18 April 2024

Common Game Flaws Found During Penetration Testing: Cyrex Engineers at Work

Back again into the incredible work our security engineers conduct, this time right into the heart of our speciality! Game security is our bread and butter: it is the mainstay on which we established the gold standard of our penetration testing services, and it is where we continue to grow and develop our skills.

Hazem Elsayad, Lead Offensive Security Engineer for the Cyrex Entertainment team, has some great insights into these game-related flaws and vulnerabilities. If you’re developing your game or considering your coding security practices, check this out.  

1. Manipulating Time for Daily Rewards

Although I’ve talked about this before, this specific vulnerability has a lot of attack vectors, and we see almost every variation of it during penetration tests. Ever wondered if you could trick a game into giving you daily rewards early? Turns out you often can, and it is as simple as playing around with dates and times. For example, say the game is waiting for it to be 18/11/2023 before it dishes out the next reward. Just tweak the date in your request from 17/11/2023 12:55:55 to 18/11/2023 12:55:55, or mess with those long tick numbers by changing 638358225550000000 to 638359089550000000. (Those are .NET DateTime ticks, 100-nanosecond units counted from 1 January 0001: the two numbers decode to exactly those two timestamps, and the difference of 864000000000 ticks is exactly one day.) Either way you might just fool the game into thinking it is reward time. And get this: sometimes just fast-forwarding your phone’s clock does the trick. Simple, but it still works surprisingly often, because on occasion the game relies on the client for the time calculation. The root cause is always the same: the server accepts a timestamp from the request (or from the device clock) instead of using its own clock and its own record of when the player last claimed.
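
To make the daily-reward flaw concrete, here is an added example (my own illustration, not code from Cyrex or from any game Hazem tested). It decodes the tick values quoted above, shows a claim handler that trusts the client’s "now" field in either encoding, and places the hardened handler beside it: the hardened version never reads a time from the request, it compares the server clock against the server-stored last claim. The request shape, the Player class and the 24-hour interval are assumptions for the illustration.

```python
from datetime import datetime, timedelta, timezone

# .NET DateTime ticks are 100 ns units counted from 0001-01-01T00:00:00; this constant is
# the tick count of the Unix epoch (1970-01-01), which is how the two encodings are converted.
TICKS_PER_SECOND = 10_000_000
UNIX_EPOCH_TICKS = 621_355_968_000_000_000
REWARD_INTERVAL = timedelta(days=1)          # assumed: one reward per 24 hours


def ticks_to_datetime(ticks: int) -> datetime:
    """Decode a .NET tick count into an aware UTC datetime."""
    seconds, rest = divmod(ticks - UNIX_EPOCH_TICKS, TICKS_PER_SECOND)
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(microseconds=rest // 10)


def parse_client_time(raw: str) -> datetime:
    """The two encodings seen in claim requests: 'dd/mm/YYYY HH:MM:SS' or a raw tick count."""
    if raw.isdigit():
        return ticks_to_datetime(int(raw))
    return datetime.strptime(raw, "%d/%m/%Y %H:%M:%S").replace(tzinfo=timezone.utc)


class Player:
    def __init__(self, last_claim: datetime):
        self.last_claim = last_claim         # stored server-side in both variants
        self.rewards = 0


def claim_vulnerable(player: Player, request: dict) -> bool:
    """Trusts the 'now' field the client sends, so the client decides when a day has passed."""
    now = parse_client_time(request["now"])
    if now - player.last_claim >= REWARD_INTERVAL:
        player.last_claim = now
        player.rewards += 1
        return True
    return False


def claim_hardened(player: Player, request: dict, server_now=None) -> bool:
    """Ignores anything time-related in the request; the server clock is the only clock.
    server_now is injectable purely so the example is deterministic."""
    now = server_now or datetime.now(timezone.utc)
    if now - player.last_claim >= REWARD_INTERVAL:
        player.last_claim = now
        player.rewards += 1
        return True
    return False


def demo() -> dict:
    """Replays the scenario above: last claim at 17/11/2023 12:55:55, attacker forges the next day."""
    last = parse_client_time("17/11/2023 12:55:55")
    honest = {"now": "17/11/2023 12:55:55"}            # constructed requests
    forged_date = {"now": "18/11/2023 12:55:55"}
    forged_ticks = {"now": "638359089550000000"}
    server_clock = last + timedelta(minutes=5)          # it is still the 17th on the server

    v1, v2, v3 = Player(last), Player(last), Player(last)
    h1, h2 = Player(last), Player(last)
    return {
        "ticks_decode": ticks_to_datetime(638358225550000000) == last,
        "vuln_honest": claim_vulnerable(v1, honest),
        "vuln_forged_date": claim_vulnerable(v2, forged_date),
        "vuln_forged_ticks": claim_vulnerable(v3, forged_ticks),
        "hard_forged_date": claim_hardened(h1, forged_date, server_now=server_clock),
        "hard_forged_ticks": claim_hardened(h2, forged_ticks, server_now=server_clock),
        "hard_next_day": claim_hardened(h1, forged_date, server_now=last + REWARD_INTERVAL),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

Running it shows both forged requests succeeding against the vulnerable handler and failing against the hardened one until the server clock itself reaches the next day. The same rule covers the phone-clock trick: if the client never supplies a time and the server never consults the device, there is nothing to fast-forward.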

2. Game Hacking: Bypassing the Limit of Limited Offers

Limited-offer items in games are the exclusive gear pieces or equipment that everyone wants. But what if you could keep buying them even after they’re supposed to be sold out? I’ve seen games where resending the purchase request lets you snag the same item over and over: the UI says it’s gone, but the backend begs to differ, because the “one per player” or “only N in stock” rule only ever lived in the client. And for an extra twist, race conditions make this even more fun. Send a bunch of requests at once and you might just multiply your loot, because the server checks the stock and then decrements it in two separate steps, so every in-flight request passes the check before any of them commits. Both are server-side verification problems: keep the stock and per-player counters on the server, decrement them atomically in the same transaction as the purchase, and give each purchase request an ID so a resent request is recognised rather than processed again.
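
The following added example (mine, not Cyrex’ or any game’s code) reproduces both variants of the flaw on an in-memory shop. The vulnerable handler checks only the global stock, and does so in a check-then-decrement pair; the hardened handler tracks stock, per-player count and processed request IDs under one lock. The race driver uses a threading Barrier to force the worst-case interleaving deterministically, which stands in for the database or payment-provider round trip a real server has between the read and the write. Shop, the request ID field and the limit of one per player are assumptions for the illustration.

```python
import threading
import uuid
from dataclasses import dataclass, field


@dataclass
class Shop:
    stock: dict                                   # offer_id -> units left world-wide
    per_player_limit: int = 1                     # the "one per player" rule the UI shows
    owned: dict = field(default_factory=dict)     # (player, offer_id) -> units bought
    processed: set = field(default_factory=set)   # request ids already honoured
    lock: threading.Lock = field(default_factory=threading.Lock)


def purchase_vulnerable(shop, player, offer_id, request_id=None, gap=None):
    """Checks global stock only, in two steps. The per-player limit is UI-only, and 'gap'
    stands for whatever the server does between reading and writing the stock."""
    if shop.stock.get(offer_id, 0) <= 0:
        return False
    if gap:
        gap()
    shop.stock[offer_id] -= 1
    shop.owned[(player, offer_id)] = shop.owned.get((player, offer_id), 0) + 1
    return True


def purchase_hardened(shop, player, offer_id, request_id, gap=None):
    """Idempotent and atomic: a resent request id is a no-op, and stock, per-player count and
    the decrement are evaluated under one lock. In a real backend the lock is a transaction
    with a conditional UPDATE ... WHERE stock > 0 (or an equivalent row lock)."""
    if gap:
        gap()                                     # latency before the critical section is harmless
    key = (player, offer_id)
    with shop.lock:
        if request_id in shop.processed:
            return False
        if shop.stock.get(offer_id, 0) <= 0 or shop.owned.get(key, 0) >= shop.per_player_limit:
            return False
        shop.stock[offer_id] -= 1
        shop.owned[key] = shop.owned.get(key, 0) + 1
        shop.processed.add(request_id)
        return True


def replay(handler, shop, player, offer_id, times):
    """Resend the identical request (same request id) `times` times; returns units obtained."""
    rid = str(uuid.uuid4())
    return sum(handler(shop, player, offer_id, request_id=rid) for _ in range(times))


def race(handler, shop, offer_id, players):
    """One concurrent request per player. The Barrier in the gap holds every thread past the
    stock check until all have read it, the worst-case interleaving a busy server can hit."""
    barrier = threading.Barrier(len(players))
    results = []

    def worker(p):
        results.append(handler(shop, p, offer_id, request_id=str(uuid.uuid4()), gap=barrier.wait))

    threads = [threading.Thread(target=worker, args=(p,)) for p in players]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo():
    players = [f"p{i}" for i in range(5)]         # constructed: five players, one unit in stock
    return {
        "vuln_replay": replay(purchase_vulnerable, Shop({"wings": 5}), "alice", "wings", 3),
        "hard_replay": replay(purchase_hardened, Shop({"wings": 5}), "alice", "wings", 3),
        "vuln_race": race(purchase_vulnerable, Shop({"wings": 1}), "wings", players),
        "hard_race": race(purchase_hardened, Shop({"wings": 1}), "wings", players),
    }


if __name__ == "__main__":
    print(demo())    # vuln_replay 3, hard_replay 1, vuln_race 5, hard_race 1
```

With one unit in stock, the vulnerable handler sells five (the stock goes negative), while the hardened one sells exactly one; the replay of a single request yields three items against the vulnerable handler and one against the hardened one. When testing a real shop, watch for the same signs: a stock counter that can go below zero, and a per-player limit that a second request with a fresh ID walks straight past.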

3. Invisible Items for Sale? Yes, Please!

Picture this: there’s a legendary ‘wings’ item that’s usually off-limits until you hit level 100. But who wants to wait for that? I’ve found games where swapping the item ID in a purchase request turns buying a mundane ‘rock’ into snagging those legendary wings. The server sometimes forgets to ask, "Hey, should this player even see this item, let alone buy it?" Hiding an item in the shop UI is not a control. The fix is for the server to re-check every requirement the UI applies (level, completed quests, owned prerequisites, whatever states the item needs) on each purchase request, and for key or valuable items to require all of those states at once.

4. Equipping Items or Gear

Similar to our shopping attack surface, equipping items can be a goldmine for vulnerabilities. Ever dreamt of wearing high-level gear while you’re still a newbie? Just swap the item IDs in your equip request. Change the ID from a low-level hat to a high-end armour, refresh, and you might just be strutting around in gear way above your pay grade. Sometimes that won’t work straight away, because the equip endpoint at least checks that you own the item, so mix it with the shop flaw: buy a hidden item you haven’t unlocked yet (in our case the level 100 gear), then equip it now that it sits in your inventory, even though you don’t meet the level requirements. The lesson is that the level check belongs at equip time too, not only at purchase time, since items can reach an inventory by more than one route.

5. Currency Adjustment

In some games the shop plays it cool with currency options, only showing a few. But what if you change the currency in your purchase request? Try switching from USD to, say, TL, and check out the price difference. Sometimes the game gets confused and you might find yourself with a significant discount. The currency a player pays in should be decided on the server from the account’s store region, never read from the request, and the amount actually charged should be checked against the server-side price list for that currency.
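
Flaws 3, 4 and 5 share one root cause, so here is a single added example (my own illustration, not Cyrex’ or any game’s code) covering all three: a purchase handler that neither applies the level gate nor questions the client-chosen currency, an equip handler that checks ownership only, and the hardened pair beside them. The chained attack from flaw 4 (buy the hidden item, then equip it) succeeds against the vulnerable pair and fails at both steps against the hardened pair. The catalogue, prices, exchange rates, the Account class and the request fields are all constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed catalogue (not a real game's): level gate and regional price per item.
CATALOG = {
    "rock":   {"min_level": 1,   "price": {"USD": 1,  "EUR": 1,  "TL": 30}},
    "hat":    {"min_level": 1,   "price": {"USD": 2,  "EUR": 2,  "TL": 60}},
    "armour": {"min_level": 60,  "price": {"USD": 30, "EUR": 28, "TL": 500}},
    "wings":  {"min_level": 100, "price": {"USD": 50, "EUR": 46, "TL": 800}},
}
# Constructed rates, used only to show what the "wrong currency" purchase really cost.
USD_PER_UNIT = {"USD": 1.0, "EUR": 1.08, "TL": 0.03}


@dataclass
class Account:
    level: int
    store_currency: str                          # fixed at account creation, never sent by the client
    wallet: dict                                 # currency -> balance
    inventory: set = field(default_factory=set)
    equipped: set = field(default_factory=set)


def visible_items(acct):
    """What the shop UI lists for this player: items whose level gate they meet."""
    return {item_id for item_id, item in CATALOG.items() if acct.level >= item["min_level"]}


# --- vulnerable: the server enforces only what the UI happens to hide ---

def buy_vulnerable(acct, request):
    item = CATALOG.get(request["item_id"])
    if item is None:
        return False
    currency = request["currency"]               # client-chosen, including ones the UI never showed
    price = item["price"][currency]
    if acct.wallet.get(currency, 0) < price:
        return False
    acct.wallet[currency] -= price               # no level gate: hidden items are buyable
    acct.inventory.add(request["item_id"])
    return True


def equip_vulnerable(acct, request):
    item_id = request["item_id"]
    if item_id not in acct.inventory:            # ownership is the only check
        return False
    acct.equipped.add(item_id)
    return True


# --- hardened: every rule the UI applies is re-applied on the server, at every step ---

def buy_hardened(acct, request):
    item_id = request["item_id"]
    if item_id not in visible_items(acct):       # unknown and not-yet-unlocked look the same
        return False
    currency = acct.store_currency               # request["currency"] is ignored
    price = CATALOG[item_id]["price"][currency]
    if acct.wallet.get(currency, 0) < price:
        return False
    acct.wallet[currency] -= price
    acct.inventory.add(item_id)
    return True


def equip_hardened(acct, request):
    item_id = request["item_id"]
    item = CATALOG.get(item_id)
    # Ownership is necessary but not sufficient: the level gate is re-checked here, so an item
    # that reached the inventory by any route (this bug, a gift, a trade) still cannot be worn early.
    if item is None or item_id not in acct.inventory or acct.level < item["min_level"]:
        return False
    acct.equipped.add(item_id)
    return True


def usd_equivalent(currency, amount):
    return round(amount * USD_PER_UNIT[currency], 2)


def demo():
    """Level-5 player on a USD account who has also topped up a TL balance (constructed)."""
    wings_tl = {"item_id": "wings", "currency": "TL"}
    wings_equip = {"item_id": "wings"}

    v = Account(level=5, store_currency="USD", wallet={"USD": 100, "TL": 5000})
    vuln_chain = buy_vulnerable(v, wings_tl) and equip_vulnerable(v, wings_equip)

    h = Account(level=5, store_currency="USD", wallet={"USD": 100, "TL": 5000})
    hard_buy = buy_hardened(h, wings_tl)
    h.inventory.add("wings")                     # assume the item slipped in by another route
    hard_equip = equip_hardened(h, wings_equip)
    buy_hardened(h, {"item_id": "rock", "currency": "TL"})

    return {
        "wings_hidden": "wings" not in visible_items(v),
        "vuln_chain": vuln_chain,
        "vuln_paid_usd": usd_equivalent("TL", 800),          # what the TL price really cost
        "list_price_usd": usd_equivalent("USD", 50),
        "hard_buy": hard_buy,
        "hard_equip": hard_equip,
        "hard_rock_charged": (h.wallet["USD"], h.wallet["TL"]),   # charged in USD despite "TL"
    }


if __name__ == "__main__":
    print(demo())
```

Two design points are worth copying. The hardened purchase answers "not unlocked" exactly as it answers "no such item", so an attacker enumerating IDs learns nothing about hidden items from the response. And the level gate lives in a single place (visible_items and the catalogue) that both the purchase and the equip handler consult, so the two cannot drift apart the way they did in the chained attack.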

6. Skipping the Upgrade Grind

Upgrading stuff in games can feel like climbing a mountain: it takes time and resources. But here’s a neat trick that comes up in our penetration tests: capture the request for a final upgrade, then replay it against a new item or building with the item ID swapped. Why bother with all the early, expensive steps when you can jump straight to the top? This works whenever the request carries the target level and the server charges only for that one step. The server should instead derive the next level from the item’s stored state and charge for exactly that step, treating any target level in the request as nothing more than a consistency check.
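
As an added example (mine, not Cyrex’ or any game’s code), here is the upgrade flaw and its fix side by side. The vulnerable handler sets the item to whatever target_level the request names and charges that one step; the hardened handler computes the next level from the item’s stored level and rejects a request whose target does not match it. The cost table, the Player class and the request fields are assumptions for the illustration.

```python
from dataclasses import dataclass

# Constructed upgrade table: gold needed to go from level n-1 to level n.
UPGRADE_COST = {1: 10, 2: 25, 3: 60, 4: 150, 5: 400}
MAX_LEVEL = max(UPGRADE_COST)


@dataclass
class Player:
    gold: int
    items: dict          # item/building id -> current level (0 = just built)


def upgrade_vulnerable(player, request):
    """Trusts 'target_level' from the request and charges only that one step, so a captured
    level-5 upgrade request replayed with another item id jumps that item straight to 5."""
    item_id, target = request["item_id"], request["target_level"]
    if item_id not in player.items or not 1 <= target <= MAX_LEVEL:
        return False
    cost = UPGRADE_COST[target]
    if player.gold < cost:
        return False
    player.gold -= cost
    player.items[item_id] = target
    return True


def upgrade_hardened(player, request):
    """The server derives the next level from its own record of the item; the request only
    names the item. A target_level, if present, must match, otherwise the client is stale or lying."""
    item_id = request["item_id"]
    if item_id not in player.items:
        return False
    next_level = player.items[item_id] + 1
    if next_level > MAX_LEVEL or request.get("target_level", next_level) != next_level:
        return False
    cost = UPGRADE_COST[next_level]
    if player.gold < cost:
        return False
    player.gold -= cost
    player.items[item_id] = next_level
    return True


def cost_to_reach(level):
    """Gold an honest player spends to take an item from level 0 to `level`."""
    return sum(UPGRADE_COST[n] for n in range(1, level + 1))


def demo():
    captured = {"item_id": "barracks", "target_level": 5}       # legitimate final upgrade
    replayed = dict(captured, item_id="tower")                   # same request, new building

    v = Player(gold=1000, items={"barracks": 4, "tower": 0})
    vuln = upgrade_vulnerable(v, replayed)

    h = Player(gold=1000, items={"barracks": 4, "tower": 0})
    hard_replay = upgrade_hardened(h, replayed)
    hard_honest = upgrade_hardened(h, {"item_id": "tower"})

    return {
        "vuln_replay": vuln,
        "vuln_tower_level": v.items["tower"],
        "vuln_paid": 1000 - v.gold,
        "honest_price": cost_to_reach(5),
        "hard_replay": hard_replay,
        "hard_honest": hard_honest,
        "hard_tower_level": h.items["tower"],
        "hard_paid": 1000 - h.gold,
    }


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable handler the replayed request takes a freshly built tower to level 5 for the price of the last step alone; against the hardened handler it is rejected, and an honest upgrade moves the tower to level 1 for the level-1 price. The mismatch check is also a useful signal in logs: a client that keeps sending target levels the server does not expect is either badly out of sync or being driven by a proxy.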

Penetration Testing: Changing the Game Hacking Mindset

In the words of Hazem, “It's all about getting creative and thinking outside the box. Happy hunting and stay tuned for more tales from the game-hacking front lines!” We hope this look behind the scenes in discovering game vulnerabilities or exploits has opened your eyes to what an average penetration test can find. These are just a handful discovered by one of our security engineers on their off-time! We’re proud of the expertise displayed by our security engineers and by Hazem in this blog. If you’d like to see more of his work, check out his blog, Hacktus, or follow him on LinkedIn where he often shares his security insights.

If you’d like to leverage Cyrex’s penetration testing expertise and utilize an entire team with the talent, ingenuity, and skill shown by Hazem, contact us today for industry-leading results in penetration testing and load testing!