
"The developers behind a popular "open source MMO RTS sandbox game for programming enthusiasts" on Steam, named Screeps: World, have been forced to update their game "in order to protect both players" and their "own reputation," following the discovery of an alleged "remote code execution vulnerability" that would enable players to take control of other players' computers. Even worse, the person who helped discover the vulnerability in question alleges that Valve "ignored" their reported findings."
"As King explained in his initial post, Screeps: World apparently allowed "any other player in the game world to gain remote access to your computer" through the use of a programming exploit. For context, Screeps: World is a programming game that lets players write their own code in JavaScript, which is then used to craft their own custom-made AI units."
"If you want the exact explanation of the reputed vulnerability, I highly suggest reading King's highly detailed write-up of the exploit . I will, however, warn you in advance that it requires (at least) a base understanding of JavaScript to fully understand. Thankfully, King includes an analogy for "non-programmers" in the conclusion: "imagine if there were one particular kind of unit in that, if you trained it, let people hack your computer. And when pointed out, the game designers said 'well this is self-inflicted, the players all chose to train that u"
Screeps: World contained a remote code execution vulnerability that allowed other players to gain remote access to users' computers via player-written JavaScript. Screeps, LLC updated the game to protect players and their reputation after discovery of the exploit. Researcher Isaac King reported the vulnerability and alleges Valve ignored his report. The game functions as an open-source MMO RTS programming sandbox where players write JavaScript to control AI units. The title holds a Very Positive Steam rating with roughly 1,876 reviews and over 113,000 purchases according to VG Insights. A detailed technical write-up and a non-programmer analogy accompany the report. The technical explanation requires JavaScript knowledge to fully understand.
Read at Kotaku