Today’s episode of our Exploit History is a different one, because we’re not actually talking about ingame stuff. The bug however was nonetheless directly related to the game because it allowed pretty much everyone to read postings on the Arcgames Vanilla forum software that they shouldn’t have access to. As often the cause was fairly simple as one particular API call of the Vanilla software bypassed the permission system.
Getquote Bypassed Permission System
Whenever a user uses the “Quote” function, the forum sends a request to the server to retrieve the post and put it into the reply box. That call did fully ignore permissions and was able to retrieve any discussion, comment, or user reports. We saw dumps from the forum with posts we definitely shouldn’t have access to.
The structure in which we received the data didn’t allow us to completely understand where quotes where coming from. But we’re pretty sure all private areas of the forum, including mod talk and user reports, could be accessed this way. And we can’t fully rule out private messages either, although that seems unlikely. The bug has since been fixed, and PWE never acknowledged the massive hole in the software they use. No actual user data was affected by the way, but nobody should obviously be too thrilled that all posts got exposed. The report war behind the scenes for example is nothing to be proud of…
Exploit History: Locking Auctions – Caturday – Masterwork Nodes – Permadodge – Arcane Reservoir – Full GF Runs – Attribute Enhancement – Using the old Refining System – Killing Fulminorax and Valindra From Below – Skipping Shadowfell – Resonator Exploit – Safely Killing Traven Blackdagger – Foundry Power Leveling – Castle Never Picture Frame Shortcut – Infinite Buff Stacks and One-Shotting CWs – Max Level In About One Hour – No Ward Consumpion – Gateway Scripting – Temple of the Spider Exploits – Foundry Refinement Botting