I think we can all agree that general chat in MMOs is usually not super great. Now imagine if those spam-slinging all-caps jerkholes could also force everyone to download computer viruses via that chat window.
Yesterday, a member of the subreddit for the long-running action-MMO Tera posted about a potentially ruinous vulnerability in the game’s chat system. The poster, Gosukek, along with other players on Discord, claimed that Tera‘s chat interface uses HTML, meaning that if unscrupulous types got creative, they could theoretically do everything from forcing everyone to look at nauseating imagery, to collecting everybody’s IP address, to remotely executing malware and viruses on people’s computers. This issue has seemingly been present for years.
In response, Tera publisher En Masse quickly announced that the game’s chat services would be taken offline. It added, however, that it seems as though nobody’s taken advantage of the vulnerability so far.
“There are very serious claims floating around of what this vulnerability potentially allows malicious users to do,” En Masse wrote in a forum post. “We are taking these claims very seriously but, as of this time, we have no evidence that the vulnerability is being exploited in these ways or that any player information has been compromised.”
As of writing, all chat except guild chat has been disabled while the game’s developers work on a fix. There is currently no ETA for when it will be re-enabled. Given that MMOs are kinda all about communicating with other players, probably go ahead and wait before jumping into this one – if, you know, you were suddenly planning to after five years.
Comments
9 responses to “MMO Disables Chat After Players Discover It Could Be Used To Send Malware”
Player should be pissed about this, the problem has been known about for freaking ever.
They players are pissed. Its only just recently been made widely known and the amount of people getting pissed is growing. Whats even more controversial (But not proven to be fact, Just a rumour at this point) is that this bug has been known by the dev team for ages and they have done nothing about it.
The issue has been observable for years and years, I don’t think they realized the severity though. Even more recently (a year+ ago) with the issue with greetings being HTML editable (mostly just used to make the text really big), should have pointed out to them that there is an underlying issue (greetings use a chat channel), but apparently not.
I know, thats what I just said. Many people were aware of it after seeing the photoes appearing in temp files from player shout outs.
Hi, I wrote the initial reddit post that made this into an issue, feel free to contact me as the article fails to mention a few things, and there’s a lot more drama/issues, main one being that chat is NOT CORRECTLY DISABLED and users are still at risk despite being told otherwise.
EDIT: Chat is now correctly disabled on EU, and NA has a working fix (as far as I’ve tested) for the external image/remote code part of the issue. Internal images and commands still usable. Surprising it took them this long considering it’s a few lines of code.
This is just bad design, straight up. Even if they wanted to use HTML, the rule is disable everything and only enable what you need, never just enable everything.
Wait a second, just because the text is HTML doesn’t mean you can execute a drive-by attack. That needs an active component like JavaScript. HTML is just markup.
Are you telling me TERA’s Chat support JavaScript as well? Because if so that’s the stupidest inclusion in a system that doesn’t need it since Adobe put JavaScript into PDFs.
It doesn’t, TERA uses ScaleForm/ActionScript, so only a few things are enabled.
The real shock is that no one used it to be an asshat