
Chat Exploit? Oh man, this is gonna be good.
Weird Chat Exploit
Earlier this morning, a malicious user used a chat exploit to send (what looked like) rainbow-colored server messages. The messages really looked like they were from the server or staff members (including me). They were fake. Players saw rainbow-colored messages from Artix saying that the game was shutting down. Thankfully the fake messages were limited to just the room the user was in. But it was pretty unsettling (or pretty funny depending on your sense of humor). Either way we fixed the exploit. And I hope it does not disappoint anyone to learn that, no, the game is not shutting down.
Summary
- There was a chat exploit
- Malicious player used exploit to send messages that looked like server & staff messages.
- We fixed the exploit
Also...
- No staff accounts were hacked
- Those messages were not really from Artix
- No player accounts were hacked or compromised
- The game is not shutting down
Transparent Story time
I hate it that game devs never tell the full story when things like this happen. In my commitment to brutal honesty, I am going to. Zhoom was out sick so I went to the gym with Dage. About halfway through the workout I got a surprise Discord voice chat invite from Clarion. *Gulps*. He said we had a problem and sent me screenshots of AdventureQuest 3D showing rainbow-colored server messages from "Artix" saying that the game was shutting down. (It was not me, but I appreciate they did not use any contractions while pretending to be me.)
My first thought was uh oh, was a staff account hacked? (Spoiler: It was not.) High-level staff accounts can send server-wide messages. These are the only type of chat messages in that game that do not start with your name. They are also highly customizable, letting you change their colors. When I run live events, this can be used to send messages that look like they are from different NPCs. Anyway, Zhoom got a list of every mod that had logged in recently from the database. Only Clarion and Korin had been on this morning so far, and they logged in to check on this exact issue. So that was good news, no accounts were breached. But if it was not a hacked staff account, how were they doing it? We moved our investigation to focus on the chat code.
At this point, about 15 minutes had passed. I had finished driving home from the gym and Broomtool was in the voice chat with us. When investigating the source of a problem, it is important which questions you ask in your head. For us it is, "How could we create this problem?" By asking this question, you look at the problem in a different way. And it lets you spot things like.... If the server is looking to see if the sender of a message is "Server Message". See, if a message comes from "Server Message" it has no name in front of it and it can be color customized. But how could a player send a message from this "Server Message"? O_O Oh......
Broomtool figured it out immediately. The player had created an account named.... oh yeah... that is right... "Server Message". /facepalm. So literally any messages this character typed would look like... server messages. This explains why only people in the room with them saw the messages. It also meant that only one player would ever be able to do this exploit. We were also surprised that this account even existed. The game is not supposed to let you create a character with the word "server" in it. Guess not.
Regardless, we fixed it. We patched the server to double check messages to catch weird outlier cases like this. I am proud of the team for fixing this issue within an hour of learning about it.
What a weird one!
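The bug described above, where chat styling was decided by the sender's name, shown beside a hardened form as an added example (not the game's actual server code). The `Sender` type, the `is_system` flag, the function names and the reserved-word list are assumptions made for illustration; the post only mentions the name "Server Message" and the word "server".

```python
import unicodedata
from dataclasses import dataclass

# Assumed list for illustration; the post only names the word "server".
RESERVED_WORDS = ("server", "admin", "moderator")

@dataclass
class Sender:
    name: str        # player-chosen display name: untrusted input
    is_system: bool  # set by the server for its own broadcasts, never from client data

def render_by_name(sender: Sender, text: str) -> str:
    """Flawed pattern: privilege is inferred from a string the player controls."""
    if sender.name == "Server Message":
        return f"[SYSTEM] {text}"          # no name prefix, custom colors allowed
    return f"{sender.name}: {text}"

def render_by_origin(sender: Sender, text: str) -> str:
    """Hardened: system styling only when the server itself originated the message."""
    if sender.is_system:
        return f"[SYSTEM] {text}"
    return f"{sender.name}: {text}"        # player text always carries the name prefix

def name_allowed(name: str) -> bool:
    """Character-creation check: reject reserved words after normalizing
    Unicode look-alikes, case, spacing and punctuation. Substring matching
    will also reject innocent names such as "Observer"; that is the trade-off
    of a "must not contain" rule like the one the post describes."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    squashed = "".join(ch for ch in folded if ch.isalnum())
    return not any(word in squashed for word in RESERVED_WORDS)

if __name__ == "__main__":
    player = Sender(name="Server Message", is_system=False)  # constructed sample
    print(render_by_name(player, "hello"))     # rendered as a system message
    print(render_by_origin(player, "hello"))   # rendered as ordinary player chat
    print(name_allowed("Server Message"))      # rejected at creation time
```

The two checks are independent layers: the name filter keeps confusing accounts from being created, while the origin check means a name that slips past the filter still cannot change how its messages are rendered.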
On the topic of cheating, botting, and hacking tools
Normally when someone is poking and prodding at the game it means they are going to do a lot more of it. So, at this time we are also tightening up our cheat filters. Please report any weird activity you see in the game. Please warn your friends about the dangers and consequences of using any third-party "hacking tools". And I am not just talking about getting your AQ3D account banned for using them. When you download a program created by a stranger, that program can literally do anything. It can steal your login information, steal your personal saved browser passwords, or even plant a back door allowing access to your computer. If you thought Honey was bad... imagine installing a program from someone whose intention was actually to do bad things. Why would they not do the same to you? #TheMoreYouKnow