Honestly, I didn't know how to express the content of this post more accurately in the title, so I decided to bank on someone being interested in my little story. It is a post about how important testing and a thoughtful application architecture are, even if you are a serious organization.

I won't name the browser game, since it isn't important for the topic. It is a browser strategy game from Electronic Arts (EA Games).
Now, the story itself.
In the spring of this year, while looking for something to do in my spare time to unload my brain, I came across an online strategy game that seemed interesting enough to pass the time with. The game was quite well thought out, very beautiful graphically, and even fascinating (at first). The essence of almost every browser strategy game is the same: mine resources, build units, raid others and enjoy the unhurried construction of endless cities.
To my misfortune (or maybe happiness), I can't do monotonous things, although they bring some people pleasure :). The gameplay quickly became boring, which can't be said of the chat, where you could have a good time. You could say I frolicked there like a little troll (forgive the comparison), and it brought me far more pleasure than the endless production of units. After the next ban from the moderators, I gave some thought to how else I could amuse my ego.
The idea was to create a simple chat bot for the game that knew how to log in, keep the connection alive and spam the chat a little with prepared phrases like "Hello, wondrous world!". It was written in plain PHP and started from cron once a minute on an ordinary virtual server. The bot was successfully collecting bans from the moderators when another idea occurred to me. The game has an internal mail system. The idea was very simple: after scraping the names of all the top players on the server (something like 1500 nicknames), my bot, or rather 5 copies of it running from cron, started sending letters to randomly chosen nicknames. I'll say right away that the letters were friendly, just enough to confirm that spam was possible, because the game had no protection against incoming letters; as a result, people suffered quite a bit when 100 or 200 unwanted letters landed in their box. I know it wasn't very nice, but at that moment the attitude of other people was the least of my concerns; I saw the whole thing as a small game within the game.
After some time I noticed an important detail in the game's internal mail (which in the end played a fatal role), namely the "Copy" field, which I hadn't even looked at before. Here is a screenshot of sending a letter:

It turned out that the Copy field could contain up to 200 names separated by colons, which sends a copy of the letter to each nickname, so in one go you could send 201 letters, and you could do this every 1-2 seconds. With several bots, it becomes clear that this is already a decent load on the server (which I understood later).
A few copies of the bot instantly arranged a small Armageddon on the server, because all the players began to receive tens and hundreds of letters in a very short time. The effect was stunning and I was very pleased with the players' reaction to what was happening. After a while, strange things started happening on the server.
The thing is, the game has, among other things, a mechanism for dealing with surplus resources: if your warehouse is full, you need to do something with them. So the developers provided a mechanism for converting ordinary resources into other types needed for various improvements, construction and so on. If memory serves, 10,000 Wood turned into 1 Twilight Tree, or something like that. There are also paid services in the game, the so-called ministers, who automatically convert resources into elite ones on the player's behalf when the warehouse overflows.
So the following situation arose: players began to appear with millions of elite resources (an enormous amount for that game), and it was unclear where they came from, but the explanation turned out to be quite simple. The players' ministers (those who had bought them), on the condition that the warehouses were overflowing (a common thing in that game), issued commands to convert resources into elite ones, apparently at very short intervals; but because the command queue was packed with the letters the bots were sending to players, the resource conversion commands simply piled up.
When the queue finally reached the accumulated conversion commands, they were executed without any additional check by the server as to whether such actions were still possible. Apparently the check was done only when the task was queued, not when it was executed, which eventually led to a complete collapse of the server economy and made continuing the game pointless, because some players had gained a huge advantage.
Subsequently, the server began to lag noticeably once 5 or 6 bots were running at the same time, and then it went down altogether.
I certainly didn't anticipate such results, a downed server and a wrecked economy, but it shows how important correct architecture and testing can be.
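The queue bug described above, reconstructed as an added example (not the game's code; the conversion rate and the minister's behaviour are assumptions taken from the story). The enqueue-time check passes every time because nothing is deducted or reserved until execution; re-validating against current state when the command actually runs closes the gap.

```python
from collections import deque

WOOD_PER_TWILIGHT = 10_000  # conversion rate as the post recalls it (assumption)


class Player:
    def __init__(self, wood):
        self.wood = wood
        self.twilight = 0


def enqueue_conversions(player, queue, n):
    """Minister logic: while the warehouse is full, queue a conversion command.
    The only validation happens here, at enqueue time; nothing is reserved."""
    for _ in range(n):
        if player.wood >= WOOD_PER_TWILIGHT:
            queue.append(("convert", player))
    return len(queue)


def run_queue(queue, revalidate):
    """Drain the queue. With revalidate=False the executor trusts the
    enqueue-time check, exactly the flaw the post describes."""
    while queue:
        cmd, player = queue.popleft()
        if cmd != "convert":
            continue  # e.g. a queued mail delivery; irrelevant here
        if revalidate and player.wood < WOOD_PER_TWILIGHT:
            continue  # state changed since enqueue; drop the stale command
        player.wood -= WOOD_PER_TWILIGHT
        player.twilight += 1


def simulate(revalidate, backlog=50, mail_spam=500):
    """A player with wood for exactly one conversion, a queue stalled behind
    constructed mail commands, and a minister that fires `backlog` times."""
    player = Player(wood=10_000)
    queue = deque(("mail", None) for _ in range(mail_spam))
    enqueue_conversions(player, queue, backlog)
    run_queue(queue, revalidate)
    return player.wood, player.twilight


if __name__ == "__main__":
    print("no recheck :", simulate(revalidate=False))  # negative wood, 50 elite
    print("with recheck:", simulate(revalidate=True))  # 0 wood, 1 elite
```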
By the way, the next day I received an e-mail like this:

Hi iSteely,
my name is the name of the game *.
We've seen your recent activity in * the name of the game. What do you want to achieve?
I don't stop banning your accounts. Behavior EA accounts and games.
Best regards,
David Erhard
In the course of the correspondence I apologized for the inconvenience caused and promised not to do these kinds of stunts any more, so everything ended well.
update: By the way, they later took action and no longer allow players to send that many letters, limiting such actions to some reasonable timeframes. So, I can say, I simply pointed out the problem.
The most interesting thing is that in the same game a very unpleasant XSS was found that allowed you to do "creepy" things. I wrote to EA about it; they took a very long time to fix it, about two months, during which I conducted a couple of experiments with it, which I can tell you about if the community is interested.
About the XSS: the "Subject" field of a letter had an XSS vulnerability. Stealing cookies through it did work, but not all of them, only the most trivial ones (language and appearance settings and so on); I couldn't get the session cookie, apparently because of the HttpOnly flag. Perhaps I did something wrong, but that's beside the point.
So, the Subject field accepted 100 characters, and because it wasn't filtered you could insert any HTML tags, which I did by embedding a previously prepared page through an iframe. It looked something like this (the screenshots weren't saved, so I made an example to make it clearer):
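An added example (not the game's or EA's code) of the two server-side controls this story points at: a per-sender recipient budget for the mail system, and HTML-escaping the Subject field before it is rendered in a recipient's inbox. The 200-name cap on the Copy field and the 100-character subject limit are the values the post observed; the per-minute budget and the colon-separated list parsing are assumptions.

```python
import html
from collections import deque

MAX_CC = 200                  # names the "Copy" field accepted, per the post
SUBJECT_MAX = 100             # subject length the post observed
RECIPIENTS_PER_MINUTE = 300   # hypothetical per-sender budget (assumption)


class MailService:
    def __init__(self, clock):
        self.clock = clock      # injectable clock so the window can be tested
        self.sent = {}          # sender -> deque of (timestamp, recipient_count)
        self.inbox = {}         # recipient -> list of (sender, safe_subject)

    def _budget_used(self, sender):
        window = self.sent.setdefault(sender, deque())
        cutoff = self.clock() - 60
        while window and window[0][0] < cutoff:
            window.popleft()    # forget sends older than the sliding window
        return sum(count for _, count in window)

    def send(self, sender, to, cc, subject):
        """Returns True if delivered, False if the sender is over budget."""
        recipients = [to] + [name for name in cc.split(":") if name]
        if len(recipients) - 1 > MAX_CC:
            raise ValueError("too many names in Copy field")
        if len(subject) > SUBJECT_MAX:
            raise ValueError("subject too long")
        if self._budget_used(sender) + len(recipients) > RECIPIENTS_PER_MINUTE:
            return False        # rate limited: the fix the post says EA applied
        # Escape at the boundary so "<iframe ...>" renders as text, not markup.
        safe_subject = html.escape(subject, quote=True)
        for recipient in recipients:
            self.inbox.setdefault(recipient, []).append((sender, safe_subject))
        self.sent[sender].append((self.clock(), len(recipients)))
        return True


def demo():
    """Constructed scenario: one full 201-recipient letter succeeds, the next
    one is throttled, and a hostile subject arrives neutralised."""
    now = [0]
    svc = MailService(lambda: now[0])
    cc = ":".join(f"player{i}" for i in range(200))
    first = svc.send("bot", "player0", cc, '<iframe src="x"></iframe>')
    second = svc.send("bot", "player0", cc, "hello")
    now[0] += 61                # window slides; budget is available again
    third = svc.send("bot", "player0", "", "hello")
    return first, second, third, svc.inbox["player0"][0][1]
```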

This is an ordinary letter as the player received it.

And this is an example of which area could be covered with the help of "iframe", "div", "img" or other tags; in fact, you could even embed a video from YouTube (which I actually did). A special treat was background music that kept playing even after the letter was closed.
Subsequently I came up with another "ingenious" idea. If you insert a screenshot from the official website and write "EA management" or something similar on it, people will think the game's administration is writing to them, which could be used for personal gain. I'll note right away that I had no interest in obtaining other people's accounts; I didn't know what to do with them anyway and didn't harm anyone with them, but my curiosity was enormous. "Is it really possible? Surely, after everything that happened on the server, someone will fall for it?" I thought at the time.
Implementing the plan didn't take much time: I sent about 1000 players one letter each, after which I received about 100-120 passwords. I don't know whether the word *facepalm* is appropriate here, but nothing else came to mind then or now. That same evening I ran a similar experiment on one of the European servers of the same game, again sending a letter "allegedly" from the administration, after which I received only 10-20 passwords out of 1000 players. Why the difference? I don't know; maybe mentality plays its part, because EA warns in advance not to send your logins and passwords to anyone, but our people long ago lost the habit of reading warnings of any kind, probably to their own detriment :)