In cybersecurity, ethical hackers are like digital guardians, keeping our online world safe. Game hacking adds a twist to this, giving hackers a chance to test their skills and help make gaming platforms secure. Today, we meet one of these ethical game hackers, diving into their world to understand what drives them. Let’s uncover their story, challenges, and successes as they shape the future of cybersecurity in gaming. Say hello to hg_real!
Combining my initials (HG) and the name of the company where I last worked in a corporate job.
I wanted to escape the “9 to 5” jobs, and the bug bounty concept looked interesting.
When InnoGames opened a public program on Intigriti, I got hooked. It would be a dream job: playing games, searching for security vulnerabilities, and getting paid for it! So I delved into game security research for a year and returned to use my experiences on bug bounty programs.
The two most common challenges are Anti Cheat systems and backend calls that are not standard HTTP requests. But once you get past that, numerous vulnerabilities emerge.
There are three pain points for the gaming industry: The first pain point are the cheaters in competitive games. Secondly the hackers trying to steal personal data from other players. Thirdly are DoS vulnerabilities – not volume-based DoS – but the following:
Each game has a different technology stack and requires a different approach. Sometimes games use the same technologies, but many games use custom game engines. This means you often have to write custom tools that only work on specific games. So, in summary, it’s always a challenge to approach a new game.
It’s a different mindset; sometimes you encounter “common web vulnerabilities” in games, such as:
1. IDORs
2. Privilege escalation
3. (Player) PII disclosure.
I don’t like cheaters and want to create a safe environment for the gaming community.
Completely the opposite, those who receive my reports are very satisfied with my work.
It is best to minimize the impact; no one can see you are cheating, so you have to test in isolation.
You can only test on your own player accounts, which means you have to level up different “game characters” to unlock all scopes in games.
Cheaters and hackers will always exist, but through our work, developers learn the pain points for new games in development.
This makes it more difficult time and time again to create exploits.
They internally assess with a team what the worst-case impact of my findings is and respond very transparently and honestly.
They offer beta access to find vulnerabilities early.
They provide paid in-game currency and other goodies, which makes testing easier.
Be prepared to learn and get creative; this cannot be done in a few months.
Every game publisher has different priorities, so a vulnerability that has a critical impact for company A, may have a lower impact for company B.
I would like to conduct deeper research on games running on consoles, but I have enough work, so it’s not for now.
The quality of the triage team and the professional approach of the clients.
Shoutout to InnoGames, Embark Studios, Ubisoft, and numerous other redacted game publishers for the good cooperation.
Shoutout to mattibijnens, quikke, and ferib for the great game security collaborations.
Thank you for joining us as we peek behind the scenes and meet the faces of ethical hacking. Whether you’re a gamer, a cybersecurity fan, or just curious about security, “Meet the Hacker” is your window into this fascinating world. A big thank you to hg_real for sharing their insights. Stay tuned for more interviews with hackers who are changing the game in bug bounty hunting. Get ready to learn, be inspired, and dive deep into the world of cybersecurity!