Comment by bearjaws

Comment by bearjaws 9 days ago

11 replies

4 months from report to remediation... absolutely pathetic.

This could have been exploited to just unban every account that has ever been banned. This guy would have made a fortune selling just that exploit to cheaters.

ronsor 9 days ago

Selling the exploit? No. What you do is offer an unban API and charge $1 per call.

  • edm0nd 9 days ago

    You would be able to charge much more than $1 per call and the real $ wouldn't come from unbanning but banning instead.

    Think about being able to empower a kid to ban anyone they want.

    It would turn into chaos but I do not think such a service would be long lived as it would generate so many support tickets and issues that EA would start looking into how it was happening.

    • jerf 8 days ago

      If someone was out to maximize chaos and not just make money, this is in all seriousness in the class of problems that someone intelligent could have used to all but destroy EA. You don't offer an API with targeted usage, and you sure don't ban everyone.

      There's lots of fun ideas you can go for here, but just as one, suppose I spend a month banning accounts that haven't played much, but more than zero. Then go quiet for a couple of weeks. EA frontline support notices but if you play your cards right they don't put the pieces together and nobody is quite roused to investigate. Then you start up again, somewhat faster, spend a couple of days banning a good chunk of medium sized accounts. Then maybe at the end you ban the biggest accounts as quickly as you can.

      Now the bannings are news. EA's PR is probably completely blown out by the crisis and starts saying contradictory things. (My guess is that initially they end up backing their right to ban people and releasing statements to the effect of how right they probably are; this is, in the end, a huge mistake on their part.) Gamers can be reliably expected to start a ton of rumors, take them in the worst way possible, and antagonize EA, and EA is pretty likely to make at least one class-A error in being antagonistic back. (The hackers could even supply some of the rumors and some bots to get them going, though I doubt it'll be necessary. The gamer community is pretty well primed to turn on EA.) A ton of people who are curious but figure this can't be affecting them because they hardly use the service log in and discover they've been banned despite not having done anything on EA in six months. The fire rises as they post to reddit and hundreds of people chime in with "WTF, me too!", even if it's only a small percentage of the total people who check.

      Several days later, EA puts all the pieces together confidently enough to be sure that they can announce it's a hack. They're right. Nobody cares. Half of the gamer community doesn't even believe their defense.

      It's hard to guess what the upper bound of damage is on this scenario.

      • edm0nd 8 days ago

        I think you are right, banning would cause too many issues and be loud.

        I think the real quiet $ maker would be stealing usernames instead.

        Like if you wanted the EA gametag of jerf but someone else had it, you could steal it using OPs method if it was still unpatched. A pay service for this would be viable in low volume and on the EA side it would just look like the user did it.

        The seller of service would have to implement some kind of checks to make sure for example they weren't stealing the username of a top streamer or etc which would bring heat.

  • Aachen 8 days ago

    Then you're on the hook and the income dries up when they find out. Selling for cash up front means you got 90% of the law if the prosecution decides you've done something wrong and finds you in the first place (the use of exploits is commonly illegalised, and often indirectly the discovery or development, but not the knowledge or sale)

    Not that I'd advise either course of action for the players' sake

  • tomschwiha 9 days ago

    You could turn it into a simple subscription based service: pay to stay (unbanned).

    Pretty sure "price restructuring" (price increases) will be paid by most users (cost sunk fallacy).

    • darkwater 9 days ago

      Yeah, if Alice and Bob are at war, accept a huge payment by Alice to ban Bob, and then ask Bob a small recurrent fee to unban his account til the next payment.

      Mafia style. The second part is called "pizzo".

  • h1fra 9 days ago

    $1 is not very ambitious when people have sometimes thousand of dollars worth of games :D

    • bearjaws 9 days ago

      Not to mention mainstream cheats are going for $50+ a WEEK.

grantwu 9 days ago

The timeline says that the initial report was 6/16 and the initial patches were 7/8 and 7/18.

It's not clear to me what was exploitable when.