A hidden danger of MMOs

A massive multiplayer game (MMO) runs primarily on very powerful servers that live in the internet cloud. This is obviously essential so that all the interaction between players and with the game itself can take place. However a lot of the game also runs on the player’s computer, the software that does this is known as the client. In traditional boxed MMOs the client is quite big and comes on a disk when you buy the game, or as a big download.

A lot of more recent MMOs are so called browser games, because they work inside your Windows Explorer, Firefox or other web browser. Some people, very mistakenly, think that this makes these games safe. It does not. When you play the game you are letting it download client software into your computer without you knowing. And once that software is in your computer it can do anything it wants and it can download new software into your machine any time it wants without you knowing. And because you chose to download the client in the first place (by playing the game) your anti virus and anti malware protection software will see nothing.

So what could malignant client software do in your machine? Well it could log your keystrokes and send your credit card details back to its operators. You wouldn’t know this had happened until your credit card was robbed. And obviously it would know all your passwords. Another thing it could do is to access and use all your contacts, in your email, your facebook and so on. Then it could use these contacts for spamming or for spreading a virus or for lots of other purposes. Yet another thing the client software could do is to work as a trojan, taking over your computer and using it for all sorts of illegal activities. As you can see the potential downside is massive.

Now you are going to tell me that the same applies to any game. It does and there have been instances of viruses in boxed games. So basically, every time you play a game on your computer you are entering into a pact of trust with the provider of that game not to abuse their position by putting naughty software on your machine. Obviously with big, established publishers there is no problem, they have their reputations to protect and it would be commercial suicide for them to do anything wrong. So they can be trusted. However when a game company comes from nowhere and doesn’t even have an address or a phone number you are taking a massive, an enormous risk.

You can see how attractive this is for someone who intends harm. They can put a game out and very easily gain control of millions of computers. Because game players are ignorant about the client software being put on their machines. This could even be used as a weapon by a hostile government.

Finally, for some well established MMOs, it is possible to download alternative clients into your computer that have not been written by the game’s publisher. These alternative clients are engineered to do part of the game playing for you, to enable you to cheat. Once again you need to be very, very careful of these because they are not coming from the proper game publisher. So they can put anything they want inside your computer.

11 Comments


  1. “When you play the game you are letting it download client software into your computer without you knowing. And once that software is in your computer it can do anything it wants and it can download new software into your machine any time it wants without you knowing.”

    I do not believe this is generally true, or at least, it’s no more true of games than of anything else on the web. Modern browsers by design do not download and run code with arbitrary privileges without letting you know. They will download and run code, yes, for example Javascript, Flash, Shockwave, Java and Silverlight. But all these types of code are run in sandboxes that are designed to isolate the code and prevent it from gaining access to your passwords, banking details, etc.

    I think perhaps you are referring to games that require you to download and install their own custom browser plugin. (I don’t think Habbo is such a game, am I wrong?) You are right to say that such programs could do pretty much whatever they wanted on your computer. However I don’t think it’s accurate to say that they can do this “without you knowing”. All browsers I have used will display some scary messages before letting you run such a program explaining that it could be harmful and do anything to your computer. Of course, people may choose to ignore such a message.

    It’s good to remind people of the dangers of running programs that cannot be verified to come from a trustworthy source, but I think it’s also important to do so in a way that is factual and makes it clear what steps people can take to protect themselves (i.e. don’t download and install software or grant permission when the browser says a site wants to install software) without making people afraid of every single Flash game on the web.


  2. Bruce, you’re right that sometimes there are security holes in programs like Flash or the browsers themselves. However, these attacks are not special to games, and importantly avoiding playing games will not do much to help protect you! It is entirely possible for websites to run Flash applications without you seeing them. In this case, where the vulnerability is in the Flash engine, your protections are 1. (safe, but not so useful) uninstall Flash and other plugins and for good measure probably just stop using a web browser altogether; and 2. (a bit unsafe) make sure your software is always up to date with security fixes.


  3. Consumers do need the assistance of qualified individuals to make honest recommendations in this area. Bruce understands the gaming industry and appears to have good media contacts too. This is encouraging because it separates his website from general game bloggers, fan sites or those that simply promote their own products under proxy. In a sea of hype and confusion this websites is showing remarkable promise at getting to the core issues.

    Independent market analysis is crucial to legitimate users and producers of games. But while reviewers talk about games, many appear to have no understanding of the security risks that can exist within any online product.

    Articles like this have been a long time coming. Why have so many writers proved incapable of challenging MMOs? The reason of course is simple; too many people remain ignorant of what may transpire within them. To many gamers ignorance is bliss, even if their personal privacy and security is at risk.

    Sadly academic evaluation into MMOs has revolved around the notion of the metaverse rather than researching the financial and political opportunities that exist within a MMO to mine data. I find it quite absurd that in an age of recognised electronic corruption game reviewers continue to have no understanding about security features. Their ignorance in this area is all too apparent.

    In March 2009 cyber spying become a reality http://en.wikipedia.org/wiki/GhostNet. This is currently believed to transpire from within the Republic of China. In this respect all MMO commentators need to become much more informed in understanding the potential goals behind any Chinese online product, especially MMOs that deny Chinese involvement.

    In my MMO experience I have met a number of players in the field of law enforcement, the military, politics and diplomacy. Indeed I have contacted some of these people personally and many are who they claim to be. Few understand that MMOs do attract people of capacity. Many of these players use computers located in their offices. This fact is well known to any mature player, so informed individuals within China will be well aware of the intelligence gathering potential of any MMO product, especially any product that claims it can be used secrecy on office computers. The humble MMO is the perfect foil to obtain data from businesses and confidential organisations. This is why MMO users and organisation at large need to be better informed of these types of issues.

    AC


  4. What is really worrying is when people play these sorts of games at work. The potential is that they are bringing a trojan into their work computer system where it could wreak unbelievable havok.


  5. @Weeble

    One example is Centra (web conferencing/classroom).
    It installs completely from Java (there is a loader applet on the page when you attend a meeting). The only confirmation that you will be prompted with on a standard windows system is from JRE, asking you if you want to trust the Centra company. (This is standard with many applets, games, etc.)

    After this, Centra proceeds to install it’s desktop client on your system. This includes writing many files to C:\Program Files\Centra\ (including a win32 executable) and creating start-menu shortcuts. It then loads the executable, and makes a lot of network transactions (which you won’t be prompted about, except possibly if you have installed a third-party firewall).

    Now, Centra is a very fine piece of software and a pleasure to use, but this illustrates how much control and influence a Java applet may have, with only one very standard prompt. This of concern primarily because the users are willing to install the game – they are happy to click “Yes” once or twice to be able to play their game.

    Once there is a win32 binary running on the average user’s system, there is practically no limit to what it can do/install/run… spam bots, DDOS bots, keyloggers, proxies, trojans…


  6. Why would a piece of malware installed via a game through this new “Windows Explorer” browser you’ve invented, or any other mechanism, not be picked up by anti-virus or anti-malware software? They don’t care if you allowed something to be installed – they’d be pretty damn useless if they just said, “oh no, hang on, the user ALLOWED this keylogger to be installed – it must be fine. Carry on.” And have you ever noticed how any dodgy piece of software, particularly games, that does something unusual or unwelcome, gets ripped apart in days by skilled hackers & exposed as malware?


  7. Oh dear. Does this apply to Ragnarok Online? =o


  8. I totally agree with Weeble.

    I think that Bruce’s article in this case is misleading because it implies carte-blanche access of browser based software to your system. As Bruce points out correctly, if this were the case this would entail a massive risk to you as the user of browser software whether it be online banking, shopping or gaming.

    But its simply not generally true. Technology like browser Flash and Java was basically designed to provide maxmimum security to the end-user in the browser. A great deal of time and money was invested in accomplishing this so we could shop online with a reasonable degree of safety. For the most part, the same security blankets that apply to your online banking system apply to ANY bit of software running in your browser (even IF it is a game). Like most programmers I often pine and wish this wasn’t the case because it makes a mountain out of every molehill ๐Ÿ˜‰

    While Bruce and Samjetski both cited valid examples where applets seemed to have misbehaved, these are the exception rather than the the rule. Sporadic instances reveal a single flaw in the program designed not to do such things, rather than a full toolkit designed to accomplish full control over your computer. Any piece of software will have a few minor ‘chinks’ in its armor, but these are usually minor and the companies involved are always trying to close them up – not provide free-reign to the programmers.

    So I really do think that overall this article is quite sensationalist, and a little disturbing that it might be taken as gospel @AC

    Just because a few thieveries occur now and then in a certain neighborhood, DOESN”T MAKE IT A NEIGHBORHOOD OF THIEVES!


  9. you can , ( if you like) consider this as a “wake up call” to the fact that this stuff DOES happen.

    other than just letting/relying on the electronic gizmo’s do all the hard work of protecting you and your machine there is 1 small trick i’ve used for years after several guild m8’s accounts have been hacked or stolen in a number of leading MMO’s

    and it’s simply typing in my passwords in non-sequential order ..
    ie
    1)type the last half(or so) of my password
    2)click the spacer/curser to the front of the typed text
    3) and then type in the first half(or whats left) of my password.

    this way , even if my accounts have been keylogged, the hacker types in an incorrect password based on the details the keylogger would have obtained and therefore guess’s that the data to my machine is corrupted and moves on to the next name on his/her list.

    once you get into the habit of doing this , it becomes automatic and a reflex action, and i ALWAYS type in any credit card details “back to front” (in chunks) too.

    been playing MMO’s since 2001, pretty much tried them all ( proper MMO’s , not flash portal booby-traps) not been hacked yet.
    /touch wood


  10. Hi steve, your methods of prevention is indeed wise, for normal keyloggers that might really work out.. however incase if you haven’t know.. Modern keyloggers nowadays are able to send data on what is inside your clipboard (Ctrl + C/ Copied Text).

    But logically.. your method might somehow work, afterall.. Hackers who have alot of list to hack on, might possibly skip to the next one.. but who knowns.

Comments are closed.