How I accidentally took down an EA browser game server

I didn't know how to express the content of this post more accurately in the title, so I decided to play on the fact that someone would be interested in my little story. This is a post about the importance of testing and of a well-thought-out architecture for your application, even if you are a serious organization.

I will not name the browser game; it does not matter for this topic. It is a browser strategy from Electronic Arts (EA Games).

Now for the story itself.

In the spring of this year, while looking for something to do in my spare time to give my brain a rest, I came across an online strategy game that seemed interesting enough to spend time on quietly. The game turned out to be reasonably well thought out, very beautiful graphically and even fascinating (at first). The essence of almost all browser strategies is quite similar: gather resources, build units, raid, and enjoy the leisurely construction of endless cities.


To my misfortune (or maybe fortune), I can't do monotonous things out of a sense of duty, although some people enjoy that :). The gameplay quickly bored me, which can't be said about the chat, where you could have good fun. You could say that I frolicked like a little troll (forgive the comparison), and it brought me a lot of pleasure, undeniably more than churning out units. After yet another ban from the moderators, I started thinking about how else I could amuse myself.

The idea was to create a simple chat bot for the game that could log in, keep the connection alive and spam the chat a little with prepared phrases like “Hello, wonderful world!”. It was written in plain PHP and run from cron once a minute on an ordinary virtual server. The bot was successfully collecting bans from moderators when another idea occurred to me: the game has internal mail. The idea was very simple. After parsing the names of all the top players on the server (about 1,500 nicknames), my bot, or rather 5 copies of it launched by cron, started sending letters, choosing a random nickname as the recipient. I must say right away that the letters were not malicious and only confirmed the fact of spam. Because the game had no protection against incoming letters, people suffered quite a lot when 100 or 200 unnecessary letters landed in their mailbox. I know that this is not very nice, but at that moment I was least concerned about how people felt about it; I perceived it all as a small game within the game.

After some time, I noticed an important detail of sending internal mail in the game (which actually played a fatal role), namely the “Copy” field, which I had not even looked at before. Here is a screenshot of sending a letter:



It turned out that the Copy field can contain up to 200 names separated by a colon, and a copy of the letter is sent to each nickname. As a result, a single request can send 201 letters, and this can be done once every 1-2 seconds. With several bots, it becomes clear that this is already a decent load on the server (as I understood later).

Several copies of the bot instantly caused a small armageddon on the server, because all players began to receive tens and hundreds of letters in a very short time. The effect was stunning, and the players' reaction to what was happening really pleased me. After some time, strange things started to happen on the server.

The game has, among other things, a mechanism for preserving surplus resources: if, for example, your warehouse is full, you need to do something with them. So the developers provided a way to convert ordinary resources into other types needed for various improvements, construction and so on. If my memory serves me right, 10,000 Wood turns into 1 Twilight tree, or something like that. The game also has paid services, the so-called ministers, which automatically convert resources into elite ones on the player's behalf when the warehouse is full.

The result was the following: players with millions of elite resources began to appear (and that is a great deal for that game). At first it was not clear where they came from, but the explanation turned out to be quite simple. When warehouses overflowed (a common thing in that game), the ministers of the players who had purchased them sent commands to convert resources into elite ones, apparently at very short intervals. Because the command queue was clogged with the letters sent by the bots, the conversion commands simply accumulated.

When the accumulated conversion commands finally reached the front of the queue, the server executed them without checking again whether the action was still possible. Apparently the check was made only when the task was queued, not when it was executed. This ultimately led to a complete collapse of the server economy and made continuing the game pointless, because some players had gained a huge advantage.
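The check-at-enqueue, no-check-at-execute flaw described above can be reproduced in a small model. This is an added example, not the game's code: the queue layout, class names, tick count and backlog size are assumptions, and only the 10,000-to-1 ratio comes from the article.

```python
from collections import deque
from dataclasses import dataclass

WOOD_PER_ELITE = 10_000  # ratio as the article recalls it
# Everything else (names, queue shape, tick counts) is assumed for illustration.


@dataclass
class Player:
    wood: int = 0
    elite: int = 0


class CommandQueue:
    def __init__(self, recheck_on_execute: bool):
        self.recheck_on_execute = recheck_on_execute
        self.pending = deque()

    def enqueue_mail(self, count: int) -> None:
        # Mail deliveries share the queue and delay everything behind them.
        self.pending.extend(("mail", None) for _ in range(count))

    def enqueue_convert(self, player: Player) -> bool:
        # Enqueue-time check: passes on every tick while the backlog keeps
        # the first conversion from running and the warehouse stays full.
        if player.wood < WOOD_PER_ELITE:
            return False
        self.pending.append(("convert", player))
        return True

    def drain(self) -> None:
        while self.pending:
            kind, player = self.pending.popleft()
            if kind != "convert":
                continue
            if self.recheck_on_execute and player.wood < WOOD_PER_ELITE:
                continue  # stale command: precondition no longer holds
            player.wood = max(0, player.wood - WOOD_PER_ELITE)
            player.elite += 1


def simulate(recheck_on_execute: bool, minister_ticks: int = 50,
             mail_backlog: int = 1000) -> tuple:
    player = Player(wood=WOOD_PER_ELITE)  # warehouse full once
    queue = CommandQueue(recheck_on_execute)
    queue.enqueue_mail(mail_backlog)
    for _ in range(minister_ticks):
        queue.enqueue_convert(player)
    queue.drain()
    return player.elite, player.wood
```

With the execute-time check disabled, one full warehouse yields one elite resource per queued command; with it enabled, the precondition is re-evaluated against current state and only the first command takes effect.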

Subsequently, once 5 or 6 bots were running simultaneously, the server began to lag noticeably and then went down.

Of course, I did not expect such results, a fallen server and a destroyed economy, but this shows how important correct architecture and testing are.

By the way, the next day I received this email:

Hi iSteely,
my name is David and I am the Global Community Manager at EA Phenomic and responsible for * game name *.

We noticed your recent activity in * game name * and started to mute your accounts in the chat and to ban your accounts and IPs. I would like to know your reason for these raging activities on our servers and what you want to achieve with it.

I hereby recommend you to stop it, as we won't stop banning your accounts. Behavior like this might also affect all of your other EA accounts and games.

Best regards,
David Erhard

During the correspondence, I apologized for the inconvenience and promised not to pull any more stunts like that, so everything ended well.

Update: by the way, they subsequently took measures and no longer allow players to send so many letters, limiting such actions to some reasonable time frame. So you could say I just pointed out the problem.
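The article does not say how the limit was implemented. One way to build such a limit, given the Copy-field fan-out described earlier, is to charge the quota per delivered letter rather than per request. This is an added example, not EA's fix; the class and function names are assumptions.

```python
from collections import deque

MAX_COPY_NAMES = 200  # Copy-field capacity stated in the article


def recipients(to: str, copy_field: str) -> set:
    # Copy holds nicknames separated by a colon; duplicates count once.
    names = [n.strip() for n in copy_field.split(":") if n.strip()]
    if len(names) > MAX_COPY_NAMES:
        raise ValueError("too many names in Copy")
    return {to.strip(), *names}


class DeliveryQuota:
    """Sliding-window quota charged per delivered letter, not per request."""

    def __init__(self, max_deliveries: int, window_seconds: float):
        self.max_deliveries = max_deliveries
        self.window_seconds = window_seconds
        self.history = {}  # sender -> deque of (timestamp, cost)

    def allow(self, sender: str, to: str, copy_field: str, now: float) -> bool:
        cost = len(recipients(to, copy_field))
        events = self.history.setdefault(sender, deque())
        while events and events[0][0] <= now - self.window_seconds:
            events.popleft()  # forget sends that left the window
        used = sum(c for _, c in events)
        if used + cost > self.max_deliveries:
            return False  # rejected sends are not charged
        events.append((now, cost))
        return True
```

A limiter that counts requests would treat a letter with a full Copy field the same as a letter to one player; counting deliveries makes the 201-letter request cost 201 units.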

The most interesting thing is that a very unpleasant XSS was found in the same game, one that allows you to do "terrible" things. I wrote to EA about it; they took a very long time to fix it, about two months, during which I conducted a couple of experiments with it. I can tell more if the community is interested.

About XSS:
The “Subject” field of a letter had an XSS vulnerability. It was possible to steal cookies through it, though only the most trivial ones (language settings, appearance and so on). I failed to get the cookie I needed, the one with the session, apparently because of HttpOnly. Perhaps I did something wrong, but that is not the point.

The Subject field accepted 100 characters, and because it was not filtered, any HTML tags could be inserted. That is what I did, embedding a pre-created page there through an “iframe”, something like the following (the screenshots were not saved, so I made an example to make it clearer):


This is an ordinary letter that the player received.


And this is an example of the area that could be covered using the “iframe”, “div”, “img” or other tags. You could even insert a YouTube video there (which is what I actually did); the highlight was loading background music, which continued to play even after the letter was closed.
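The unfiltered Subject rendering described above is shown here next to an output-encoded version, together with the HttpOnly cookie flag that kept the session cookie out of reach. This is an added example, not the game's code; the function names, the table-cell markup and the sample subject are assumptions.

```python
import html
from http.cookies import SimpleCookie

MAX_SUBJECT = 100  # Subject length limit stated in the article


def render_subject_unfiltered(subject: str) -> str:
    # The behaviour the article describes: stored text is emitted as markup.
    return '<td class="subject">' + subject[:MAX_SUBJECT] + "</td>"


def render_subject(subject: str) -> str:
    # Truncate the raw text first, then escape at output time, so the limit
    # can never cut an entity such as &lt; in half.
    escaped = html.escape(subject[:MAX_SUBJECT], quote=True)
    return '<td class="subject">' + escaped + "</td>"


def session_cookie(token: str) -> str:
    # HttpOnly keeps script from reading the session cookie, which matches
    # what the article observed; it does not stop injected markup rendering.
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


# Constructed sample input, not the author's payload.
SAMPLE_SUBJECT = 'Hi <iframe src="https://example.invalid/page"></iframe>'
```

HttpOnly limited what script could read, but only encoding the Subject at output stops the embedded frame from rendering at all.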

Later, another “brilliant” idea came to my mind. If you put a screenshot from the official site in the letter and write “EA management” or something similar on it, people will think that the administration of the game is writing to them, which can be used for personal gain. I'll note right away that I had no interest in getting other people's accounts; I would not have known what to do with them, and I did not want to harm people, but the curiosity was huge. “Will it really work? Is it possible that, after everything that happened on the server, someone will fall for it?” I had thoughts like these at the time.

Carrying out the plan did not take much time. I sent one letter to approximately 1000 players, after which I received about 100-120 passwords. I don't know whether the word *facepalm* is appropriate here, but nothing else came to mind then or comes to mind now. That same evening, I conducted a similar experiment on one of the European servers of the same game, sending only a letter “supposedly” from the administration, after which out of 1000 players I received only 10-20 passwords. Why, I don't know. Maybe mentality plays a role, because when you receive letters EA warns you in advance not to send your usernames / passwords to anyone, but our people have long since lost the habit of reading all kinds of warnings, probably in vain :)
