All games developed by Bethesda since 2001 carry a security exploit that may put Elder Scrolls Online’s launch at risk.
Update: Since The Elder Scrolls Online is being developed by ZeniMax Online Studios and uses “its own unique engine”, there is little chance this particular vulnerability will exist in the finished game.
There are two generally accepted facts when it comes to Bethesda’s RPGs: They feature vast worlds that players can explore for hours, and those worlds will be filled with various bugs. Such quirks are par for the course in single-player games, but they could create all-new problems for the MMO setting of Elder Scrolls Online. A security analyst poking around the developer’s back catalog has discovered a vulnerability within Bethesda games stretching back to 2001. While the exploit was relatively harmless for single-player titles, the same code within Elder Scrolls Online could subject players to security and privacy risks when it launches later this year.
This exploit is a format string vulnerability, which allows users to manipulate the game’s running stack. By activating specialized functions using the developer’s console, players can display information hidden in the program’s memory or, with a few keystrokes, crash the game to the desktop. The exploit has been tested using Morrowind, Skyrim, and even Fallout 3, although abuses would be understandably rare in single-player games. Trouble is, if Elder Scrolls Online uses the same code, potentially any user could access the functions of other systems, or perhaps the server itself.
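To make the bug class concrete, here is an added example (not code from Bethesda, the original researcher, or this article) of a console echo routine written so user text can never act as a format string, plus a small audit helper. The function names and sample inputs are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical console echo path; all names here are assumptions. */

/* Vulnerable pattern (left as a comment so it is never compiled or called):
 *     snprintf(out, outsz, user_text);
 * The user's text becomes the format string, so any conversion specifier
 * in it makes snprintf consume arguments that were never passed.
 * GCC and Clang report this pattern with -Wformat -Wformat-security. */

/* Hardened form: the format is a constant, user text is only ever data. */
int console_echo(char *out, size_t outsz, const char *user_text) {
    return snprintf(out, outsz, "%s", user_text);
}

/* Audit helper: count conversion specifiers in text that is about to reach
 * a format parameter. "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Returns 1 when the hardened echo reproduces the input byte for byte. */
int echo_is_literal(const char *user_text) {
    char out[256];
    int len = console_echo(out, sizeof out, user_text);
    return len == (int)strlen(user_text) && strcmp(out, user_text) == 0;
}

int main(void) {
    /* Constructed sample console inputs. */
    const char *samples[] = { "toggle fog", "%x.%x.%s", "100%% done" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s directives=%d literal_echo=%d\n", samples[i],
               count_format_directives(samples[i]), echo_is_literal(samples[i]));
    return 0;
}
```

Building with `-Wformat -Wformat-security` flags the commented-out pattern wherever it appears in a code base, which is the cheapest way to find this class of bug before release.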
So let’s say the exploit is included in Elder Scrolls Online: What’s the worst that could happen? The most likely answer is an increased risk of DDoS attacks on servers, which would prevent anyone from being able to play their recently purchased game. One could also activate administrative privileges for their characters, or even more concerning, display the account passwords of other players. That said, now that the exploit is public knowledge, hopefully Bethesda can patch any offending code before its game reaches the public. Not only would that make the launch easier on players and staff alike, but it would prevent an MMO launch disaster comparable to Diablo III in its scope.
Source: Joe’s Security Blog, via Warcry