IT Risk Consultant says New World developers “should be ashamed of themselves” over code injection vulnerability

Source: Amazon Game Studio

We are still learning new things about the potential dangers of the New World exploit discovered last Friday, and the situation may be worse than first thought. Not only is direct code injection possible in every text box in the game, but the developers also seem not to understand how to fix the problem.

For those who missed it, New World players Josh Strife Hayes and Callum Upton discovered on Friday that the game’s text boxes are rendered as HTML and that the text entered into them is not sanitized, which in short means you can run client-side code from any text box in the game. Although Amazon has claimed that this is not the case, there is overwhelming evidence, with many players demonstrating it at the time of writing.

“Every developer at Amazon Game Studio should be ashamed to let this go live,” said an IT Risk Consultant. “It’s hard to underestimate how incompetent this is. As if they would teach you not to do this in a bad high school web developer class.”

They told me that the bug could potentially not only break systems within the game but, in theory, also be used to access someone’s PC, depending on the permissions New World runs with. The extent of the flaw is currently unknown, so it is unclear how far someone could affect the computers of other players and potentially endanger their data or even hardware.

“If this error can affect someone’s computer in addition to game files, they can use this to remotely access people’s computers, install keyloggers to pull their passwords, install viruses, ransomware, or just delete their entire Windows installation. That’s the doomsday scenario,” they explained.

Fortunately, as far as we know, no one has so far experienced the “doomsday scenario”, so there is no need to panic about your PC, at least not yet. As the consultant made clear, there is currently no evidence that this exploit goes beyond effects inside the game.

But even without the potential threat to your data and hardware, the code injection allows for some seriously harmful results in the game. According to Callum Upton’s testing, players can crash each other’s systems and black out the chat with huge images, and he even reported that the injection allows for infinite gold using a script combined with a quest that gives 50 gold. This is a clear existential threat to the New World economy.

To communicate the seriousness of the situation, the consultant said to me: “Honestly, if they can not fix this tonight [Friday], and can not determine the extent of the problem, the servers should be taken down. The game is already corrupted and cannot be played as anyone can go down in your game at any time and print infinite money. It would be a ruthless disregard for their customers to leave the game in this state IMO.”

Amazon Games Studios developers seem to have no idea what they are doing

While the exploit itself is scary enough, Amazon Games Studios’ response, or rather lack of one, is even more worrying.

The IT consultant told me, “What’s scary about this is that it seems to me that Amazon developers do not understand the nature of the problem, the nature of this very basic and easy to solve problem.”

So far, the studio has done nothing about the underlying code injection problem, the servers remain online, and the only action taken to limit the danger was to block specific strings in chat (which did not work). Having a code injection flaw this big in 2021 is unacceptable; that the studio apparently does not know what to do about it is even more so.

For context, this is an exploit that previously appeared in, and was fixed in, World of Warcraft … in 2004! More than 16 years ago, game developers solved this problem using what is now the standard method, input sanitization, so IT professionals find it unacceptable that Amazon Game Studios completely missed it.

In fact, input sanitization is not only very well known and taught in virtually every university web development course, but according to the IT consultant, it is also already built into most programming languages and frameworks. The tools are already there to escape chat messages properly and prevent code execution on the client side. The IT professional I consulted for this article said they were “confused” by this level of incompetence from the New World developers.

The patch Amazon released last Friday seemed to misunderstand the problem the studio is facing. It simply blocked the specific markup people had used to spam pictures in general chat, but you can still do that right now by writing the same code in a different order. The underlying flaw remains in the game as of this writing.
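To make concrete the difference between the sanitization described above and the string-blocking patch this paragraph criticizes, here is an added example (not Amazon’s code, nor the real patch): a minimal HTML escaper beside a vulnerable and a fixed chat renderer, plus a constructed denylist that a reordered message passes straight through. The blocked string, the sample messages and the function names are all assumptions for illustration.

```javascript
// Added example (not Amazon's code): blocking specific chat strings versus
// escaping untrusted text before it is inserted into HTML.

// Escape the five characters that let text break out of an HTML text node or
// attribute value. This is the sanitization step the article refers to; most
// web frameworks ship an equivalent, but the logic is this small.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the player's message is concatenated straight into the
// chat window's markup, so any tag inside the message is rendered as a tag.
function renderMessageVulnerable(sender, message) {
  return `<div class="chat-line"><b>${sender}:</b> ${message}</div>`;
}

// Fixed pattern: sender name and message are escaped first, so the same input
// is displayed literally and cannot introduce new elements.
function renderMessageSafe(sender, message) {
  return `<div class="chat-line"><b>${escapeHtml(sender)}:</b> ${escapeHtml(message)}</div>`;
}

// The denylist approach: refuse messages containing one exact string seen in
// the wild. Constructed entry, assumed for illustration, not the real patch.
const BLOCKED_STRINGS = ['<img src='];
function isBlockedByDenylist(message) {
  return BLOCKED_STRINGS.some((s) => message.includes(s));
}

// True when the rendered line contains no tags other than the template's own
// <div> and <b>, i.e. the message could not add any markup of its own.
function rendersOnlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?(div|b)\b/.test(t));
}

// Constructed sample messages: the second is the first with its attributes
// reordered, which is enough to pass the denylist yet render identically.
const ORIGINAL_SAMPLE = '<img src="wall.png" width="4000">';
const REORDERED_SAMPLE = '<img width="4000" src="wall.png">';
```

Run with Node: the denylist accepts `REORDERED_SAMPLE`, `renderMessageVulnerable` turns it into a live image element, and `renderMessageSafe` displays both samples as plain text.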

The details of this exploit are still emerging, so we do not necessarily have all the facts about the seriousness of the problem. Players do not need to start uninstalling New World from their devices, but until this issue is resolved, the integrity of New World is in doubt. Amazon needs to take swift, decisive action to fix the exploit plaguing its systems; otherwise it is looking at a serious crisis.

Unfortunately, the development team does not exactly fill New World players with the hope that they are in good hands. Hopefully they can get together and fix this problem very soon.
