NOTE: This is an older article that I did not release at the time. You can take a look now though! 😀
Since I’ve been busy for the past couple of weeks, I wanted to get something short but interesting out here on my site. A really great little example of that is the story behind a bug that I uncovered just a few weeks ago. It’s the kind of thing that you don’t tend to hear about unless common sense goes out the window and into r/eve. Instead, it would have been this simple line here in the Invasion patch notes:
Most people likely skipped right past that one thinking “oh, just some more bad legacy code” when in reality the potential for abuse was much greater. What if instead the patch notes had read “removed the potential for players to maliciously crash clients using bait links in chat”? Now that would garner some attention, wouldn’t it?
Imagine jumping into a 20-man gatecamp and escaping purely because half of them clicked your fake killmail and crashed their clients. Imagine FC’ing a brawl and using magic powers to kill the logi off while they can’t respond. Imagine the sperg on Reddit once someone takes this and starts posting it in every damn system they warp through.
It’s thanks to CCP Peligro, CCP Habakuk, CCP Goliath, and their security/bug hunting teams that the above scenario isn’t one we had to live through. And I’ll be honest, the temptation to cause some mischief was there. Using what is clearly an exploit to your own benefit isn’t really a way to get in CCP’s good books, though, so a bug report was the way to go. Hell, I received 1000 PLEX from the PLEX for Snitches program for being a good girl, so it’s a win-win.
How it Worked
So the way this worked is deceptively simple. With some simple tools you can edit any link pasted into chat however you like. Usually this is a bit pointless, since a link like “url=showinfo:52510>Triglavian World Ark Spawner A” isn’t all that interesting. So what if you change the TypeID to something else? Instead, what you use is a little something called ‘localsvc’. By fiddling with different links in-game I found that this is part of what is responsible for triggering certain events, including but not limited to teleportation, editing bulletins, and viewing contracts. In fact, you can make a neat little “View Corp Contracts” link with the following URL:
Now what was particularly interesting was the method to show a market category. It takes a parameter corresponding to the ID of any market group. In simple terms, this is what happens when you’re scrolling through the market browser and a panel shows up for ‘Minmatar Battlecruisers’ or the like. By altering that ID you can instead choose to show all battlecruisers, or perhaps every type of drone. Turns out that marketGroupID 2 relates to blueprints; what happens if you try to load that?…
As you can see, the market browser doesn’t like that at all. To use the technical term, it goes totally up the fuck. I haven’t run the SQL query to determine just how many items this is loading, but short of an ID that would load absolutely everything, it’s about as big a category as I could find. And it was enough. It was easily disguised as a killmail or website link in chat, and anyone clicking on it would find their client(s) hanging for upwards of a minute while the market window chugged along. Anyone unfortunate enough to click around while this went on would likely have their client crash on them.
But wait, there’s more! This bug actually went as far as to save that category for when the victim logs back in. If the victim’s computer isn’t good enough, then every single opening of the market window would cause a crash from then on. The simple fix was to send over a revised link which showed them a very small category instead.
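The defensive fix for this class of bug lives in the chat renderer, not in the market code: refuse to dispatch link targets that are not on an allow-list, and notice when the visible text of a web link claims a different destination than the target. The following is an added example, not CCP’s code; the <url=TARGET>label</url> markup is assumed from the fragment quoted above, and the localsvc method name in the sample is a placeholder.

```python
import re
from urllib.parse import urlsplit

# Assumed chat-link markup, modelled on the fragment quoted in the article:
#   <url=showinfo:52510>Triglavian World Ark Spawner</url>
LINK_RE = re.compile(r"<url=(?P<target>[^>]+)>(?P<label>.*?)</url>", re.I | re.S)

# Handlers a link may dispatch to. 'localsvc' is deliberately absent, so chat
# links can no longer reach arbitrary client services such as the market browser.
ALLOWED_SCHEMES = {"showinfo", "http", "https"}

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def check_link(target, label):
    """Decide whether one link may stay clickable; returns (ok, reason)."""
    scheme, sep, arg = target.strip().partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} is not allow-listed"
    if scheme == "showinfo":
        # showinfo takes exactly one numeric typeID and nothing else
        return (True, "ok") if arg.isdigit() else (False, "showinfo needs a numeric typeID")
    # A label that itself looks like a URL must point where it claims to.
    shown = label.strip()
    if shown.lower().startswith(("http://", "https://")) and _host(shown) != _host(target):
        return False, f"label shows {_host(shown)!r} but target is {_host(target)!r}"
    return (True, "ok") if _host(target) else (False, "web link has no host")

def sanitize(chat):
    """Strip markup from rejected links (their text stays, unclickable) and say why."""
    rejected = []

    def _fix(m):
        ok, reason = check_link(m.group("target"), m.group("label"))
        if ok:
            return m.group(0)
        rejected.append(f"{m.group('target')}: {reason}")
        return m.group("label")

    return LINK_RE.sub(_fix, chat), rejected

# Constructed sample: a genuine item link, a 'localsvc' bait link dressed up as a
# killmail, and a web link whose label lies about its destination.
SAMPLE_CHAT = (
    "check <url=showinfo:52510>Triglavian World Ark Spawner</url> "
    "lol <url=localsvc:PLACEHOLDER_METHOD>https://killboard.example/kill/1/</url> "
    "and <url=https://evil.example/x>https://killboard.example/kill/2/</url>"
)
```

Running sanitize(SAMPLE_CHAT) keeps the showinfo link intact and demotes the other two to plain text, returning the reason for each rejection so the client could log or surface it.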
So why am I telling this story? For one, it’s a very interesting bug in its own right. I also wanted to show people that yes, CCP will fix something quickly if the need is there. Bug reports are appreciated and you should definitely drop one in if you notice a bug in the wild; you might even be rewarded.
The real takeaway, though, was that I didn’t need to make this a public matter while the vulnerability existed. The best thing is to follow what’s known in the cybersecurity industry as responsible disclosure. CCP’s own wording on the matter is: “Should you think that you may have discovered an unknown exploit, please report it directly to us through the “Exploit” category in a support ticket.” Emailing firstname.lastname@example.org is probably a good bet, too, if you find something serious.