En Masse confirms TERA chat vulnerability and potential security breach as servers go down for emergency maintenance

Earlier today, TERA players began circulating the claim that an in-game chat vulnerability was allowing hackers to wreck up all regions of the game the way only hackers can. En Masse has now confirmed that vulnerability and says that Bluehole is focused on fixing the problem, but it doesn’t reveal the potential extent of the damage.

“The developers of TERA were immediately made aware of the vulnerability and they are exploring an appropriate course of action with the highest urgency,” the studio wrote this evening. “While they do so, the team at En Masse is continuing to investigate and assist the developers in any way possible. There are very serious claims floating around of what this vulnerability potentially allows malicious users to do. We are taking these claims very seriously but, as of this time, we have no evidence that the vulnerability is being exploited in these ways or that any player information has been compromised.”

The post is closed, and En Masse doesn’t give guidance on how players should proceed; it only requests that players with helpful information PM the staff on the official forums. Redditors, meanwhile, have gone into meltdown, warning each other not to log in or use proxy services in the meantime, though that may be moot as the servers are being taken offline for “exceptional maintenance.”

We reached out to En Masse early this afternoon and still await reply; we’ll update if the response differs from the one on the forums.

Source: Official site, original Reddit post (archived), forums. With thanks to Corey, Berry, and everyone else who sent this in!
15 Comments on "En Masse confirms TERA chat vulnerability and potential security breach as servers go down for emergency maintenance"

Serrenity

Unpopular opinion: But a high impact vulnerability with, up until this point, a low rate of annual occurrence. So as I said below, I won’t nail them for the vulnerability when it was undiscovered if their Risk Assessment put it low down on the totem pole, but with all the press it’s getting the rate of annual occurrence just increased exponentially.

Utakata

…as long as my Elin army ears and tails are where they should be when I next log, I am okay while EM sorts this mess out…I think. /crosses pigtails :(

RJB

luL

Leiloni

There was also a repost of that Google doc on /r/MMORPG if anyone wants to read/contribute to that discussion – which I might add is obviously not EME moderated, so more free for discussion.

TERA now potentially malware from MMORPG

kgptzac

tl;dr: tera chat is in html. claims that people can link an image to get your ip, crash your game, and allegedly delete your in-game character or even remote code execution.

Schlag Sweetleaf

[image attachment: terable hack.gif]
Bruno Brito

I play Tera for the visual novel elements.

Utakata

:(

berryble

Just a slight correction: Enmasse (NA) didn’t take the servers down, they’re still requesting solid proof and such. GameForge (EU) took action to implement some “security” (disabling most of the public chat channels such as whispers, global, and trade; however ineffective it will be, at least there’s something). This is especially infuriating as the game has been suffering from severe exploits for at least half a year, and according to “Tera Player Council” members, Enmasse was made aware of this issue ages ago and yet nothing happened, so this vulnerability has been there for months yet no action was taken until the developer community took it to Reddit after it was leaked.

kgptzac

Seriously unsanitized html in game’s chat. wtf are people thinking when they coded this shit?
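The two kgptzac comments above describe the failure mode (chat text rendered as HTML, so an image tag in a message makes every recipient's client fetch a remote URL). The following is an added illustration, not code from TERA, Bluehole or En Masse: it contrasts a renderer that drops message text straight into markup with one that escapes it, shows an allowlist variant for clients that genuinely want bold/italic formatting, and includes a detection-side check a moderator pipeline could run on chat logs. All sample messages are constructed and the host name is a placeholder.

```python
"""Added example (not the game's own code): rendering chat text as raw HTML
versus escaping it, plus a log-side check for markup in messages.
Sample messages are constructed; tracker.invalid is a placeholder host."""
import html
import re

# Constructed sample chat lines, one of them carrying an image tag of the
# kind the comments describe (a recipient's client would fetch the URL).
SAMPLES = [
    "gg wp everyone",
    'hey look <img src="http://tracker.invalid/pixel.png">',
    "<script>alert(1)</script>",
    "<b>bold</b> text & more",
]

# Matches any HTML-looking open or close tag.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")
# Pulls src= / href= values so a defender can see what a client would load.
URL_ATTR_RE = re.compile(r'(?:src|href)\s*=\s*["\']([^"\']+)["\']', re.I)

# Tags that may survive if limited formatting is a product requirement.
ALLOWED_SIMPLE_TAGS = ("b", "i", "u")


def render_unsafe(message: str) -> str:
    """The pattern the thread complains about: message text becomes live
    markup in the chat pane, so tags in the message are executed by it."""
    return f'<div class="msg">{message}</div>'


def render_safe(message: str) -> str:
    """The fix: escape &, <, >, " and ' so the text is displayed, not parsed."""
    return f'<div class="msg">{html.escape(message, quote=True)}</div>'


def sanitize_allowlist(message: str) -> str:
    """Escape everything first, then re-enable only attribute-free allowed
    tags. Anything carrying attributes (src, href, event handlers) stays
    escaped and therefore inert. Case-sensitive on purpose: <B> stays text."""
    escaped = html.escape(message, quote=True)
    for tag in ALLOWED_SIMPLE_TAGS:
        escaped = escaped.replace(f"&lt;{tag}&gt;", f"<{tag}>")
        escaped = escaped.replace(f"&lt;/{tag}&gt;", f"</{tag}>")
    return escaped


def contains_markup(message: str) -> bool:
    """Detection check for chat logs: flag any message that contains a tag,
    which lets staff log or rate-limit senders before a client fix ships."""
    return TAG_RE.search(message) is not None


def embedded_urls(message: str) -> list:
    """List the URLs a naive HTML renderer would make the client fetch."""
    return URL_ATTR_RE.findall(message)


if __name__ == "__main__":
    for msg in SAMPLES:
        print("raw    :", render_unsafe(msg))
        print("escaped:", render_safe(msg))
        print("allow  :", sanitize_allowlist(msg))
        print("markup?:", contains_markup(msg), "urls:", embedded_urls(msg))
        print()
```

The allowlist variant is deliberately simple (it does not balance tags), which is acceptable because an unbalanced `<b>` only affects presentation; the security property, that no attribute ever reaches the parser, holds regardless.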

the_balance

It was either an incredibly dangerous oversight, or intentionally put into the game and utilized one way or another by those that put it there.

There is a 0% chance I’ll believe ANY cybersecurity/integrity professional honestly missed this and screwed up. That’s not what happened here – this is an obvious thing that ANYONE whose job it is to catch these things would’ve caught.

Someone either got a job they weren’t qualified to perform, or let it get in.

It’s interesting to see where this all goes.

Serrenity

Enterprise security isn’t necessarily the first thought when developing games, and almost definitely wasn’t when Tera was being developed. The game launched in 2011, and development started several years before that. Security/vulnerabilities within the systems of the game client were likely not even a consideration when the game was originally built. Likely, the developers knew it was a vulnerability, but the risk assessment wasn’t very high and it was probably noted as an accepted risk by secops.

You have to be super careful when you think about this stuff that you aren’t judging it by today’s security landscape. Cybersecurity has changed drastically in the last few years and issues have become a lot more pervasive. In a game that’s been running for a few years, what makes best security sense now wasn’t necessarily the expectation when the feature was developed.

I wouldn’t get all up in En Masse’s bizness over an identified vulnerability, but if they opt to not fix the vulnerability, that’s a totally different story.

Dušan Frolkovič

You are assuming a security guy went over the code.
I would not be surprised if none did.

rafael12104

Man… that doesn’t sound good, does it.

Utakata

:(
