Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Google security researcher banned from Call of Duty: Modern Warfare after ‘reverse engineering networking code’

A security researcher says he has been banned from online multiplayer game Call of Duty: Modern Warfare after reverse engineering its networking code in pursuit of memory corruption vulnerabilities.

In a blog post published yesterday (November 25), Ned Williamson urged game developers to exempt legitimate security research from anti-cheating rules after Call of Duty’s developer, Activision Blizzard, suspended his account “about a week ago”.

Google Project Zero’s Williamson, who conducted the research in a personal capacity, suspects that his activities were first flagged as suspicious when he dumped “unobfuscated code from the memory of a running game process” because “the executable was heavily obfuscated and IDA was unable to analyze it”.

The specific “flagging event” was “probably” the attachment of the WinDbg debugging tool while reading memory from the process, which he did to avoid “affecting any players” and which caused the game to exit.

He also paused the process before dumping memory. “I simply dumped an image of the game from memory in the main menu and then exited normally,” he explains.

The security and enforcement policy for Warzone – a ‘combat arena’ within Call of Duty: Modern Warfare – states that players will have their accounts permanently suspended for “decompiling or reverse engineering game code or data on disk or in memory”.

‘Clear signal’

“As a user, I think I ought to be able to research vulnerabilities when I may be at risk,” said Williamson, pointing to the potential for malicious compromise in multiplayer games that network communication between users and between the user and vendor.

The researcher said the ban “sends a clear signal: this research is not welcome”.

Despite this, Williamson noted that other researchers had reverse engineered previous iterations of the first-person shooter, and Activision had set a “precedent” in accepting vulnerability reports that resulted in CVE-2018-20817 and CVE-2018-10718.

Williamson said he had also previously “reverse engineered and fuzzed” Valve’s Counter-Strike: Global Offensive during a capture-the-flag event without incurring a penalty.

ValveRockstar Games, and Riot Games are among a growing number of video game developers with active bug bounty programs.

However, Activision Blizzard does not appear to have an active vulnerability disclosure policy.

‘Symbiotic relationship’

Williamson said he was banned from the Call of Duty platform “about a month” after temporarily shelving the research project because “the binary was so large and unwieldy”.

He insisted that he had no intention to cheat and did not “manipulate any aspect of the game for another player or even myself”.

The researcher, who had “reconnected with family and friends” by playing the game during the coronavirus pandemic, said there was no process for appealing the ban.

Advertisement. Scroll to continue reading.

He acknowledged the gravity of the cheating threat and software developers’ “need to leverage a variety of signals” to detect underhand behavior.

However, he suggested that online game developers should establish exemptions for security research, a point of contact for submitting vulnerability reports, and possibly bug bounties.

“I believe that Activision should join Valve and other publishers in fostering a symbiotic relationship with security researchers rather than an adversarial one,” he said.

“Together we can make games safer from cheaters and malicious users alike.”

The Daily Swig has contacted Activision and Ned Williamson for comment and will update the article if and when we receive responses.

Source: https://portswigger.net/daily-swig/google-security-researcher-banned-from-call-of-duty-modern-warfare-after-reverse-engineering-networking-code

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO