The developers behind a popular “open source MMO RTS sandbox game for programming enthusiasts” on Steam, named Screeps: World, have been forced to update their game “in order to protect both players” and their “own reputation,” following the discovery of an alleged “remote code execution vulnerability” that could allow players to take control of other players’ computers. Even worse, the person who helped uncover the vulnerability in question alleges that Valve “ignored” their reported findings.
If you’re noticing an overabundance of quotes in the previous paragraph, there’s a reason for that, as this story spawned out of a slightly nasty back-and-forth on X between Screeps: World’s developers, Screeps, LLC, and an “information security” aficionado by the name of Isaac King.
As King explained in his initial post, Screeps: World apparently allowed “any other player in the game world to gain remote access to your computer” through the use of a programming exploit. For context, Screeps: World is a programming game that lets players write their own code in JavaScript, which is then used to craft their own custom AI units.

As of this writing, the game is currently sitting at a “Very Positive” review score on Steam, having amassed roughly 1,876 reviews and, according to VG Insights, over 113,000 individual purchases.
If you’d like the exact explanation of the alleged vulnerability, I highly recommend reading King’s extremely detailed write-up of the exploit on his blog. I’ll warn you upfront, however, that it requires (at least) a basic understanding of JavaScript to fully follow.
Fortunately, King includes an analogy for “non-programmers” in the conclusion: “imagine if there were one particular kind of unit in Starcraft that, if you trained it, let people hack your computer. And when pointed out, the game designers said ‘well this is self-inflicted, the players all chose to train that unit’.”
King also explains that the developers have been aware of the issue since July 2024, as one of Screeps, LLC’s two developers replied to a report on GitHub detailing the vulnerability. The dev in question replied, stating that they “do not see this as a serious security threat.” However, a user from the Screeps Discord noted that the vulnerability had been successfully abused in the past.
Once the initial post on X started to gain traction, the official Screeps X account replied, stating that the accusation was “at the very least, a clickbait exaggeration, and at worst, malicious defamation intended to cause reputational damage.” However, they also acknowledged that the alleged vulnerability has, as of January 25, been removed from Screeps: World.
The potentially more worrying side of this is that King noted in his blog post that he’d reported the issue to Steam directly, but didn’t receive a reply: “I reported the game to Steam, which of course they ignored. Their terms of service make them not liable for any hacks caused by malware on the platform, so if it’s getting sales from which they can take a cut, why do anything about it?”
We’ve reached out to Valve to corroborate this, and will update the piece if they reply.


