YouTubers Josh Strife Hayes and Callum Upton released a video on Friday, detailing multiple game-breaking chat exploits that are possible in Amazon's new MMORPG New World due to the ability to inject code via chat interfaces throughout the game.
"The text box in the game allows you to code," Hayes explained. "What if I told you the general text box, the general chat, the area chat, the zone chat, or the private message chat, allows you to directly inject code into it to manipulate what other players see. It allows you to pull images from the item files and resize them to a custom size. . . Or it allows you to send a single line of code that, when someone hovers their cursor over it, will instantly crash their game. And you can put this in general chat, and anyone could do it."
In the video, Hayes demonstrates that you can use the chat in New World to manipulate what other players see, including resizing images and placing them on their screen, putting a massive yellow box above your head blocking other players' vision, or even crashing other players games. The video did not show how to do these bugs, only that they are possible.
The exploit is caused by the fact that the text chat is apparently using HTML.
As explained to me by a security consultant, this kind of attack is very common on websites, and since Amazon is using HTML in New World for its text boxes, the attack is also possible in the game.
"The concept is basically that most webpages have to "escape" certain characters, because a character such as < is an open bracket for the beginning of a header in HTML or XML," they explained. "So the website has to be able to differentiate between characters inputted by the user and the actual code of the website. If the website did not properly escape the brackets, every time someone clicked on the page with that message, the website would execute the script that wasn't properly escaped."
They continued, "TL;DR New World is vulnerable to really old script kiddie b*llsh*t from the looks of it. It's slightly different in games vs websites because the games could be a slightly different hack, and there are different ways to execute malicious code. But regardless it's not a good look."
In the video originally pointing to the issue, Hayes and Upton recreated some of the more game breaking-bugs to demonstrate they are possible. Based on the evidence they presented, it seems clear that some type of code injection is currently available in New World.
New World is riddled with bugs, some funny, some useful, and some frustrating. But the ability to inject malicious code severely threatens the competitive integrity of the game and could be catastrophic given code can be injected in general chats and affect hundreds of players at once. Amazon will hopefully fix this issue ASAP.
Aaron is an esports reporter with a background in media, technology, and communication education.