In cybersecurity, ethical hackers are like digital guardians, keeping our online world safe. Game hacking adds a twist to this, giving hackers a chance to test their skills and help make gaming platforms secure. Today, we meet one of these ethical game hackers, diving into their world to understand what drives them. Let’s uncover their story, challenges, and successes as they shape the future of cybersecurity in gaming. Say hello to hg_real!
How did you come up with your username?
Combining my initials (HG) and the name of the company where I last worked in a corporate job.
What initially drew you towards the field of ethical hacking?
I wanted to escape the “9 to 5” jobs, and the bug bounty concept looked interesting.
Can you tell us more about your journey to becoming a hacker, including crucial moments or experiences that shaped your path?
When InnoGames opened a public program on Intigriti, I got hooked. It would be a dream job: playing games, searching for security vulnerabilities, and getting paid for it! So I delved into game security research for a year and returned to use my experiences on bug bounty programs.
What challenges do you commonly encounter when trying to find vulnerabilities in games? And in your opinion, what are some of the biggest security issues the gaming industry faces today?
The two most common challenges are Anti Cheat systems and backend calls that are not standard HTTP requests. But once you get past that, numerous vulnerabilities emerge.
There are three pain points for the gaming industry: The first pain point are the cheaters in competitive games. Secondly the hackers trying to steal personal data from other players. Thirdly are DoS vulnerabilities – not volume-based DoS – but the following:
- Crashing other players’ game clients.
- Causing other players’ mobile devices to crash.
- Bringing down game servers by sending a malicious request that causes null pointer crashes in the backend.
How do you stay updated on the latest trends and techniques in game hacking, and how do you adapt your strategies accordingly?
Each game has a different technology stack and requires a different approach. Sometimes games use the same technologies, but many games use custom game engines. This means you often have to write custom tools that only work on specific games. So, in summary, it’s always a challenge to approach a new game.
What characteristics do you find similar between game hacking and hacking on other types of assets or scopes?
It’s a different mindset; sometimes you encounter “common web vulnerabilities” in games, such as:
1. IDORs
2. Privilege escalation
3. (Player) PII disclosure.
What motivates you to hunt within the gaming sector, despite the complexity?
I don’t like cheaters and want to create a safe environment for the gaming community.
Have you ever faced criticism or resistance from the gaming industry or professionals due to your work in game hacking, and if so, how do you respond to such comments?
Completely the opposite, those who receive my reports are very satisfied with my work.
Are there any specific ethical guidelines or codes of conduct that you adhere to as an ethical hacker, and if so, how do they influence your work?
It is best to minimize the impact; no one can see you are cheating, so you have to test in isolation.
You can only test on your own player accounts, which means you have to level up different “game characters” to unlock all scopes in games.
What role do you believe cybersecurity researchers play in shaping the future of the gaming industry, especially in terms of cybersecurity and player safety?
Cheaters and hackers will always exist, but through our work, developers learn the pain points for new games in development.
This makes it more difficult time and time again to create exploits.
Have you ever collaborated with game developers or security teams to improve the security of their products, and if so, how was that experience?
They internally assess with a team what the worst-case impact of my findings is and respond very transparently and honestly.
They offer beta access to find vulnerabilities early.
They provide paid in-game currency and other goodies, which makes testing easier.
What advice would you offer to aspiring cybersecurity researchers interested in game hacking?
Be prepared to learn and get creative; this cannot be done in a few months.
Are there common pitfalls or misconceptions that you think aspiring hackers should be aware of?
Every game publisher has different priorities, so a vulnerability that has a critical impact for company A, may have a lower impact for company B.
Are there specific areas or aspects of game security that you are interested in exploring further?
I would like to conduct deeper research on games running on consoles, but I have enough work, so it’s not for now.
Why do you hunt on Intigriti?
The quality of the triage team and the professional approach of the clients.
Do you have any final words you would like to share or a quote to close?
Shoutout to InnoGames, Embark Studios, Ubisoft, and numerous other redacted game publishers for the good cooperation.
Shoutout to mattibijnens, quikke, and ferib for the great game security collaborations.
Thank you for joining us as we peek behind the scenes and meet the faces of ethical hacking. Whether you’re a gamer, a cybersecurity fan, or just curious about security, “Meet the Hacker” is your window into this fascinating world. A big thank you to hg_real for sharing their insights. Stay tuned for more interviews with hackers who are changing the game in bug bounty hunting. Get ready to learn, be inspired, and dive deep into the world of cybersecurity!
