I Found a Game Exploit That Lets Hackers Take Over Your PC

Intro

Security vulnerabilities in online games aren't just theoretical - they happen more often than you'd think. Recently, I discovered a Remote Code Execution (RCE) exploit in Marvel Rivals that could allow an attacker on the same network to run arbitrary code on another player's device.

The Elephant

The issue is that the game uses remote code execution for its hotfix patching system, but it doesn't verify that it's connected to the real game server. The cherry on top is that the game runs with admin privileges for the sake of anti-cheat.

This type of exploit, known as Remote Code Execution (RCE), is one of the most dangerous vulnerabilities a game can have. It means an attacker could potentially run harmful commands on your PC without your knowledge - just by being connected to the same Wi-Fi.
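The missing check described above, shown as an added example that is not code from the game or from this post: a hotfix client that refuses to talk to anything except the authenticated server, next to the unverified setting. It assumes the hotfix channel runs over TLS (the post does not describe the game's actual transport), and the host name, pin value and function names are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl

# Hypothetical values for illustration; none come from the game or the page.
HOTFIX_HOST = "hotfix.example.invalid"
# Constructed stand-in for the SHA-256 pin of the server's DER certificate.
PINNED_CERT_SHA256 = hashlib.sha256(b"constructed-sample-certificate").hexdigest()


def make_unverified_context() -> ssl.SSLContext:
    """Weak setting: any host on the LAN can pose as the hotfix server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_hotfix_context() -> ssl.SSLContext:
    """Corrected setting: certificate chain and hostname are both validated."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def pin_matches(der_cert, pinned_hex=PINNED_CERT_SHA256) -> bool:
    """Compare the peer certificate's SHA-256 with the pin shipped in the client."""
    if not der_cert:  # no certificate presented
        return False
    digest = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(digest, pinned_hex.lower())


def open_hotfix_channel(host=HOTFIX_HOST, port=443) -> ssl.SSLSocket:
    """Return a socket only after the server passed validation and the pin."""
    raw = socket.create_connection((host, port), timeout=10)
    try:
        # Raises ssl.SSLCertVerificationError when chain or hostname is wrong.
        tls = make_hotfix_context().wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not pin_matches(tls.getpeercert(binary_form=True)):
        tls.close()
        raise ssl.SSLError("hotfix server certificate does not match the pin")
    return tls
```

Authenticating the server closes the same-network impersonation path, but it does nothing about the admin privileges: whatever handles hotfix content should run without elevation so that a bad payload is not executed as administrator.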

Video

Watch my breakdown of the exploit and why game security matters

Other Rant

Game developers continue to amaze me at their lack of security awareness.

In the past year, I've found at least 5 critical bugs in VERY POPULAR games that can have a negative impact on the entire player base. 3 of them still exist, because either the game dev isn't reachable, or the game dev just straight up doesn't care. Cool, right?

It's very hard for security researchers to report bugs to most game dev companies. On top of that, most do not have bug bounty programs. It is a huge shame, and it encourages people looking into video game security to not report vulnerabilities and only create hacks and bots, because that's where the money is. Thank you to those game devs that do have successful bug bounty programs!

Contributions

AeonLucid, LukeFZ, nitro, and sanktanglia all helped out, including with the network crypto.