A Marvel Rivals player has uncovered 'one of the most dangerous vulnerabilities a game can have' that'll let cheaters take over your PC and find your passwords
Well, that's not great.
Marvel Rivals has overcome a couple of difficulties since it was released at the end of last year. This mostly involved improving performance or sorting out technical issues with the breakable environment or individual hero abilities, but now it looks like its security will be the next hurdle the devs need to overcome.
A YouTuber who goes by Shalzuth revealed that he's found a vulnerability in Marvel Rivals that hackers can use as a doorway to take over your PC. The video explains the issue without giving technical details that could be used to harm other players. "Please note, this isn't about fearmongering," Shalzuth says. "It's about understanding how this class of vulnerability works and why it's so important for game developers to design hotfixes and patch updates in a secure and safe way."
It all apparently started when Shalzuth was playing Marvel Rivals, and he "noticed something odd about how the game updates the cosmetics store" because it does so without a client patch or update. "So I dug a little deeper and realised there's a flaw in how this patch system works," Shalzuth says. "Originally, it was designed so the game developers could run code to update parts of the game on your device, but there's a flaw that someone can use to execute code on your device. This is what the security industry calls Remote Code Execution (RCE)."
Hackers use RCE vulnerabilities to execute arbitrary code on a remote device, which they can then use to gain full unauthorized control over things like PCs and laptops. These attacks can then be used to install data-stealing malware, extract important data like passwords, disrupt applications, or install ransomware. All of which can be done without the owner's knowledge.
"To show how serious this can be, I created a test environment," Shalzuth says. "This setup includes two devices I own: my gaming desktop and my travel laptop. They're both connected to the same network. I'm recording this video and running the exploit from my desktop, and I'm remoting into my laptop to include it in the video."
The demo of how the RCE tool worked saw Shalzuth load up Marvel Rivals, but a problem was present before the shaders were even compiled. "This is also hilarious," Shalzuth says. "The game itself also requires admin privileges for the sake of their anticheat, so the game has full privileges, which is great. So I'm going to go ahead and approve that and sign away my computer to the game." Not a great start.
After this, as the game was launching, Shalzuth fired up the exploit tool, which began searching for packets with admin privileges. As soon as Shalzuth pressed start, the exploit tool found decryption keys, which were used to inject a Python script that would then trigger the RCE exploit, giving the desktop full control over the laptop: "At this point, my laptop is owned, it's sending all my passwords to some malicious user." All of this is possible just because the game apparently doesn't verify whether it's connected to the real game server, so it can easily be tricked.
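The missing check described above, a client that runs update code without confirming it came from the real server, can be closed by signing each hotfix and verifying it against a public key pinned in the client before anything runs. This is an added example in Go, not code from Marvel Rivals, NetEase or Shalzuth; the `Hotfix` layout, function names, version numbers and sample scripts are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hotfix is a hypothetical server-delivered script update (layout assumed).
type Hotfix struct { Version uint64; Script, Sig []byte }
var ErrBadSignature = errors.New("hotfix signature invalid")
var ErrRollback = errors.New("hotfix not newer than installed version")

// message binds the version to the script so neither can be swapped alone.
func message(version uint64, script []byte) []byte {
	msg := make([]byte, 8, 8+len(script))
	binary.BigEndian.PutUint64(msg, version)
	return append(msg, script...)
}

// SignHotfix runs on the studio's build system, never in the client.
func SignHotfix(priv ed25519.PrivateKey, version uint64, script []byte) Hotfix {
	return Hotfix{version, script, ed25519.Sign(priv, message(version, script))}
}

// VerifyHotfix is the client gate: signature first, then anti-rollback.
func VerifyHotfix(pinned ed25519.PublicKey, installed uint64, h Hotfix) error {
	if !ed25519.Verify(pinned, message(h.Version, h.Script), h.Sig) {
		return ErrBadSignature // fail closed: nothing is executed
	}
	if h.Version <= installed {
		return ErrRollback // a replayed old hotfix is refused too
	}
	return nil
}

// DemoKey makes a throwaway key pair standing in for the studio's signing key.
func DemoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	return pub, priv
}

func main() {
	pub, priv := DemoKey()
	good := SignHotfix(priv, 7, []byte("store.refresh()")) // constructed sample
	forged := Hotfix{7, []byte("not_from_studio()"), good.Sig} // altered in transit
	fmt.Println(VerifyHotfix(pub, 6, good), VerifyHotfix(pub, 6, forged), VerifyHotfix(pub, 7, good))
}
```

Only the public key ships with the client, so someone who can read or modify traffic on the local network has nothing to forge a valid signature with.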
Luckily, this exploit has its limitations right now. A hacker would need to be on the same Wi-Fi as you in order to see packets on your network. So you're in the most danger if you start up Marvel Rivals while sitting at a coffee shop, are on a university or college campus, or have a simple Wi-Fi password that someone local to you could easily figure out. Theoretically, internet service providers' employees who have access to packets going over your network could also make use of this exploit. But just because the odds of players being affected by this exploit are low, it doesn't make it any less unnerving.
Shalzuth goes on to discuss in a blog post just how frustrating it is to keep encountering poor security protections in substantial games. "In the past year, I've found at least five critical bugs in VERY POPULAR games that can have a negative impact on the entire player base. Three of them still exist because either the game dev isn't reachable or the game dev just straight-up doesn't care.
"It's very hard for security researchers to report bugs to most game dev companies. On top of that, most do not have bug bounty programs. It is a huge shame, and it encourages people looking into video game security not to report vulnerabilities and only create hacks and bots because that's where the money is. Thank you to those game devs that do have successful bug bounty programs."
It's unclear whether NetEase is taking this claim seriously. While commenters claim that they have raised this issue with the developers, there's no concrete evidence that the developers are aware of this problem yet. I've reached out to NetEase for a comment, and while I haven't heard anything yet, I'll update this article once I do.
Elie is a news writer with an unhealthy love of horror games—even though their greatest fear is being chased. When they're not screaming or hiding, there's a good chance you'll find them testing their metal in metroidvanias or just admiring their Pokemon TCG collection. Elie has previously worked at TechRadar Gaming as a staff writer and studied at JOMEC in International Journalism and Documentaries – spending their free time filming short docs about Smash Bros. or any indie game that crossed their path.