This made me think, okay, this particular exploit uses malicious code in a mod that targets an old embedded Chromium vulnerability, and can be fixed by updating the game’s dependencies. This game started a dozen years ago, but it’s still being worked on.
How many retro games that are not still in development could have vulnerabilities like that? Especially moddable games.
Outdated Chromium… Like the Steam overlay?
Or Electron
Oh yeah. That too :|
Another thing I think about sometimes is how games can be malicious too. The trend in PC gaming for a while now is “flavor of the month” where every couple months a huge breakout title comes out and everyone plays it for a few weeks.
The expectation from these games is that they run like shit despite being a fifth as graphically complex as a bigger budget game. What stops them from slipping a coin miner in for half a day at the peak of their popularity?
Schedule 1 for example. I love this game and I’m not accusing them of anything, just an example. Let’s be honest. It runs at 100fps when it could run at 1000fps. Say the dev finally optimizes it, pushes the optimizations and a coin miner in a hotfix patch with no patch notes post on Steam. Six hours later the dev removes the coin miner and pushes that as a major patch with a patch notes release calling it the “optimization update” or something. We’d be none the wiser.
Don’t take this as me saying not to support indie titles but it’s a little weird that millions of people install untrusted closed source code from 1-3 devs all at the same time every couple months.
It could happen, but especially if the game has at least some popularity on a platform like Steam I expect someone more tech savvy than average would smell a rat and start looking, or ask around, and it’d be found out.
I don’t know exactly how those work, but I imagine on top of weird CPU usage it would make very suspicious network calls too. There’s always a guy that sees stuff like that and goes “where the fuck are my cycles and packets going?”
Yeah you’d think, but when I worked in cybersecurity the thing that freaked me out the most is how often this just doesn’t happen. It can happen immediately or it can take ages.