This is the worst possible combination: players are forced to accept first-party invasive rootkits that are disruptive and ineffective, while cheaters still cheat.
IMHO the only sensible solution is to separate out the e-sports angle from the game itself. People who want to "go pro" would be free to subject themselves to anti-cheats and drinking verification cans and past some point might as well buy company-authorized computers to play on. Everyone else should just be allowed to play casually and enjoy the game without the anti-cheat nuisance (and the looming threat of a false positive).
With the main incentive for serious cheating separated out, non-pro players would only have to worry about griefers. Those are a problem too, but they can be dealt with by simpler and less invasive measures than a kernel-level rootkit.
As it is, AAA multiplayer games are basically as if FIFA were to micromanage town recreational leagues and hold them to the World Cup standard, because cheating is a Big Deal so every kid needs to take regular blood tests before the match.
Esports money...? Microtransactions are the money. Publisher-driven esports is advertising.
Publishers will pay to have ring-0 kernel access on your system but not for software securing their game.
> the game runs with admin privileges for the sake of anti-cheat
Nobody higher than the devs thought “this might be risky?”
Because I can assure you, the devs felt it was stupid and risky.
Your “Everyone thinks they're making Doom 3”. As I see it, this is not the developer's fault.
The "yes I really want to do this" confirmations you need to go through when opening up a bucket these days are about 4 deep...
Authn/z issues are real though; they'll never be fixed.
I wouldn't expect anything but code that "ships" out of them, and it's understandable why.
Now you might say, those companies are irresponsible and that well-maintained open source software doesn’t have this issue. That would mean no 0-days for Linux [5], and that the most battle-tested libraries in the world are immune from basic issues [6][7].
Software engineering is broken, it’s not just games. (Although, if you think physical construction is any better I suggest you stick a T-square in the corners of your house and figure out how many of your walls aren’t square.) You
[0] https://mrbruh.com/chattr/
[1] https://news.ycombinator.com/item?id=42849632
[2] https://en.m.wikipedia.org/wiki/2024_CrowdStrike-related_IT_...
[3] https://www.csoonline.com/article/2138177/atlassians-conflue...
[4] https://techcrunch.com/2021/07/22/a-dns-outage-just-took-dow...
[5] https://www.indusface.com/blog/rce-zero-day-vulnerabilities-...
But it is way ahead with regards to efficient hardware utilization!
These are game developers. Not backend developers. Not web guys. Not remotely trained in infosec. They make games. Not security software. And for the longest time this was acceptable.
I think for a GaaS in 2025 it's unacceptable to not have security minded engineers on staff for the backend stuff. Too much money is involved not to. Especially for studios very familiar with shipping online games.
But I'm also kind of disappointed in how much we're forgetting that these people are not infosec nerds. Last year there was a cute fishing game made by a single dude messing around making things. It got popular and a kid found an RCE bug with the multiplayer. The dude got a TON of shit for the flaw, which feels deeply unfair. I don't expect my mom to configure a router correctly. I don't expect video game developers to understand defensive network programming without training.
Maybe I'm just a little frustrated at the Internet being largely unable to understand that defensive programming is something that isn't in a game dev's trained skills. I would expect better of NetEase, however.
If anything these devs should be more cautious than the others as the risk to the end user is extreme.
Why do game developers get a pass but not "backend developers" or "web guys"? Don't the latter only "make CRUD apps, not security software"?
Nice PoC!
Update: yes, most game client processes don't run in the kernel. My b. I was just thinking that updates and content payloads might be an interesting vector for langsec.
Reminder that all three Dark Souls games allowed full RCE to any users connected to the internet: https://flashpoint.io/blog/rce-vulnerability-dark-souls/
Essentially all you're asking for them to add is better specs.
In December their revised branding guidelines added a "Powered by SteamOS" badge so presumably 3rd-party boxes with various specs in set-top form factors will be coming before too long:
> The Powered by SteamOS logo indicates that a hardware device will run the SteamOS and boot into SteamOS upon powering on the device. Partners / manufacturers will ship hardware with a Steam image in the form provided by and/or developed in close collaboration with Valve.
I strongly doubt it. Steam already tried releasing a console alternative, Steam boxes, and they massively flopped. By far the main reason for the Steam Deck's success is its portable form factor, not the fact that it's a Linux machine that runs games. It succeeded in spite of the software, not because of it.
The overwhelming majority of users are going to want either a "real" (read: Windows) PC, or a "real" (read: the same one their friends have) console.
To not go full Dropbox, but I think if someone wants a Linux PC to run games, it is within the realm for a home PC builder to accomplish. It would otherwise be a tough market to sell: “Buy this gamer PC, less great specs than you would likely pick for yourself and not compatible with the most popular games that have onerous anti-cheat rootkits”.
I'm not a Windows guy and trying to figure this out has been extremely frustrating...
Full instructions https://chatgpt.com/share/67a13960-c1b4-8002-a699-7b547c759c...
You can also skip the UAC prompt without editing the registry, by adding the following to the game's launch options in Steam:
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %command%"
Unfortunately both the executives who buy into these things, and the average consumer, are simply too... simple, to understand or appreciate that.
With all due respect, it’s ironic that you’re calling everyone else simple.
Something doesn’t have to be 100% effective to be a massive deterrent. Cheat prevention is a game of cat and mouse and anti-cheat is one of the levers. Here[0] is an example of a popular game with no anti-cheat which was completely ruined by cheaters. Did putting EAC into the game stop every single cheater? No. But it did make the experience better for a significant number of players who were having their games destroyed by cheaters.
[0] https://www.pcgamer.com/fall-guys-adding-anti-cheat-in-the-n...
"sake of anti-cheat" should be taken lightly here. There is a reason why all the other sane anti-cheats have at least two applications: the anti-cheat service, which often runs as admin, and the game, which does not. Running the game as admin is quite frankly inexcusable.
The service often does the network comms and communicates with a kernel-mode driver and/or with the application via IPC or similar. Having defined barriers of separation is a good thing.
In any case, this PoC doesn't necessarily have huge implications for most people, but maybe in SEA or China, where LAN cafes are more prevalent, it could be a larger concern.
good writeup! thanks!
Does he mean that this is potentially how one could install custom firmware on their console?
Curious because I remember reading somewhat recently that console vendors have locked their consoles down well enough so as to avoid any vulnerabilities which could be exploited to install custom firmware. It would be amusing if that was invalidated by game dev security and I start hearing about ways to install some modded firmware, which include a step of "install one of these games".
IIRC, the web browser on 3DS systems was exploited to install custom firmware rather than a game so it was rather easily patched with a system update (and, indeed, it actually was patched). I wonder if we'll be seeing Sony/Nintendo/Microsoft start to insist on certain security standards as a result of games being exploited to install custom firmware on the devices they sell, presuming the answer to my first question is affirmative.
Sort of. It's a userland code execution exploit, which is often the first step, but all games run in a locked down VM specifically to protect against things like this, so you still need a kernel/hypervisor exploit to escape the VM and actually mess with the system in any significant way.
Just build a JSON API! It's not that hard! You don't need to RCE your game every time it launches just for microtransactions.
I agree that a JSON API is a better approach, but it's possible for AAA game developers to screw that up too: https://arstechnica.com/gaming/2021/03/developers-to-update-...
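Added example, written for this thread by the editor; it is not code from the linked write-up, from NetEase, or from any game discussed above. It puts the two designs side by side: a launcher that executes whatever the store server returns (the "RCE your game every time it launches" pattern the comment above objects to) and a data-only JSON channel whose payload is authenticated and checked against a fixed schema before game logic ever sees it, which is also the langsec point raised earlier about update and content payloads. The offer fields, function names and DEMO_KEY are all hypothetical; the sample catalogue and the forged replies are constructed inline so the script runs offline. HMAC is used only so the example needs nothing beyond the standard library; a shipping client should hold just a public verification key (Ed25519 or similar) so that nothing extractable from the game binary can mint valid payloads.

```python
"""Editor's added example: 'execute the reply' vs 'verify, parse, validate the reply'.
Hypothetical names; DEMO_KEY and CONSTRUCTED_OFFERS are constructed demo data."""
import hashlib
import hmac
import json

# Constructed demo key. Stdlib HMAC stands in for a real public-key signature.
DEMO_KEY = b"demo-only-shared-secret"

# Constructed sample catalogue, as the store server would publish it.
CONSTRUCTED_OFFERS = [
    {"sku": "skin_01", "price_cents": 499, "currency": "USD"},
    {"sku": "bundle_02", "price_cents": 1999, "currency": "USD"},
]


def apply_offers_by_exec(server_response: str) -> dict:
    """The pattern the thread complains about: the client runs the reply as code.
    Whoever controls the reply (the server, or anyone on the path if the channel
    is unauthenticated) gets code execution with the game's privileges."""
    namespace: dict = {}
    exec(server_response, namespace)  # the vulnerability being illustrated
    namespace.pop("__builtins__", None)
    return namespace


# Data-only channel: fixed schema, exact types, authenticated envelope.
ALLOWED_FIELDS = {"sku": str, "price_cents": int, "currency": str}


def _tag(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_offers(offers: list, key: bytes = DEMO_KEY) -> str:
    """Server side: canonical JSON body plus a MAC over exactly those bytes."""
    body = json.dumps({"offers": offers}, sort_keys=True, separators=(",", ":"))
    return json.dumps({"body": body, "tag": _tag(body, key)})


def parse_offers(envelope: str, key: bytes = DEMO_KEY) -> list:
    """Client side: verify first, then parse, then validate the shape; never execute."""
    outer = json.loads(envelope)
    if (not isinstance(outer, dict) or not isinstance(outer.get("body"), str)
            or not isinstance(outer.get("tag"), str)):
        raise ValueError("malformed envelope")
    body, tag = outer["body"], outer["tag"]
    if not hmac.compare_digest(_tag(body, key), tag):  # constant-time compare
        raise ValueError("bad signature")
    data = json.loads(body)
    offers = data.get("offers") if isinstance(data, dict) else None
    if not isinstance(offers, list):
        raise ValueError("offers must be a list")
    checked = []
    for offer in offers:
        if not isinstance(offer, dict) or set(offer) != set(ALLOWED_FIELDS):
            raise ValueError("unexpected or missing fields")
        for field, expected_type in ALLOWED_FIELDS.items():
            # type() rather than isinstance(): bool is a subclass of int in Python
            if type(offer[field]) is not expected_type:
                raise ValueError(f"{field}: wrong type")
        if offer["price_cents"] < 0 or len(offer["currency"]) != 3:
            raise ValueError("out-of-range value")
        checked.append(dict(offer))
    return checked


def tamper_price(envelope: str, sku: str, new_price: int) -> str:
    """Simulate an on-path attacker editing the body without being able to re-sign it."""
    outer = json.loads(envelope)
    data = json.loads(outer["body"])
    for offer in data["offers"]:
        if offer["sku"] == sku:
            offer["price_cents"] = new_price
    outer["body"] = json.dumps(data, sort_keys=True, separators=(",", ":"))
    return json.dumps(outer)


def demo() -> dict:
    """Exercise both channels against constructed replies and report what happened."""
    results = {}
    # 1. exec channel: a reply that is not a price list at all still runs.
    ns = apply_offers_by_exec("offers = {}\nattacker_ran = True")
    results["exec_ran_attacker_code"] = ns.get("attacker_ran") is True
    # 2. data channel: a genuine envelope round-trips.
    good = sign_offers(CONSTRUCTED_OFFERS)
    results["valid_parses"] = parse_offers(good) == CONSTRUCTED_OFFERS
    # 3. price edited in transit: tag no longer matches, client rejects it.
    try:
        parse_offers(tamper_price(good, "skin_01", 1))
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    # 4. correctly signed but wrong shape (buggy server, or attacker holding the
    #    key): the schema check still refuses it instead of letting it into game logic.
    bad = sign_offers([{"sku": "skin_01", "price_cents": "499", "currency": "USD"}])
    try:
        parse_offers(bad)
        results["bad_type_rejected"] = False
    except ValueError:
        results["bad_type_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The order in parse_offers is deliberate: the MAC is checked over the raw body bytes before any JSON decoding, so a forged or corrupted payload is dropped before the parser touches it, and the schema check afterwards is an allow-list (exact field set, exact types, range limits) rather than a deny-list, so a well-signed but malformed reply from a buggy server is refused just the same.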
It would have been a tiny bit funny if it had been the same company that was just briefly banned that was allowing a remote exploit.
Because game developers are SUPPOSED to be aware of these things?
> It's very hard for security researchers to report bugs to most game dev companies. On top of that, most do not have bug bounty programs
Yet the OP blames the GAME developers…
They already have harder jobs than the majority of us, picking on them for not knowing skills outside of their area is just being mean and OP is targeting frustration at the wrong group.
And this is not a story unique to NetEase. I have multiple other examples that I’ll probably talk about in the future.
> Because game developers are SUPPOSED to be aware of these things?
If a civil engineer amazed people with their lack of structural integrity awareness, they wouldn't be trusted to build a house of cards let alone a bridge open to the general public. Software developers write defective, bug-ridden and unsafe public-facing devices and services that are open to the entire world and we shrug whenever there's a major cybersecurity or software crash catastrophe.
If software engineers were held to the same standards of accountability and liability as real engineers when they apply their signature at the bottom of a design calculations document, maybe we'd stop shoveling trivially wormable garbage onto the Internet without a second thought.
> Any developer who does that should be aware of the security risks they’re taking.
Developer, yeah; someone who’s focused on recreating the game, probably not.
I’ll say this, every single game dev I’ve ever met, has no clue how to navigate bureaucracy. I’m not saying it’s a type, but it’s not random, they have other things to worry about.