MMORPG Authentication Control Woes
An authentication scheme is only as strong as its weakest link. This video game security example comes from the MMORPG MapleStory, where a flaw in the hand-off between servers let a malicious actor take complete control of any other player's character, including Game Master characters that have access to special commands intended only for staff. Note: the issue described in this post has since been patched.
The network map for the MapleStory game server includes a login server and several channel servers, as well as servers for other aspects of the game such as the cash shop, which can be ignored here. When a player first launches the game, the client connects to the login server and prompts for a username and password; once the credentials are accepted, the player advances to the world and channel selection screen. The player chooses a world (each world is self-contained) and a channel (each world has several channels) and then selects a character within that world.
Once the player selects a character, the game client sends a packet to the login server, and the login server replies with the IP address and port of the chosen world and channel server. The client then disconnects from the login server and connects to the channel server.
The same process applies when a player switches between channels within a world while in-game: the client sends a channel change request, receives the IP and port of the selected channel server, disconnects from the current server, and connects to the new one. But wait, how does the channel server know who this player is if it is a completely separate connection? Simple: upon connecting, the client sends a packet containing its character ID. And nothing else. Oops.
But is that really exploitable? A client that connects to a channel server directly and sends the character login packet will be disconnected: the channel server only accepts the login if a logged-in client has just asked to change to that channel, so there is a pending transfer for that character ID. The problem is that the pending transfer is claimed by whichever connection presents the character ID first, and nothing ties it to the player who requested it. Anyone who knows a character ID can therefore connect directly to the channel server and send the character login packet before the original player does. When the original player arrives and sends their own character login packet, the transfer has already been consumed and they are booted back to the login screen. When they attempt to log in again, they receive an error stating that the account is already logged in. The bad actor is now playing the character, and the owner cannot regain access until the attacker chooses to disconnect.
This exploit can be made easier and mass-automated by writing a program that rapidly connects to the channel server, sends the target player's character login packet, and repeats until one attempt succeeds. Character IDs can easily be obtained from various packets, and the window opens every time a player changes channels, including during the initial login process itself.
The fix was to add a random token that clients connecting to the channel server must send along with the character ID, so that the channel server can tell the login really comes from the same player. For that guarantee to hold, the token must be unpredictable (generated with a cryptographic random source, not a counter or timestamp), handed to the client only over the connection it has already authenticated, shared with the channel server out of band, compared in constant time, and accepted exactly once, with a short lifetime so that a leaked or captured token cannot be used later.
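The following is an added example, not code from MapleStory or from this post, that models the hand-off described above in both its vulnerable and hardened forms. The class names, the in-memory "packets" (plain method calls), the 128-bit token size and the 30-second token lifetime are assumptions chosen for illustration; the real game protocol is binary and is not reproduced here. The `hijack_attempt` function plays out the race from the earlier paragraphs: an attacker that knows only the victim's character ID wins against the bare-character-ID design and is rejected once a one-time token is required.

```python
import hmac
import secrets
import time

# Constructed model of the login-server / channel-server hand-off. Packet formats,
# class names, the token size and the 30 s token lifetime are illustrative assumptions.


class ChannelServer:
    """Accepts a character login only while a transfer for that character is pending."""

    def __init__(self, require_token=False, token_ttl=30.0):
        self.require_token = require_token
        self.token_ttl = token_ttl
        self.pending = {}  # char_id -> (token or None, expiry time)
        self.online = {}   # char_id -> label of the connection that claimed it

    def expect_transfer(self, char_id, token=None, now=None):
        """Called by the login server when a client is about to move to this channel."""
        now = time.monotonic() if now is None else now
        self.pending[char_id] = (token, now + self.token_ttl)

    def character_login(self, conn, char_id, token=None, now=None):
        """Handle the first packet a freshly connected client sends."""
        now = time.monotonic() if now is None else now
        entry = self.pending.get(char_id)
        if entry is None:
            return "DISCONNECT"  # nobody asked to transfer this character here
        expected, expiry = entry
        if self.require_token:
            # Hardened path: the claim must carry the unguessable one-time token the
            # login server issued, it must not have expired, and it is compared in
            # constant time so timing does not leak how many bytes matched.
            if token is None or now > expiry or not hmac.compare_digest(expected, token):
                return "DISCONNECT"
        # Vulnerable path (require_token=False): the bare character ID is enough.
        # Either way the pending transfer is consumed, so the first valid claim wins.
        del self.pending[char_id]
        self.online[char_id] = conn
        return "OK"


class LoginServer:
    def __init__(self, channels):
        self.channels = channels

    def login(self, char_id):
        """Login screen: refuse if the character is already online on some channel."""
        if any(char_id in ch.online for ch in self.channels):
            return "ALREADY_LOGGED_IN"
        return "OK"

    def change_channel(self, char_id, channel):
        """Register the pending transfer; return the token the client must echo."""
        token = secrets.token_bytes(16) if channel.require_token else None
        channel.expect_transfer(char_id, token)
        return token  # sent to the client together with the channel's IP and port


def hijack_attempt(require_token):
    """Attacker races the victim's channel change. Returns what each party observed."""
    channel = ChannelServer(require_token=require_token)
    login = LoginServer([channel])
    victim = 12345  # character ID, harvested from game packets (constructed value)

    # Attacker spams the channel server before any transfer is pending: all refused.
    early = [channel.character_login("attacker", victim) for _ in range(3)]

    # Victim requests a channel change; the login server registers the transfer.
    token = login.change_channel(victim, channel)

    # Attacker's next attempt lands before the victim reconnects. Without the fix the
    # character ID alone suffices; with the fix the attacker must guess a 128-bit token.
    attacker = channel.character_login("attacker", victim, token=secrets.token_bytes(16))
    victim_result = channel.character_login("victim", victim, token=token)

    # A victim bounced to the login screen tries to log in again.
    retry = login.login(victim) if victim_result == "DISCONNECT" else None

    return {"early": early, "attacker": attacker, "victim": victim_result,
            "retry": retry, "owner": channel.online.get(victim)}


if __name__ == "__main__":
    print("vulnerable:", hijack_attempt(require_token=False))
    print("hardened:  ", hijack_attempt(require_token=True))
```

Two details of the hardened path matter as much as the token itself: the pending entry is deleted on a successful login, so a captured token cannot be replayed after the legitimate client has used it, and an expired token is refused even if it matches, so a token that leaks from a crashed client or a packet capture has a bounded window of use.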