The builders behind a well-liked “open supply MMO RTS sandbox recreation for programming fanatics” on Steam, named Screeps: World, have been compelled to replace their recreation “so as to shield each gamers” and their “personal status,” following the invention of an alleged “distant code execution vulnerability” that might allow gamers to take management of different gamers’ computer systems. Even worse, the one that helped uncover the vulnerability in query alleges that Valve “ignored” their reported findings.
If you happen to’re noticing an overabundance of quotes within the earlier paragraph, there’s an excellent purpose for that, as this story spawned out of a quite nasty back-and-forth on X between Screeps: World’s builders Screeps, LLC and an “info safety” aficionado by the identify of Isaac King.
As King defined in his preliminary submit, Screeps: World apparently allowed “every other participant within the recreation world to realize distant entry to your pc” by means of using a programming exploit. For context, Screeps: World is a programming recreation that lets gamers write their very own code in JavaScript, which is then used to craft their very own custom-made AI items.
As of this writing, the sport is at the moment sitting at a “Very Constructive” evaluation rating on Steam, having amassed roughly 1,876 evaluations and, in accordance with VG Insights, over 113,000 particular person purchases.
If you would like the precise clarification of the reputed vulnerability, I extremely counsel studying King’s extremely detailed write-up of the exploit on his weblog. I’ll, nevertheless, warn you upfront that it requires (a minimum of) a base understanding of JavaScript to completely perceive.
Fortunately, King consists of an analogy for “non-programmers” within the conclusion: “think about if there have been one specific form of unit in Starcraft that, when you skilled it, let folks hack your pc. And when identified, the sport designers stated ‘nicely that is self-inflicted, the gamers all selected to coach that unit’.”
King additionally explains that the builders have been conscious of the problem since July 2024, as one among Screeps, LLC’s two builders replied to a report on GitHub detailing the vulnerability. The dev in query replied, stating that they “don’t see this as a severe safety risk.” Nevertheless, a person from the Screeps Discord famous that the vulnerability had been efficiently abused previously.
As soon as the preliminary submit on X started to realize traction, the official Screeps X account replied stating that the accusation was “on the very least, a clickbait exaggeration, and at worst, malicious defamation meant to trigger reputational harm.” Nonetheless, additionally they said that the alleged vulnerability has, as of January 25, been faraway from Screeps: World.
The doubtless extra worrying facet of that is that King famous in his weblog submit that he’d reported the problem to Steam instantly, however didn’t obtain a reply: “I reported the sport to Steam, which in fact they ignored. Their phrases of service make them not chargeable for any hacks brought on by malware on the platform, so if it’s getting gross sales from which they will take a reduce, why do something about it?”
We’ve reached out to Valve to corroborate this, and can replace the piece in the event that they reply.
