Email to Mobster World Admin
Let me be honest - I played originally and noticed a lot of exploits. I used them because it seemed funny to become super rich instantly. I'd be surprised if you weren't pissed off for this, but like it or not I have some good advice. I know about a good number of exploits, and I don't play the game anymore, mostly because it's too time-consuming to play without cheating, and believe it or not I don't find cheating to be fun. But I hate to see people paying for something so easy to hack.

Don't take too much offense, but I'm amazed at the number of ways in which the average person can break into your app. You really need to do some research on security if you want to have a long-lasting pay-to-play game.

Almost every cheat I've found has to do with hidden fields. You use forms in a lot of places, and you store VITAL information in "hidden" fields. I guess you're not aware, but it's child's play to modify these fields. I could show my wife (a computer dummy) how to modify those fields in about 5 minutes. Everything from the login to the stores uses these hidden fields. In the case of the login, it makes it very easy to get past the security code. I simply change the field to whatever I want, and it lets me in without ever viewing the pictures. At the stores, I can change the hidden field "value" to 0, and buy anything for free! Similar exploits are all over the place - shooting a player has a spot for upkeepdamage, clips to use, and "addedbonus"; I can get 100% shot accuracy without ever damaging my weapon or using ammo just by changing these fields.

In other words, every place you use hidden fields, you need to stop using them, and put all the values, bonuses, etc. in the server-side scripts. Any time you expose any internals to the world, they're unsafe. The scripts should validate everything carefully before accepting the values as being "good".

I also noticed that your emails were vulnerable to XSS attacks.
With careful planning, I was able to create an email that made me automatically shoot any player of my choosing, and then delete the email automatically, leaving no trace of the cheat. Essentially I could have sent this to somebody and made them shoot their own Don. I never ended up using it, and I think you may have fixed the issue by disallowing HTML (and JavaScript) in the forums and email. If you didn't fix this, you should do so right away. Simply converting all "<" characters to "&lt;" should be enough, but I'm not up on all the XSS information, so there may be more. I think PHP's got a command that'll do it for you, so if you can dig through the docs, it'll be your best bet.

I don't know much about "real" hacking, so this is all the information I can give you. If possible, you should look at any PHP security information you can and see if you're likely to get hit by other attacks.
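An added example in PHP (the language the email names), not code from the email or from Mobster World: a store handler that trusts the hidden price field beside one that prices server-side, a session-based check for the login picture code, and the output escaping the email alludes to. Item names, prices, the player array and the session key are constructed for illustration.

```php
<?php
// Added example, not the game's code: item names, prices, the player array
// and the session key are constructed for illustration.
// BEFORE: the price comes from a hidden <input name="value"> posted back by
// the browser, so whoever edits the form sets their own price.
function buyTrustingHiddenField(array $post, array &$player): bool
{
    $price = (int) $post['value'];                 // attacker-controlled
    if ($player['cash'] < $price) return false;
    $player['cash'] -= $price;
    $player['items'][] = $post['item'];
    return true;
}

// AFTER: the client may only name the item. The price (and any bonus) lives
// in server-side data, and the name is validated against that data first.
const CATALOG = ['pistol' => 500, 'shotgun' => 2000, 'vest' => 1500];

function buyServerPriced(array $post, array &$player): bool
{
    $item = $post['item'] ?? '';
    if (!array_key_exists($item, CATALOG)) return false;  // unknown/tampered
    $price = CATALOG[$item];
    if ($player['cash'] < $price) return false;
    $player['cash'] -= $price;
    $player['items'][] = $item;
    return true;
}

// Same principle for the login picture code: compare against the value kept in
// the server-side session, never against a hidden field the form echoes back.
function securityCodeValid(array $post, array $session): bool
{
    return isset($session['security_code'], $post['code'])
        && hash_equals($session['security_code'], (string) $post['code']);
}

// Email/forum bodies: escape on output so "<" becomes "&lt;" (quotes too).
function renderUserText(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed demonstration: a form edited to post value=0 for a shotgun.
$tampered = ['item' => 'shotgun', 'value' => '0'];
$player = ['cash' => 100, 'items' => []];
var_dump(buyTrustingHiddenField($tampered, $player));  // tampered price used
$player = ['cash' => 100, 'items' => []];
var_dump(buyServerPriced($tampered, $player));         // server price enforced
echo renderUserText('<script>shoot()</script>'), PHP_EOL;
```

The same pattern covers the shooting form: upkeep damage, clips and bonuses are computed from server-side player and weapon records, with the request carrying only the target's identifier.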