Modern games foster so much competition that a lot of top-level gamers will do whatever it takes to win. In too many cases, this fierce desire to win leads to hacking. Other times, young pranksters troll their friends by hacking games as a joke. In either case, game devs worry a lot about keeping games fair. Thus, keeping games safe from hackers has grown into quite a bustling industry within the greater infosec economy.
In this article, we’ll familiarize you with game hacking using a realistic example. Both red and blue team tactics will apply, since we’ll show the whole process of finding and fixing a game vulnerability. After we go through a quick example hack, we’ll look at common types of game security issues and an overview of major gaming hacks from the past decade.
Oh, and stick around for the mini-guide at the end, where we teach you how to get into this lucrative, high-status field!
Walk-through of a real game hack
To keep this digestible, let’s code up the simplest multiplayer game possible: Tic-tac-toe. We need it to be multiplayer so that cheating matters in some sense. Here’s a minimal Node.js server that makes multiplayer Tic-tac-toe possible:
```typescript
const express = require('express');
const app = express();
app.use(express.json());

// Shared, in-memory game state: one board and one turn marker for everyone.
const board: Array<Array<null | 'x' | 'o'>> = [
  [null, null, null],
  [null, null, null],
  [null, null, null]
];
const turn: { who: 'x' | 'o' } = { who: 'x' };

// Intentionally insecure: nothing identifies the caller, so whoever sends the
// request plays as the side whose turn it is.
app.post('/move', (req: any, res: any) => {
  const { x, y } = req.body;
  board[x][y] = turn.who;
  turn.who = (turn.who === 'x') ? 'o' : 'x';
  res.end('ok');
});

// Returns the current board to any caller.
app.get('/board', (req: any, res: any) => {
  res.json(board);
});

app.listen(3000, () => {
  console.log(`Server running at http://localhost:${3000}/`);
});
```
Since we’ve taken literally no steps towards securing this API, it’s obviously hackable. Perhaps the most obvious issue: a single player can control their opponent’s moves by moving multiple times! We could make a fancy frontend, but it’s simpler to show you what I mean with curl.
```console
# first, we make a move and check that it worked.
➜ ~ curl --json '{"x": 2, "y": 2}' localhost:3000/move # move X to bottom corner
ok%
➜ ~ curl localhost:3000/board
[[null,null,null],[null,null,null],[null,null,"x"]]%
# Now we simply move again, controlling the move that should go to our opponent...
➜ ~ curl --json '{"x": 1, "y": 2}' localhost:3000/move # uh oh...
```
Too simple? That’s the point! We could fix this by assigning a cookie to a user who starts a game, thus preventing other users from moving as them. Try it out! And add a front end. Then see if you can still hack in, after you attempt to fix the original issue.
Really, I can’t overstate the value of creating, hacking, and then fixing your own games. The more complex, the more you’ll learn!
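One way to apply the fix described above, as an added example rather than code from the original article: plain JavaScript with the game logic pulled out of Express so it runs offline. The names `createGame`, `join` and `move` are assumptions, and it goes slightly beyond the cookie idea by also checking turn order, coordinate range and occupied cells.

```javascript
// Added example: token-bound moves for the Tic-tac-toe server (names are assumptions).
// Web Crypto is a global on current Node; older releases expose it via require('crypto').
const webCrypto = globalThis.crypto ?? require('crypto').webcrypto;

function createGame() {
  return {
    board: [[null, null, null], [null, null, null], [null, null, null]],
    turn: 'x',
    players: new Map(), // session token -> 'x' | 'o'
  };
}

// Called once per player; the returned token is what the server would set as
// an HttpOnly cookie. The first caller plays 'x', the second 'o'.
function join(game) {
  if (game.players.size >= 2) return null; // game is full
  const token = webCrypto.randomUUID();
  game.players.set(token, game.players.size === 0 ? 'x' : 'o');
  return token;
}

// Validates a move before touching the board. Returns { ok, error }.
function move(game, token, x, y) {
  const mark = game.players.get(token);
  if (!mark) return { ok: false, error: 'unknown session' };
  if (mark !== game.turn) return { ok: false, error: 'not your turn' };
  const inRange = (n) => Number.isInteger(n) && n >= 0 && n <= 2;
  if (!inRange(x) || !inRange(y)) return { ok: false, error: 'out of range' };
  if (game.board[x][y] !== null) return { ok: false, error: 'cell taken' };
  game.board[x][y] = mark;
  game.turn = mark === 'x' ? 'o' : 'x';
  return { ok: true };
}

// Constructed replay of the curl session above: the second move by the same
// player is now rejected instead of being played as the opponent.
function demo() {
  const game = createGame();
  const alice = join(game);
  const bob = join(game);
  return [
    move(game, alice, 2, 2), // ok
    move(game, alice, 1, 2), // rejected: it is o's turn
    move(game, bob, 2, 2),   // rejected: cell taken
    move(game, bob, 1, 2),   // ok
  ];
}
console.log(demo());
```

In the Express handler, the token would be read from the request's cookie and passed to `move`, with a non-`ok` result mapped to a 4xx response.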
Case studies in game hacking
- Counter-Strike: Global Offensive (CS) – Aim Bots and Wall Hacks
- WoW honor farming
- Fortnite infinite health and item dupe
1. World of Warcraft (WoW) – Honor Farming Exploit
In WoW, perhaps the most popular MMORPG in history, players managed to farm honor by killing their own alt accounts. As you can imagine, legitimate players of the game were not friendly to these cheaters, many of whom were banned. As one prominent player remarked on Reddit:
You were banned justifiably. Get over it. You’re a scumbag and no one wants you around in game. Move on with your life.
…maybe you shouldn’t have honor exploited.
https://www.reddit.com/r/archeage/comments/8jrrtv/banned_for_honor_farmingexploiting/
Ouch. It’s a reminder that black hat game hacking comes with social problems, as well as legal and ethical ones.
2. Fortnite – Infinite Health and Item Duplication Glitches
It’s hard to find a young person alive today who doesn’t play Fortnite! The popularity of Fortnite, and the competition scene that’s grown around it, has of course inspired hackers to find ways to cheat. For example, watch this player on TikTok gain infinite health using a well-known exploit: https://www.tiktok.com/@vimzyeu_twitch/video/7316187285651770666.
Another major Fortnite sploit happened when players found out how to dupe certain items. The most famous version of the sploit happened in LEGO Fortnite, although it impacted various minigames within Fortnite.
Consider how much security engineering talent collectively works to protect these games, and you’ll realize how vulnerable smaller games must be. Given budget constraints and reduced tech investment, hacking small to medium sized games is easier than ever, especially on mobile.
Common vulnerabilities for hacking games
Denial of Service
Sometimes, conflicts in games lead to heated fights, and players decide to “kick” another player from the game. For example, they might obtain the victim’s IP address and flood their home network with packets, making them unable to continue playing or even accessing the game.
Social engineering
Tens of thousands of gamers have lost their accounts and things due to social engineering scams. These “exploits” hack the human mind, tricking victims into giving up sensitive info. Remember to never share your password, even with a game’s official support. If they’re real, they won’t ask for it.
Bots
Every day, software gets better at emulating human behavior. Games are no exception. In fact, many bots can play games with superior skill to any human player. Other times, bots and automation augment a real human player, for example, by giving them superhuman aim or grinding while the player sleeps.
The legendary game hacker Totally_Not_A_Haxxer gives a few samples of this type of hack in his guide to exploiting games: https://medium.com/@Totally_Not_A_Haxxer/exploiting-games-f39621ecea64.
How to learn about hacking games
First off, the best way to learn is by doing. In that spirit, you should check out writeups from classic video game CTFs: https://github.com/mrT4ntr4/CTF-Game-Challenges.
Ideally, you could simply hack into some games. We don’t recommend learning that way, for obvious ethical and legal reasons. However, you can use open source games to run a local server and hack to your heart’s content. In the meantime, you should consider learning a game framework, if you don’t know one already. And if you don’t, you’re in luck! Learning gamedev is easier than it’s ever been. Consider starting with a beginner-friendly, open source framework like Godot.
On the other hand, if you already know some technology like JavaScript or mobile dev, learn something that builds on your existing knowledge.
Oh, and a quick reading list to get you up to speed on web3 gaming:
- Security and Privacy in Web3 Gaming: What You Need to Know
- The Dark Side of Web3 Gaming: Understanding Fraud and Ensuring Security
- Web3 Game Developers Targeted in Crypto Theft Scheme
- Security Challenges in Web3 Gaming and GameFi
As always, the web3 folks love making new terms, thus “GameFi”. In any case, it’s plain to see that hackers have keenly noticed the money that investors have poured into the crypto gaming ecosystem.
Remember, it’s not about finding the perfect learning path. Instead, what matters is consistency. So stay persistent and have fun hacking games!