After earlier discovering an exploit that enabled a Firefox extension to be secretly downloaded whilst a user runs an Instant Play application, James Rhodes has discovered several more vulnerabilities in YoYo Games’ Instant Play feature.
One vulnerability can fetch the login hash of Windows XP users logged into YoYo Games if they have selected the “Remember Me” feature. This feature uses cookies to store login data, and when Instant Play is run from Internet Explorer the cookie, and hence the hash, can be accessed.
The Remember Me feature gives the user one month of automatic logins, and the extracted data could easily be sent back to a server using 39dll, which could give a hacker access to your YoYo Games account.
A simple path modification means that the same operation can easily be performed against users of the Windows Vista OS.
This proves another point I’m going to make about Game Maker/Instant Play security.
Why does Game Maker have access to the user’s cookies? Why does Game Maker have access to the system32 directory?
None of these things should be able to be accessed by Game Maker, and certainly shouldn’t be allowed when it’s running as Instant Play.
This example grabs your login information for YYG (if you are using Internet Explorer), and shows it to you. THE DATA IS NOT SENT ANYWHERE.
– James Rhodes
Another vulnerability supposedly gives games an automatic 5-star rating; however, at the time of writing I was unable to verify this.
YoYoGames are “looking into it”.
Oh noes. Vulnerabilities.
Yes, I agree, only games running from Instant Play should be running in a sandbox.
YYG could sandbox the games, but GM by itself doesn’t need stupid restrictions. Writing a game without GM gives you that access, why not with?
The 5 star vulnerability is less of an issue as it will be fixed when the first two issues are fixed. Unfortunately YYG is down right now, so I don’t know whether it’s finished being virus scanned.