Sit down, criss-cross applesauce, and pay attention to Damion Schubert’s latest MMO storytime hour! In this edition, the ex-Star Wars: The Old Republic developer shared the secret story behind a headlining incident in Shadowbane back in 2003.
Speaking on Bluesky, Schubert recalled the cringy and hilarious details behind a hacker running amok in the PvP MMO:
It’s been years so this story can be told: perhaps the most notorious American MMO hack happened to a game I was working on (technically I was the producer!), and it was the result of two bugs. The article makes it sound like players experienced utter chaos (and they did), but everything in that Wired article really stemmed from a single bug: a hacker found a way to teleport any item they wanted anywhere they wanted.
Like many games, our worldbuilding tools were built in a specialized version of the player client, and required an account permission check to do any god commands. Except, uh, ‘teleport object.’
Some enterprising player found he could spoof that command to the server and it would move any object anywhere. But what was REALLY impressive was the sheer myriad of ways they found to cause chaos. They teleported newbies to the hardest zone. They’d teleport guild cities to the bottom of the ocean. They teleported boss monsters to city centers. They really found EVERY way to use a teleport command to make it seem like they had total control over the server.
The good news, though, is while the teleport function didn’t have permissions on it properly, every use of it WAS logged, so it was trivial to figure out the player(s) engaging in mischief and ban them, right? Right?
Remember when I said there were two bugs? The second bug was EVEN STUPIDER. And this one was the fault of some web programmer who worked for our publisher. Turns out, a savvy hacker who knew javascript could basically COMMENT OUT THE ‘AM I BANNED’ QUERY TO THE SERVER AND JUST LOG IN. Yes, somehow, we trusted the (web) client for this.
The combination of the two issues was a perfect storm of a horrific live service nightmare. My memory is hazy (It’s been two decades) but I’m pretty sure we had to take down the servers for a couple days, specifically until we could at least get the account check fixed.
So who wants to become a video game developer again? Sounds easy!
