IT risk consultant says New World devs "should be ashamed of themselves" for code injection vulnerability

Source: Amazon Game Studio

Update 10/31/2021: According to a comment from Amazon on the New World forums, New World is not client authoritative, meaning the server, not the player's client, decides game state, so a script running in one client should not be able to grant itself gold or items. That does not by itself say what injected markup can do inside the chat renderer on other players' machines, and it still leaves the question of why the servers relay raw user input to other clients without sanitizing it.

Original Article: We are still learning new things about the potential dangers of the New World exploit that was discovered on Friday, and the situation may be worse than we initially thought. Not only does the injection appear to work in every text box in the game, but the developers also appear not to understand how to fix it.


For those who missed it, New World players Josh Strife Hayes and Callum Upton discovered on Friday that the game's text boxes are rendered as HTML and that what players type is not escaped, which in short means that markup, and with it client-side code, typed into any text box is interpreted by other players' clients instead of being displayed as plain text. While Amazon has claimed this is not the case, there are by now overwhelming examples of players doing exactly this.



"Every developer at Amazon Game Studio should be ashamed of themselves for letting this go live," said an IT Risk Consultant. "It's hard to understate how incompetent this is. Like they would teach you not to do this in a f*cking high school web dev class."


They told me that the bug could not only break in-game systems but, in theory, could also be used to reach a player's PC, depending on what permissions New World runs with on that machine. The extent of the bug is currently unknown, so it is also unknown how far a malicious message can affect the computers of those playing the game, potentially putting their data or even hardware at risk.


"If this bug can affect someone's computer beyond game files, they could use this to gain remote access to people's computers, install keyloggers to pull their passwords, install viruses, ransomware, or just delete their entire Windows install. That's the doomsday scenario," they explained.


Luckily, so far no one has experienced the "doomsday" scenario as far as we know, so there is no need to panic about your PC, at least not yet. As the consultant made clear, there is no evidence that this exploit goes beyond in-game experiences as of now.


But even without the potential threat to your data and hardware, code injection allows for some seriously damaging in-game results. According to Callum Upton's testing, players can crash each other's game clients and black out the chat with huge images, and he even reported that code injection allows for infinite gold by combining a script with a quest that nets you 50 gold. This is a clear existential threat to New World's economy.



To communicate the gravity of the situation, the consultant told me: "Honest to god, if they can't fix this tonight [Friday], and can't determine the extent of the problem, the servers should be taken down. The game is already broken and unplayable since anyone can crash your game at any time and print infinite money. It would be a reckless disregard for their customers to leave the game up in this state IMO."


Amazon Games Studios developers appear to have no idea what they are doing

While the exploit itself is scary enough, Amazon Game Studios' response, or rather lack of response, is even scarier.


The IT consultant told me: "What's scary about this, is it seems to me like the Amazon devs don't understand the nature of the problem, the nature of this very basic and easy to solve problem."


So far the studio has done nothing about the underlying code injection issue, the servers remain online, and the only action taken to limit the damage was to block specific strings in the chat (which didn't work). It is unacceptable to have a code injection flaw this large in 2021, and it is even more unacceptable that they appear not to know what to do next.


For context, this is the same class of exploit that previously showed up, and was fixed, in World of Warcraft... in 2004! More than 16 years ago game developers solved this problem with what is now a standard practice, sanitizing user input (escaping it so the renderer treats it as text rather than markup), so for Amazon Game Studios to miss it entirely is unacceptable to IT professionals.


In fact, not only is input sanitization already very well known and taught in basically every college web development course, but according to the IT consultant, the escaping functions needed for it already ship with most languages and web frameworks. So the tools are already there for them to properly sanitize messages and avoid client-side code execution. The IT professional I consulted for this article said they were "baffled" at this level of incompetence from the New World devs.


The patch that Amazon did put out on Friday seemed to misunderstand the issue they are facing. It merely blocked the specific string people were using to spam images in general chat, but you can still do it right now by typing the same markup with its parts in a different order. The fundamental flaw remains in the game as of writing this article.
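To make the distinction concrete, here is an added illustration, written for this article and not code from Amazon or New World: a toy chat renderer in the vulnerable form, the blocklist form that mirrors the patch described above (its behaviour is assumed from the reports, the real filter is not public), and the fixed form that escapes on output, which is the built-in technique the consultant refers to. The sample messages and the URL in them are constructed for the demonstration.

```javascript
// Added example (not Amazon's code): why a blocklist patch fails and why
// escaping user input on output fixes the root cause. Runs under Node.js;
// no DOM is needed because we only inspect the HTML string a client would
// hand to its renderer.

// Constructed sample messages (hypothetical payloads for illustration).
const SAMPLES = {
  benign: "gg <3 see you at 5 o'clock",
  original: '<img src="https://example.invalid/huge.png" width="9999">',
  // Same payload with attributes reordered and a mixed-case tag name.
  reordered: '<IMG width="9999" src="https://example.invalid/huge.png">',
  // A slash instead of a space between tag name and attribute still parses.
  script: '<img/src=x onerror="alert(1)">',
};

// Vulnerable renderer: the message is pasted straight into markup.
function renderRaw(text) {
  return `<div class="msg">${text}</div>`;
}

// The "patch" as described: refuse the exact string that was being spammed.
// Assumed behaviour, modelled on the reports of the blocked pattern.
const BLOCKED = ['<img src='];
function renderBlocklist(text) {
  for (const bad of BLOCKED) {
    if (text.includes(bad)) return '<div class="msg">[message removed]</div>';
  }
  return renderRaw(text);
}

// Correct fix: encode every character that has meaning in HTML text or
// attribute context, so the renderer shows the message as literal text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(text) {
  return `<div class="msg">${escapeHtml(text)}</div>`;
}

// Check: does the rendered string contain any tag besides our wrapper div?
// Strip the known wrapper, then look for anything a browser would parse as
// a tag start ("<" followed by a letter or "/"; "<3" is just text).
function leaksMarkup(html) {
  const inner = html.replace(/^<div class="msg">/, '').replace(/<\/div>$/, '');
  return /<\/?[a-zA-Z]/.test(inner);
}

// Run every sample through every renderer and report which ones leak markup.
function summarize() {
  const renderers = { renderRaw, renderBlocklist, renderSafe };
  const rows = {};
  for (const [name, text] of Object.entries(SAMPLES)) {
    rows[name] = {};
    for (const [rname, fn] of Object.entries(renderers)) {
      rows[name][rname] = leaksMarkup(fn(text));
    }
  }
  return rows;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(summarize());
}

module.exports = { SAMPLES, renderRaw, renderBlocklist, renderSafe, escapeHtml, leaksMarkup, summarize };
```

The table this prints makes the point of the article: the blocklist stops only the exact string it was written for, while the reordered and slash-separated variants sail through, whereas the escaping renderer produces no tag for any input and still displays a harmless "<3" correctly.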



The details surrounding this exploit are still emerging, so we don't necessarily have all the facts about the severity of this issue. Players don't necessarily need to start uninstalling New World from their devices or anything, but until this issue is fixed the integrity of New World is in question. Amazon needs to take quick decisive action to fix the exploit plaguing their systems, or they are looking at a serious crisis.


Unfortunately, the dev team isn't exactly filling New World players with the hope that they are in good hands. Hopefully, they can get their act together and patch this issue very soon.







