a different case, if I don’t have permission to talk to the graphics card, sound card, even RAM, I’m a restricted engineer.
> I believe they don’t get it/don’t care.
You’re right, anything that’s not obstructive is never worried about.
To me that says you’re doing a good job giving permissions; it’s also your job to manage those permissions, not the developers'.
> It's just not their wheelhouse.
You're absolutely bang on. And I can say from experience, it’s good you guys are there.
- maccard 5 months ago: I use a company managed machine. If my machine is compromised even in user space, my AWS credentials (which AWS stores in %UserProfile%/.aws) are hosed. Source code? Gone. Cookies from Chrome? Gone. Files on the network share that everyone has mounted? Compromised.
If someone can run a python script on your machine, it’s game over whether it’s running as admin or not.
- Thaxll 5 months ago: It's not more rotten than your regular backend shop. How many API issues, auth problems and open S3 buckets are out there exactly?
- bobnamob 5 months ago: Open S3 bucket syndrome is basically cured at this point. (Aside from legacy buckets, which should all be exploited by now.)
The "yes I really want to do this" confirmations you need to go through when opening up a bucket these days are about 4 deep...
Authn/z issues are real though, they'll never be fixed
- devmor 5 months ago: Why would there be a strong engineering culture behind AAA video games at all? Game developers are underpaid, overworked and constantly told they can be replaced at a moment's notice.
I wouldn't expect anything but code that "ships" out of them, and it's understandable why.
- pyrolistical 5 months ago: There needs to be at least 1 person to figure out why the game isn’t hitting the performance target. That is real engineering.
- mrguyorama 5 months ago: In modern gaming you just make every texture max size even though it only covers a tiny surface and will only fill 6 pixels on a large monitor.
Also, half of their shaders are broken on some configurations. Also they used a function call wrong so their game tries to render something a bunch of times instead of once.
A huge portion of NVidia and AMD GPU drivers is literally hacks to make games actually run well. Both Nvidia and AMD patch game shaders at runtime to keep things from being unusable, and hack around broken behavior or wrong usage of APIs. It's exactly reminiscent of the situation Windows 95 had when all sorts of popular programs couldn't even save interrupt flags properly because they straight up did not read the manual which had many sentences and code fragments demonstrating that what they wrote would not work.
Also, Titanfall 1 shipped with like 30gb of uncompressed audio. They did this to "reduce CPU load". In 2014.
- DrillShopper 5 months ago: With DLSS nobody bothers anymore. Just force the punters to buy an overpriced video card and then poor-shame them if they don't.
- maccard 5 months ago: It’s definitely games that are the problem. There’s no way that websites are still embedding third party code that is just slopped together shit and wildly vulnerable [0]. Or that domain registrars, one of the core points of trust of the internet, would lie about their security practices and be sued by the FTC almost a decade after it [1]. Or that an endpoint management system would take down multiple airports due to basic bounds checks missing [2]. How about a massive software company used by huge enterprises for storing their knowledge bases having an RCE [3]. A global CDN definitely wouldn’t break DNS and take down half the internet [4].
Now you might say, those companies are irresponsible and that well maintained open source software doesn’t have this issue. That would mean no 0 days for linux [5], and that the most battle tested libraries in the world are immune from basic issues [6][7].
Software engineering is broken; it’s not just games. (Although, if you think physical construction is any better, I suggest you stick a T square in the corners of your house and figure out how many of your walls aren’t square.) You
[0] https://mrbruh.com/chattr/
[1] https://news.ycombinator.com/item?id=42849632
[2] https://en.m.wikipedia.org/wiki/2024_CrowdStrike-related_IT_...
[3] https://www.csoonline.com/article/2138177/atlassians-conflue...
[4] https://techcrunch.com/2021/07/22/a-dns-outage-just-took-dow...
[5] https://www.indusface.com/blog/rce-zero-day-vulnerabilities-...
- cubefox 5 months ago:
> The engineering culture behind AAA video games is rotten to the core with regards to security.
But it is way ahead with regards to efficient hardware utilization!
- 0cf8612b2e1e 5 months ago: And usually with an eye towards good user interface design. Not some white space heavy “clean” look where everything is hidden behind hamburger menus.
- ykonstant 5 months ago: Preach. I often point towards games for examples of good balance of density, as well as elements of modern-looking skeuomorphism in UI.
Of course I get all the usual garbage non-arguments in response from designers who don't want to take up a challenge and actually design, and instead fall back on a "tried and true" (except it is shit) fashion.
- tpxl 5 months ago: Some games, sure, most games, no. There are tons of games out there with dialog options that don't support choosing with numbers, a ton of games where you can't quickloot/drop with shift-click, comparing equipment is a chore, confirmation screens don't have y/enter to confirm or n/esc to cancel, missing/useless tooltips, custom fonts that are unreadable...
These things are _trivial_ to implement, it's just nobody thinks about the UI as long as it 'works'.
- creaturemachine 5 months ago: I dunno, lately they're more interested in pointing you to the store page for skins and loot boxes.
- agoodusername63 5 months ago: Is it particularly surprising though?
These are game developers. Not backend developers. Not web guys. Not remotely trained in infosec. They make games. Not security software. And for the longest time this was acceptable.
I think for a GaaS in 2025 it's unacceptable to not have security minded engineers on staff for the backend stuff. Too much money is involved not to. Especially for studios very familiar with shipping online games.
But I'm also kind of disappointed in how much we're forgetting that these people are not infosec nerds. Last year there was a cute fishing game made by a single dude messing around making things. It got popular and a kid found an RCE bug with the multiplayer. The dude got a TON of shit for the flaw, which feels deeply unfair. I don't expect my mom to configure a router correctly. I don't expect video game developers to understand defensive network programming without training.
Maybe I'm just a little frustrated at the Internet being largely unable to understand that defensive programming is something that isn't in a game dev's trained skills. I would expect better of NetEase, however.
- phoronixrly 5 months ago: Hey, I feel there's some predisposition in infosec-minded people that insecure software must not exist regardless of its purpose or threat model. And also that people who can't write secure code must not write code...
- Hackbraten 5 months ago: People who can't write secure code yet can learn how to write secure code.
- chefandy 5 months ago: For some little indie setup, sure. But AAA studios are like any other software companies— the folks putting their network stack together aren’t the same people that are making the gameplay logic, many of whom probably went to art school and learned how to script and write some less-complex C++, and they’re different from the people working with the low-level graphics programming in the game engine, many of whom probably have PhDs in computer science or other related math disciplines. Having a connection low-latency enough and reliable enough to have fighting game tournaments on servers with many thousands of players isn’t a job for a general purpose game developer.
- supermatt 5 months ago: They generally make software that runs with (at least) unrestricted user level access on client devices, as opposed to backend guys who have no client access, and web guys whose code runs in a sandbox.
If anything these devs should be more cautious than the others as the risk to the end user is extreme.
- gruez 5 months ago:
> These are game developers. Not backend developers. Not web guys. Not remotely trained in infosec. They make games. Not security software.
Why do game developers get a pass but not "backend developers" or "web guys"? Don't the latter only "make CRUD apps, not security software"?
- sbarre 5 months ago: I think for web or "backend for network" people, you are always deploying into a hostile environment (the Internet) and so you really should be at least aware of basic security measures. If you consider yourself a professional in that field, it's table stakes.
If you're a game dev, you were taught to write optimized code that runs locally on a computer.
Not everything you do will run on the network, and networking/multiplayer might not be relevant every single time you ship a game. So it's less relevant (if still important)
- Xunjin 5 months ago: Great commentary, today the industry is focused on delivering free games with tons of cosmetics (which give a ton of money) but forgetting about performance and security.
- TonyTrapp 5 months ago: Your average networked game these days is probably a bazillion times more secure than one from 20 years ago. It was super common that there were cheat tools to crash all game clients in a match. It was super annoying; we can just be glad that it was usually not used for anything more nefarious.
- Xunjin 5 months ago: Excellent point, how do you see the industry today, security-wise?
- agentultra 5 months ago: I was literally thinking about this the other day. There are a ton of games using kernel modules for anti-cheat and... just load and interpret data payloads. Certainly some of those payloads could manipulate the funny machines inside of a game executable if they're not careful about their parsing and validation.
Nice PoC!
Update: yes, most game client processes don't run in the kernel. My b. I was just thinking that updates and content payloads might be an interesting vector for langsec.
- Liquix 5 months ago: Yes. For example World of Warcraft's anti-cheat (Warden), although it runs in userspace, has been exploited multiple times to gain RCE/server root after receiving malicious payloads from clients.
- agentultra 5 months ago: Also, if you see content distribution networks the way we've been looking into package managers as a vector distributing poisoned payloads... seems fruitful.
- mavhc 5 months ago: Imagine if security software did that, but also ran on boot and took down a million critical machines.
- kibwen 5 months ago: I bought a Steam Deck with the sole purpose of having a cheap, airgapped PC to run games on. Game devs just don't have the incentives or discipline to be trusted with security.
Reminder that all three Dark Souls games allowed full RCE to any users connected to the internet: https://flashpoint.io/blog/rce-vulnerability-dark-souls/
- Etheryte 5 months ago: I wish Steam offered a console format of the deck, essentially the same thing, but with better specs, HDMI out and bluetooth for controllers. Would be a massive hit I wager.
- oxygen_crisis 5 months ago: The deck already has bluetooth for controllers and HDMI out if you get a standard USB3/HDMI dongle (or their expensive dock).
Essentially all you're asking for them to add is better specs.
In December their revised branding guidelines added a "Powered by SteamOS" badge so presumably 3rd-party boxes with various specs in set-top form factors will be coming before too long:
> The Powered by SteamOS logo indicates that a hardware device will run the SteamOS and boot into SteamOS upon powering on the device. Partners / manufacturers will ship hardware with a Steam image in the form provided by and/or developed in close collaboration with Valve.
- ThatPlayer 5 months ago: Better specs would also be interesting, because Steam's current "Steam Deck Verified" does check if games run well on the Steam Deck's hardware. There's another check for text size on the smaller 7" screen too.
- jamie_ca 5 months ago: They tried some years back https://en.wikipedia.org/wiki/Steam_Machine_(computer) but it didn't really hit big. That said, recent updates to SteamOS and agreements around logo/branding use hint that we're likely to see a few other options in the coming year or two (alongside some 3rd-party handhelds running SteamOS).
- kibwen 5 months ago: This is what I do, I rarely use it in handheld mode (but I do appreciate the ability to). Valve sells a dock with HDMI out (along with ethernet, USB, etc), and I can confirm that it works wirelessly with Xbox controllers.
- LordDragonfang 5 months ago:
> Would be a massive hit I wager.
I strongly doubt it. Steam already tried releasing a console alternative, Steam boxes, and they massively flopped. By far the main reason for the Steam Deck's success is its portable form factor, not the fact that it's a Linux machine that runs games. It succeeded in spite of the software, not because of it.
The overwhelming majority of users are going to want either a "real" (read: Windows) PC, or a "real" (read: the same one their friends have) console.
- Etheryte 5 months ago: This misses why the old Steam Machine was a failure: it was half baked hardware with few games that would run well on it. With the work they've put into the Steam Deck they've largely solved both of those issues, they now have a stable platform and also a sizable library of games that just work, no tinkering required.
- oxygen_crisis 5 months ago: Steam Deck succeeded where Steam Machines flopped because of nearly a decade of advancement on the Proton compatibility layer, so the catalog of eligible games is orders of magnitude larger than it was in 2015.
When Steam Machines re-launch with the current generation of Proton compatibility it will be an entirely different story.
- qskousen 5 months ago: This is something they are (probably) working towards with SteamOS, being able to run it on your own hardware with deck-level hardware support. See https://www.pcguide.com/news/valve-could-be-thinking-about-r...
- 0cf8612b2e1e 5 months ago: I thought SteamOS was just some layers on top of Arch.
To not go full Dropbox, but I think if someone wants a Linux PC to run games, it is within the realm for a home PC builder to accomplish. It would otherwise be a tough market to sell, “Buy this gamer PC, less great specs than you would likely pick for yourself and not compatible with the most popular games that have onerous anti-cheat root kits”.
- aprilnya 5 months ago: According to leaks, “Steam Deck TV” has been in the works for a couple years now IIRC.
- lockemx 5 months ago: Interestingly, the game doesn't run as admin for any good reason. The first thing I did was only let the launcher and game run as the user with RunAsInvoker. The anticheat alone is allowed RunAsAdmin. At the same time, I don't trust any anticheat. It's probably worse than useless, but it is what it is. I thought Microsoft would clean this up after the Crowdstrike incident for all kernel-level code, but I guess there's no incentive for them to only let game companies request runtime analysis / reports rather than run code. As for the anti-cheat industry, they should focus on patterns of user behavior to help game companies moderate the players as much as necessary.
- zwily 5 months ago: I have a related question for you... my kids like Marvel Rivals, but I also use Microsoft family tools to limit their screen time so they don't have Admin accounts. However, the Marvel Rivals anti-cheat makes me enter my password every time they launch. Is there any way for me to create a shortcut or something so Rivals will launch without my password?
I'm not a Windows guy and trying to figure this out has been extremely frustrating...
- voxic11 5 months ago: You can make an on-demand scheduled task that runs Marvel Rivals as admin, then create a shortcut that invokes the task.
Full instructions https://chatgpt.com/share/67a13960-c1b4-8002-a699-7b547c759c...
- sandyarmstrong 5 months ago: I just had to fix this for my kid over the weekend. https://steamcommunity.com/app/2767030/discussions/0/5962604... was very helpful:
You can also skip the UAC prompt without editing the registry, by adding the following to the game's launch options in Steam:
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %command%"
- zwily 4 months ago: Wow... thank you so much. I actually couldn't get that way to work, but adding RunAsInvoker in the registry worked for us. I can't believe all it took was one registry entry.
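The two workarounds in this subthread (the Steam launch option that sets __COMPAT_LAYER, and the per-user RunAsInvoker registry entry that ended up working) both pin the RUNASINVOKER compatibility layer to the game executable so it starts with the launching user's token instead of prompting for elevation. The PowerShell below is an added example, not code from the thread or from NetEase; the executable path is a placeholder you replace with the real one, and the anti-cheat service keeps whatever admin rights it already has, since only the named executable is affected.

```powershell
# Added example: pin the per-user RUNASINVOKER AppCompat layer to one executable.
# Placeholder path (assumption): replace with the real game/launcher executable.
$GameExe = 'C:\PLACEHOLDER\MarvelRivals_Launcher.exe'

# Per-user layer store. Value name = full exe path, data = "~ RUNASINVOKER".
# HKCU only affects the current user, so run this once inside each child's account.
$LayersKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

function Set-RunAsInvokerLayer {
    param([Parameter(Mandatory)][string]$ExePath)
    if (-not (Test-Path -LiteralPath $ExePath)) {
        throw "Executable not found: $ExePath"
    }
    if (-not (Test-Path $LayersKey)) {
        New-Item -Path $LayersKey -Force | Out-Null
    }
    # Overwrites any existing layer for this exe (e.g. a stale "~ RUNASADMIN").
    New-ItemProperty -Path $LayersKey -Name $ExePath -Value '~ RUNASINVOKER' `
        -PropertyType String -Force | Out-Null
}

function Test-RunAsInvokerLayer {
    # Returns $true only when the exact layer string is present for this exe.
    param([Parameter(Mandatory)][string]$ExePath)
    $props = Get-ItemProperty -Path $LayersKey -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($props.$ExePath -eq '~ RUNASINVOKER')
}

function Remove-RunAsInvokerLayer {
    # Undo: drop the value so the exe's own manifest decides elevation again.
    param([Parameter(Mandatory)][string]$ExePath)
    Remove-ItemProperty -Path $LayersKey -Name $ExePath -ErrorAction SilentlyContinue
}

Set-RunAsInvokerLayer -ExePath $GameExe
Test-RunAsInvokerLayer -ExePath $GameExe   # $true once the value is written

# Same layer applied for a single launch, without touching the registry, is what
# the Steam launch option quoted above does through the environment:
#   cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %command%"
```

RUNASINVOKER only suppresses the elevation request; if a binary genuinely needs admin rights to work it will start unelevated and then fail, which is why the separate anti-cheat service is left out of this and still runs elevated on its own.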
- kevingadd 5 months ago: I tried to get Microsoft to stop signing kernel mode anti-cheat drivers with no result. Even when a vulnerable driver is found the vendor is given way too much time to deploy a fix while the vulnerable build is out in the wild with a valid signature. The signature should be revoked as soon as an exploit is found, it's an anti-cheat driver for video games not essential business/government infrastructure.
- EA-3167 5 months ago: If anticheat worked then it would be an interesting, perhaps tolerable tradeoff for some. The reality however is that games are absolutely packed with cheaters, there's an international industry in creating cheats for popular games, so what you get is an arms race that as usual only punishes honest users. It's like DRM, pirates don't seem to have much of a problem, but it sure can hurt the rest of us.
Unfortunately both the executives who buy into these things, and the average consumer, are simply too... simple, to understand or appreciate that.
- maccard 5 months ago:
> Unfortunately both the executives who buy into these things, and the average consumer, are simply too... simple, to understand or appreciate that.
With all due respect, it’s ironic that you’re calling everyone else simple.
Something doesn’t have to be 100% effective to be a massive deterrent. Cheat prevention is a game of cat and mouse and anti-cheat is one of the levers. Here [0] is an example of a popular game with no anti-cheat which was completely ruined by cheaters. Did putting EAC into the game stop every single cheater? No. But it did make the experience better for a significant number of players who were having their games destroyed by cheaters.
[0] https://www.pcgamer.com/fall-guys-adding-anti-cheat-in-the-n...
- EA-3167 5 months ago: The line that stood out for me in that article was: "There is no in-game reporting system." On a somewhat amusing note, I searched for stories about cheating on Fall Guys these days, and one of the first results was... a vendor for cheats. Literally the third result. Another result was a Reddit article from last February talking about the ubiquity of cheaters. There are similar articles in a similar time frame on Steam and elsewhere. TikTok at that same time has collections of videos of them.
While I'm sure that Easy Anti-Cheat is... easier than a reporting system that would require numerous humans working it, I don't think it's the best solution for the player. It's "just enough" at best, and at worst... well see the article we're all commenting under.
- bangaladore 5 months ago:
> the game runs with admin privileges for the sake of anti-cheat
"sake of anti-cheat" should be taken lightly here. There is a reason why all the other sane anti-cheats have at least two applications: the anti-cheat service, which often runs as admin, and the game, which does not. Running the game as admin is quite frankly inexcusable.
The service often does the network comms and communicates to a kernel-mode driver and/or to the application via IPC or similar. Having defined barriers of separation is a good thing.
In any case, this POC doesn't have huge implications necessarily for most people, but maybe in SEA or China where LAN cafes are more prevalent, it could be a larger concern.
- shalzuth 5 months ago: The one implication that I (the author) should highlight for the extra paranoid - this exploit extends to ISPs and cloud vendors that traffic is routed through. Anywhere in the trace route can MITM. It depends on how much you trust those parties.
- sim7c00 5 months ago: Tried in some communities of gamedev to talk about security but I gave up. I think the main sentiment is not to care at all. So many games have or had trivial exploits, enabling mass cheating, harassment of other players (DoS) and more nefarious stuff. For people who think the MITM won't affect them... that's a silly stance. People hack home routers on massive scales (another domain that doesn't seem to give shits about security).
Good writeup! Thanks!
- 999900000999 5 months ago: There's a really good argument for having a "gaming" OS, Windows, and a serious OS, Linux, on the same computer.
If League of Legends needs super admin mode, it's no longer my computer. I'm sharing it with Tencent. I can't trust them (specifically a disgruntled employee) to not install key loggers and other really nasty things.
- sanktanglia 5 months ago: Funny enough, this engine is based on the same one they used in Diablo Immortal, which also has this issue.
- lcnPylGDnU4H9OF 5 months ago:
> This also opens the door up to an entrypoint on PS5.
Does he mean that this is potentially how one could install custom firmware on their console?
Curious because I remember reading somewhat recently that console vendors have locked their consoles down well enough so as to avoid any vulnerabilities which could be exploited to install custom firmware. It would be amusing if that was invalidated by game dev security and I start hearing about ways to install some modded firmware, which include a step of "install one of these games".
IIRC, the web browser on 3DS systems was exploited to install custom firmware rather than a game so it was rather easily patched with a system update (and, indeed, it actually was patched). I wonder if we'll be seeing Sony/Nintendo/Microsoft start to insist on certain security standards as a result of games being exploited to install custom firmware on the devices they sell, presuming the answer to my first question is affirmative.
- bakugo 5 months ago:
> Does he mean that this is potentially how one could install custom firmware on their console?
Sort of. It's a userland code execution exploit, which is often the first step, but all games run in a locked down VM specifically to protect against things like this, so you still need a kernel/hypervisor exploit to escape the VM and actually mess with the system in any significant way.
- lcnPylGDnU4H9OF 5 months ago: Thanks for the explanation. That helps complete the picture another comment (https://news.ycombinator.com/item?id=42921799) started about “funny machines”. I do believe the measures they’ve taken to protect against malicious payloads are going to be tested rather relentlessly.
- shalzuth 5 months ago: PS5 games are sandboxed, so it only allows an entrypoint to run code. For full PS5 exploitation, another chain is needed to break out of the sandbox.
- tart-lemonade 5 months ago: It downloads and executes a Python script to update the store page? Log4j/log4shell, anyone?
Just build a JSON API! It's not that hard! You don't need to RCE your game every time it launches just for microtransactions.
- X-Cubed 5 months ago:
> Just build a JSON API! It's not that hard!
I agree that a JSON API is a better approach, but it's possible for AAA game developers to screw that up too: https://arstechnica.com/gaming/2021/03/developers-to-update-...
- S0y 5 months ago: So what part of the game code exactly is able to download a random Python script and run it?
- sanktanglia 5 months ago: The patching process sends Python bytecode for hot fixes.
- jauntywundrkind 5 months ago: For a second I thought this was the Marvel game that got briefly banned along with TikTok, but that's Marvel Snap.
It would have been a tiny bit funny if it had been the same company that was just briefly banned that was allowing a remote exploit.
- zxilly 5 months ago: Looks like a typical MITM attack, which confuses me a bit: don't the developers use something like TLS or DTLS to protect their communications? The most recent game I analysed was Helldivers 2, which uses DTLS. I would have thought that would be fairly common knowledge.
- shalzuth 5 months ago: That's the issue - they don't! But even games like Helldivers 2 have had silly vulnerabilities (just not RCE) - see https://helldivers.io/freesupercredits for some examples.
- plagiarist 5 months ago: I like the other rant at the bottom. But why would game developers care about security when their customers don't care? The customers are fine running anticheat with admin privileges like in this RCE he just found.
- kevingadd 5 months ago: I personally encountered a game anti-cheat driver in the wild (Anti-Cheat Expert) that caused BSODs and data loss. I later discovered there were known exploits in it and the signature still hadn't been revoked. I managed to get the developers of the game I was playing to reconfigure it by kicking up a fuss on the subreddit, at least.
- foco_tubi 5 months agoInteresting that the PS5 has been implicated - does this mean that there is an opportunity to jailbreak firmware again?
- wyldfire 5 months agoI'm surprised - isn't this game just a skin on Overwatch? So does Overwatch have an RCE?
- Nannooskeeska 5 months agoNo, Marvel Rivals and Overwatch are not related in any way other than they're both the same genre of game.
- wyldfire 5 months agoWow, I was so convinced that it was the case that I thought you were mistaken. They look remarkably similar. But yeah, just another game in that genre like you said.
- bilekas 5 months ago> Game developers continue to amaze me at their lack of security awareness.
Because game developers are SUPPOSED to be aware of these things?
> It's very hard for security researchers to report bugs to most game dev companies. On top of that, most do not have bug bounty programs
Yet the OP blames the GAME developers…
They already have harder jobs than the majority of us, picking on them for not knowing skills outside of their area is just being mean and OP is targeting frustration at the wrong group.
- shalzuth 5 months agoYou’re right - I should have specified more explicitly. I am not referring to the game dev that is developing game features or content - I am specifically talking about the “security engineering” organizations within game developer companies. NetEase hired security engineers to specifically do security related tasks (see NetEase AntiCheat @ https://dun.163.com/locale/en?force=true). NetEase Games doesn’t have an excuse for not conducting a security review on a massive game like Marvel Rivals - and this isn’t some corner case, this is part of the core architecture.
And this is not a story unique to NetEase. I have multiple other examples that I’ll probably talk about in the future.
- boricj 5 months ago>> Game developers continue to amaze me at their lack of security awareness.
> Because game developers are SUPPOSED to be aware of these things?
If a civil engineer amazed people with their lack of structural integrity awareness, they wouldn't be trusted to build a house of cards let alone a bridge open to the general public. Software developers write defective, bug-ridden and unsafe public-facing devices and services that are open to the entire world and we shrug whenever there's a major cybersecurity or software crash catastrophe.
If software engineers were held to the same standards of accountability and liability as real engineers when they apply their signature at the bottom of a design calculations document, maybe we'd stop shoveling trivially wormable garbage onto the Internet without a second thought.
- munchler 5 months agoYES. Did you read the part where the game devs use RCE with admin privileges to run patches? Any developer who does that should be aware of the security risks they’re taking.
- bilekas 5 months agoAny developer yes, but I personally put game developers into a different category, they’re making games and trying to find shortcuts to meet strange management requirements. They don’t know the security side. I’m admitting there should be some guard before code review is approved from a real security engineer.
> Any developer who does that should be aware of the security risks they’re taking.
Developer yeah, someone who’s focused on recreating the game probably not
- munchler 5 months agoTrying to meet strange management requirements is normal for just about any professional developer. I don’t understand why you think game developers deserve a special exemption.
- kevingadd 5 months agoIf you sell software to millions of people that runs with access to sensitive data you have an obligation to do a good job, sorry. If you don't like that, make it MIT licensed on an open source site instead of $70 on Steam.
- bilekas 5 months agoThe developers don’t have that obligation, the publishers do, though. They are the last in the chain here. Those gaming agencies have a lot of bureaucracy filtered in gaming senses.
I’ll say this, every single game dev I’ve ever met, has no clue how to navigate bureaucracy. I’m not saying it’s a type, but it’s not random, they have other things to worry about.