Bungie shuts Destiny 2 text chat to stop malicious exploit

KChat

Ars Scholae Palatinae
816
Subscriptor
Obligatory xkcd:
exploits_of_a_mom.png


ETA: damn, ninja’d!
 
86 (97 / -11)

GolbatsEverywhere

Smack-Fu Master, in training
95
Subscriptor
It's prolly not due to lack of input sanitation, but not handling multibyte characters properly (like using byte semantics instead of char semantics).
I've made the exact same stupid mistake before. Didn't notice until four years later. Can't say I learned anything from the experience: every programmer knows (or ought to know) that multibyte characters require more than one byte, right?

Memory corruption sucks.
 
59 (60 / -1)

MisterMano

Ars Scholae Palatinae
646
Curious, what is the state of game for New World, haven't heard much about it in any news source for a while now?
Judging from Steamcharts, it's been somewhat stable with 15-20k players in the last couple of months. It just received a big update, so the numbers are currently higher than that average.
 
2 (5 / -3)
Curious, what is the state of game for New World, haven't heard much about it in any news source for a while now?

They merged a bunch of servers. There's been some qol updates, and it's still fun to play. But I'm not certain they know where they're going with it or if it's going anywhere. I'm hoping Amazon lets them fiddle with it and maybe in a year or so it'll be awesome again like it was till you realized there's nothing to do end game. It's definitely in that weird spot many new MMOs fall into after launch where all the hype is gone and it just needs time.
 
10 (11 / -1)

SolidSnack

Ars Centurion
246
Subscriptor
People still play Destiny?
Just two weeks ago, I went back and downloaded Destiny1 on PS5, apparently I'm curious, but I wanted to see how it played and looked on the new console. Meh, it's the same game. What I was surprised to discover is just how much the rest of the games biz only ever looked at it in terms of new ways to make moneeeyyy, and not actually the immense investment behind the netcode, gameplay, art and story.

I deleted my highest level Warlock, started from scratch, ran through all the story campaigns, and it's a treat, even in its modern infancy it's still a sci-fi dream of a game.
 
7 (12 / -5)

Paladin

Ars Legatus Legionis
33,604
Subscriptor
Wouldn't it be great if someone could devise a similar exploit that weaponizes any kind of micro-transactions in games? Purchasing anything other than cosmetic add-ons would infect and lock your game or delete your character or something. That would be awesome. :D

Note: I'm not encouraging anyone to actually do that... I just think it would be wonderful to live in a world where games could be played for fun instead of being turned into a parasitic financial platform.
 
-11 (9 / -20)
I wish these bugs were not talked about as sanitisation issues. Sanitisation means removing potentially problematic characters from data. In this case, the problematic characters are multi-byte characters. So sanitisation would prevent the usage of Chinese characters, along with almost anything that isn't in the Latin character set. Likewise, for the HTML injection, sanitisation would prevent users from using the less than sign < in their chats.

Talking about this as a sanitisation issue masks the real problem; that programmers need to understand encodings, and always have them front of mind when working with strings.

They need a deep understanding that characters and bytes are not the same thing. Preferably, they use a programming language and/or code patterns that protect them from this kind of buffer overflow. They need to understand how strings behave and the paradigms to encode them when placing them in contexts such as HTML or database commands. Preferably they are using languages and frameworks that make doing the right thing easy (such as Rails making you explicitly mark strings as HTML safe to avoid HTML encoding).

IMO, string sanitisation may sometimes be appropriate, but treating issues like this as sanitisation issues is hurting our handling of these issues, because the discussion needs to be about encoding.
 
43 (49 / -6)

daneren2005

Ars Tribunus Militum
1,625
I wish these bugs were not talked about as sanitisation issues. Sanitisation means removing potentially problematic characters from data. In this case, the problematic characters are multi-byte characters. So sanitisation would prevent the usage of Chinese characters, along with almost anything that isn't in the Latin character set. Likewise, for the HTML injection, sanitisation would prevent users from using the less than sign < in their chats.

Talking about this as a sanitisation issue masks the real problem; that programmers need to understand encodings, and always have them front of mind when working with strings.

They need a deep understanding that characters and bytes are not the same thing. Preferably, they use a programming language and/or code patterns that protect them from this kind of buffer overflow. They need to understand how strings behave and the paradigms to encode them when placing them in contexts such as HTML or database commands. Preferably they are using languages and frameworks that make doing the right thing easy (such as Rails making you explicitly mark strings as HTML safe to avoid HTML encoding).

IMO, string sanitisation may sometimes be appropriate, but treating issues like this as sanitisation issues is hurting our handling of these issues, because the discussion needs to be about encoding.
I agree that they labeled this incorrectly. This is almost definitely from counting characters vs bytes and has nothing to do with sanitizing/changing what was sent by the user.

BUT, your post about sanitization being equivalent to removing is wrong. Changing a raw less than character < to something that can't be used to inject html is absolutely sanitization. Sanitizing is cleaning, and removing is only ONE way to clean the user input. In this case maybe the discussion needs to be more about encoding, but that definitely isn't true for all types of malformed inputs.
 
25 (25 / 0)

moobg

Ars Centurion
289
Subscriptor
Destiny 2 is a 9 year old failed experiment in watching talented people stay with Microsoft, and awful people work for Activision to milk content for the barest of improvements at maximal prices. Given the rampant cheating and constant bugs that emerge with every piece of content, and Bungie/Sony's demeaning, condescending attitude towards its customers, the Chinese need to continue demonstrating just how woefully inadequate the frauds at the company are. Truly an awful game that needs to die, along with the company with it. We can only hope Sony realizes the error of its purchase and puts the developers out of work.

Wtf are you even talking about? Not only have Bungie been delivering the goods when it comes to their story-based content (The recently released Witch Queen being regarded by many as Destiny 2's best DLC and they've been cracking down on cheaters), but Bungie themselves have been out in front on a number of issues concerning their employees (like abortion and working from home, and access to healthcare along with acknowledging heinous acts that employees may relate to to cover some recent events) when most other game devs/studios couldn't be arsed.

You want to criticize Bungie for content vaulting, have at it (yeah, it's shit), but Bungie has been speaking up when most of their peers (including Sony, oddly enough) refuse to, and that should be both acknowledged and encouraged.
 
38 (40 / -2)
I wish these bugs were not talked about as sanitisation issues. Sanitisation means removing potentially problematic characters from data. In this case, the problematic characters are multi-byte characters. So sanitisation would prevent the usage of Chinese characters, along with almost anything that isn't in the Latin character set. Likewise, for the HTML injection, sanitisation would prevent users from using the less than sign < in their chats.

Talking about this as a sanitisation issue masks the real problem; that programmers need to understand encodings, and always have them front of mind when working with strings.

They need a deep understanding that characters and bytes are not the same thing. Preferably, they use a programming language and/or code patterns that protect them from this kind of buffer overflow. They need to understand how strings behave and the paradigms to encode them when placing them in contexts such as HTML or database commands. Preferably they are using languages and frameworks that make doing the right thing easy (such as Rails making you explicitly mark strings as HTML safe to avoid HTML encoding).

IMO, string sanitisation may sometimes be appropriate, but treating issues like this as sanitisation issues is hurting our handling of these issues, because the discussion needs to be about encoding.
I agree that they labeled this incorrectly. This is almost definitely from counting characters vs bytes and has nothing to do with sanitizing/changing what was sent by the user.

BUT, your post about sanitization being equivalent to removing is wrong. Changing a raw less than character < to something that can't be used to inject html is absolutely sanitization. Sanitizing is cleaning, and removing is only ONE way to clean the user input. In this case maybe the discussion needs to be more about encoding, but that definitely isn't true for all types of malformed inputs.

We could have a disagreement of definitions here. My take is that sanitisation is taking a string as you *receive* it and making it "safe", whereas encoding focuses on the other side, as you then *present* a string you've received in a context; encoding HTML, SQL, etc.

The problem with encoding a string upon ingestion as sanitisation, say making it HTML safe, is when you go to put the string in a different context. Hence you end up with text messages and instant messages with &lt; in them and the like.

Once you start talking about encoding rather than sanitization, you start talking about the context you are using a string in, and the appropriate presentation for that context, rather than this idea you make a string "safe" at ingestion. Because there is no single sanitised representation. What is safe for HTML is different to what is safe for SQL is different to what is safe for Javascript. Once you are talking about encoding, then you're talking about what is appropriate in a particular context.
 
11 (11 / 0)
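
An added illustration of the argument in the comment above (not code from any commenter): the raw message is kept as received and encoded separately for each output context, and encoding an already-encoded string shows where stray `&lt;` text comes from. The names `html_encode`, `js_encode`, `put` and the sample message are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of raw user input, stored exactly as received. */
static const char RAW_MSG[] = "if a<b say \"hi\"";

/* Append piece to out; fails (-1) rather than writing past cap bytes. */
static int put(char *out, size_t cap, size_t *len, const char *piece)
{
    size_t n = strlen(piece);
    if (*len + n + 1 > cap) return -1;
    memcpy(out + *len, piece, n + 1);   /* copies the NUL as well */
    *len += n;
    return 0;
}

/* Encode for HTML text or a quoted attribute value. */
int html_encode(char *out, size_t cap, const char *raw)
{
    size_t len = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (; *raw; raw++) {
        char one[2] = { *raw, '\0' };
        const char *piece = one;        /* default: byte passes through */
        switch (*raw) {
        case '&':  piece = "&amp;";  break;
        case '<':  piece = "&lt;";   break;
        case '>':  piece = "&gt;";   break;
        case '"':  piece = "&quot;"; break;
        case '\'': piece = "&#39;";  break;
        }
        if (put(out, cap, &len, piece) != 0)
            return -1;
    }
    return 0;
}

/* Encode for a double-quoted JavaScript string literal: a different
 * context, so a different set of bytes needs escaping. */
int js_encode(char *out, size_t cap, const char *raw)
{
    size_t len = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (; *raw; raw++) {
        unsigned char c = (unsigned char)*raw;
        char piece[8];
        if (c == '\\' || c == '"')
            snprintf(piece, sizeof piece, "\\%c", c);
        else if (c < 0x20 || c == '<' || c == '>' || c == '&' || c == '\'')
            snprintf(piece, sizeof piece, "\\u%04X", c);
        else
            snprintf(piece, sizeof piece, "%c", c);
        if (put(out, cap, &len, piece) != 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    char html[128], twice[128], js[128];
    html_encode(html, sizeof html, RAW_MSG);
    html_encode(twice, sizeof twice, html);  /* HTML-encoded at ingestion, then again at output */
    js_encode(js, sizeof js, RAW_MSG);
    printf("html : %s\ntwice: %s\njs   : %s\n", html, twice, js);
    return 0;
}
```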

searaydriver

Ars Scholae Palatinae
923
Subscriptor
People still play Destiny?

People still make this lame joke?

Yeah, number 10 on Steam's peak players for today. Mostly behind the other juggernaut online games, but ahead of 90 other games and about double Rocket League, which seems to be a favorite of many that doesn't get slagged as a dead game. Considering this is the end of season doldrums where many have already got their seals, weapons and armor and are taking it easy doing other stuff, it is probably a little lower than its average activity.

Yeah, Destiny is here for the duration.

FWIW, Solstice doesn't do much for me, so I reloaded Destiny (1) on the PS5. I am amazed how full that game still is. Granted I'm just running the campaign missions, but getting strike teams together is no trouble and they still charge $60 for the base game and all the addons. I was expecting like $20 all in. Go figure.
 
13 (13 / 0)

SolidSnack

Ars Centurion
246
Subscriptor
People still play Destiny?

People still make this lame joke?

Yeah, number 10 on Steam's peak players for today. Mostly behind the other juggernaut online games, but ahead of 90 other games and about double Rocket League, which seems to be a favorite of many that doesn't get slagged as a dead game. Considering this is the end of season doldrums where many have already got their seals, weapons and armor and are taking it easy doing other stuff, it is probably a little lower than its average activity.

FWIW, Solstice doesn't do much for me, so I reloaded Destiny (1) on the PS5. I am amazed how full that game still is. Granted I'm just running the campaign missions, but getting strike teams together is no trouble and they still charge $60 for the base game and all the addons. I was expecting like $20 all in. Go figure.

I was surprised too by the premium pricing. Nice if they remastered it for console and PC.
 
3 (3 / 0)
People still play Destiny?

People still make this lame joke?

Yeah, number 10 on Steam's peak players for today. Mostly behind the other juggernaut online games, but ahead of 90 other games and about double Rocket League, which seems to be a favorite of many that doesn't get slagged as a dead game. Considering this is the end of season doldrums where many have already got their seals, weapons and armor and are taking it easy doing other stuff, it is probably a little lower than its average activity.

FWIW, Solstice doesn't do much for me, so I reloaded Destiny (1) on the PS5. I am amazed how full that game still is. Granted I'm just running the campaign missions, but getting strike teams together is no trouble and they still charge $60 for the base game and all the addons. I was expecting like $20 all in. Go figure.

I was surprised too by the premium pricing. Nice if they remastered it for console and PC.

If they remastered D1 with all contents, I'll gladly rebuy it.
 
1 (1 / 0)
Destiny 2 just seems like a raging dumpster fire of a game across the board for multiple reasons.
Got owned in the Crucible huh?


Seems I'm the only one that prefers to be completely destroyed in the crucible.

It made the matches end quickly so I can get the weekly rewards quicker
 
1 (1 / 0)

panton41

Ars Legatus Legionis
11,115
Subscriptor
Destiny 2 just seems like a raging dumpster fire of a game across the board for multiple reasons.
Got owned in the Crucible huh?

About every negative article about gaming for the last few weeks on Ars has been about Destiny 2.

Frankly, everything I've seen of the game on Steam and elsewhere makes me think it's the opposite of fun.
 
-13 (1 / -14)
Destiny 2 just seems like a raging dumpster fire of a game across the board for multiple reasons.
Got owned in the Crucible huh?

About every negative article about gaming for the last few weeks on Ars has been about Destiny 2.

Frankly, everything I've seen of the game on Steam and elsewhere makes me think it's the opposite of fun.

the main story/campaign is fun. the repeating doing the same thing again and again ad infinitum is not fun.

since they are divorced from activision, the amounts of content you get from the money you pay also drops down substantially.
 
2 (3 / -1)

brokkr

Smack-Fu Master, in training
77
Subscriptor
The specific way those Chinese characters are encoded in Unicode [...]

Should probably be "encoded in UTF-8", an encoding where one character can require anything from one to four bytes. Counting characters as a way to determine number of bytes used seems really sloppy in this day and age.

See "What's the difference between encoding and charset?"
 
2 (2 / 0)
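
An added illustration (not code from the game or from any commenter) of the byte-versus-character mistake that GolbatsEverywhere and brokkr describe: a limit checked in characters against a buffer sized in bytes passes a message that does not fit, while a byte-based check and a bounded copy do not. `CHAT_BUF_BYTES`, the function names and the sample message are assumptions made for this example, and the input is assumed to be valid UTF-8.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size message buffer; the size is an assumption for this example. */
#define CHAT_BUF_BYTES 16

/* Constructed sample: six CJK characters, three UTF-8 bytes each (18 bytes). */
static const char SAMPLE_MSG[] =
    "\xE4\xBD\xA0\xE5\xA5\xBD" "\xE4\xBD\xA0\xE5\xA5\xBD" "\xE4\xBD\xA0\xE5\xA5\xBD";

/* Count code points in valid UTF-8: every byte that is not a
 * continuation byte (10xxxxxx) starts a new character. */
size_t utf8_codepoints(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if (((unsigned char)*s & 0xC0) != 0x80)
            n++;
    return n;
}

/* Flawed: compares a character count against a limit expressed in bytes. */
int fits_by_chars(const char *msg)
{
    return utf8_codepoints(msg) < CHAT_BUF_BYTES;
}

/* Correct: compares the encoded length in bytes, leaving room for the NUL. */
int fits_by_bytes(const char *msg)
{
    return strlen(msg) < CHAT_BUF_BYTES;
}

/* Copy at most dst_size - 1 bytes and never split a multibyte sequence.
 * Returns the number of bytes written, excluding the terminating NUL. */
size_t utf8_copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return 0;
    if (len > dst_size - 1) {
        len = dst_size - 1;
        /* src[len] is the first byte left out; back up to a character start. */
        while (len > 0 && ((unsigned char)src[len] & 0xC0) == 0x80)
            len--;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return len;
}

int main(void)
{
    char buf[CHAT_BUF_BYTES];
    size_t n = utf8_copy_bounded(buf, sizeof buf, SAMPLE_MSG);
    printf("chars=%zu bytes=%zu\n", utf8_codepoints(SAMPLE_MSG), strlen(SAMPLE_MSG));
    printf("char check passes: %d, byte check passes: %d\n",
           fits_by_chars(SAMPLE_MSG), fits_by_bytes(SAMPLE_MSG));
    printf("bounded copy kept %zu bytes (%zu chars)\n", n, utf8_codepoints(buf));
    return 0;
}
```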

redtomato

Ars Praefectus
4,954
Subscriptor++
Obligatory xkcd:
exploits_of_a_mom.png


ETA: damn, ninja’d!

I often wonder how the caller pronounced ‘);
"Single-quote End-parenthesis Semicolon"
Quite likely an unlawful name. Countries that don’t operate lists of allowed names will often still require that names are to be non-obscene and made from Aa to Zz or the equivalent in the local languages, no numbers or weird punctuation*. Real-life name sanitisation is already implemented.

*Technically this wouldn’t allow double-barrelled names or apostrophes (O’Sullivan) or numbers (Jim Robertson III)** but hey these are ‘familiar’ so they go unchallenged.

**Technically still letters that represent a number. He’s the third of his line, not the one hundredth and eleventh.
 
-9 (0 / -9)
Destiny 2 just seems like a raging dumpster fire of a game across the board for multiple reasons.
Idk, it's pretty fucking amazing for awhile now, and I only dip in and out like a casual


Can it still be played solo? I mean, with Destiny (v1), I was able to play the campaign, along with having a few friends jump in with me. We'd help at events. Then the loot cave fiasco tainted it all. (look, call it cheesing, call it fun, but for the devs to openly mock their flaw ... people want to grind...they will grind).
Then D2 came out, and that crucible, along with (yes, I couldn't do the Vault of Glass or any lengthy Raid. Not that kind of free time.) raids and events and just the pain of waiting for some weapon part to be sold at some random location by Xur.

Wonder how it plays in the PS5...?
 
0 (0 / 0)

fenris_uy

Ars Tribunus Angusticlavius
9,222
I wish these bugs were not talked about as sanitisation issues. Sanitisation means removing potentially problematic characters from data. In this case, the problematic characters are multi-byte characters. So sanitisation would prevent the usage of Chinese characters, along with almost anything that isn't in the Latin character set. Likewise, for the HTML injection, sanitisation would prevent users from using the less than sign < in their chats.

Talking about this as a sanitisation issue masks the real problem; that programmers need to understand encodings, and always have them front of mind when working with strings.

They need a deep understanding that characters and bytes are not the same thing. Preferably, they use a programming language and/or code patterns that protect them from this kind of buffer overflow. They need to understand how strings behave and the paradigms to encode them when placing them in contexts such as HTML or database commands. Preferably they are using languages and frameworks that make doing the right thing easy (such as Rails making you explicitly mark strings as HTML safe to avoid HTML encoding).

IMO, string sanitisation may sometimes be appropriate, but treating issues like this as sanitisation issues is hurting our handling of these issues, because the discussion needs to be about encoding.

Sanitization wouldn't prevent the use of <, this site sanitizes the inputs and allows the typing of < and [.

If you are printing user text back into something capable of printing html, you need to sanitize that text and output &lt; instead of <.
 
1 (1 / 0)

fenris_uy

Ars Tribunus Angusticlavius
9,222
I wish these bugs were not talked about as sanitisation issues. Sanitisation means removing potentially problematic characters from data. In this case, the problematic characters are multi-byte characters. So sanitisation would prevent the usage of Chinese characters, along with almost anything that isn't in the Latin character set. Likewise, for the HTML injection, sanitisation would prevent users from using the less than sign < in their chats.

Talking about this as a sanitisation issue masks the real problem; that programmers need to understand encodings, and always have them front of mind when working with strings.

They need a deep understanding that characters and bytes are not the same thing. Preferably, they use a programming language and/or code patterns that protect them from this kind of buffer overflow. They need to understand how strings behave and the paradigms to encode them when placing them in contexts such as HTML or database commands. Preferably they are using languages and frameworks that make doing the right thing easy (such as Rails making you explicitly mark strings as HTML safe to avoid HTML encoding).

IMO, string sanitisation may sometimes be appropriate, but treating issues like this as sanitisation issues is hurting our handling of these issues, because the discussion needs to be about encoding.
I agree that they labeled this incorrectly. This is almost definitely from counting characters vs bytes and has nothing to do with sanitizing/changing what was sent by the user.

BUT, your post about sanitization being equivalent to removing is wrong. Changing a raw less than character < to something that can't be used to inject html is absolutely sanitization. Sanitizing is cleaning, and removing is only ONE way to clean the user input. In this case maybe the discussion needs to be more about encoding, but that definitely isn't true for all types of malformed inputs.

We could have a disagreement of definitions here. My take is that sanitisation is taking a string as you *receive* it and making it "safe", whereas encoding focuses on the other side, as you then *present* a string you've received in a context; encoding HTML, SQL, etc.

The problem with encoding a string upon ingestion as sanitisation, say making it HTML safe, is when you go to put the string in a different context. Hence you end up with text messages and instant messages with &lt; in them and the like.

Once you start talking about encoding rather than sanitization, you start talking about the context you are using a string in, and the appropriate presentation for that context, rather than this idea you make a string "safe" at ingestion. Because there is no single sanitised representation. What is safe for HTML is different to what is safe for SQL is different to what is safe for Javascript. Once you are talking about encoding, then you're talking about what is appropriate in a particular context.

You are thinking of escaping; converting a < into &lt; is escaping a character. Encoding is deciding that "a" is going to be saved by a byte value of 0x61. And that á is either 0xE1 or two bytes, one with the value 0x61 and another indicating the "’" (not the right character; I couldn't find the correct one on my phone keyboard).
 
3 (3 / 0)

Tofystedeth

Ars Tribunus Angusticlavius
6,456
Subscriptor++
Destiny 2 just seems like a raging dumpster fire of a game across the board for multiple reasons.
Got owned in the Crucible huh?

About every negative article about gaming for the last few weeks on Ars has been about Destiny 2.

Frankly, everything I've seen of the game on Steam and elsewhere makes me think it's the opposite of fun.
There have been only 3 articles featuring Destiny in the last month. This is the only one that's actually about the game, though in fact it's only about a bug in the chat system, not the game as a game.
The other two were not about the game at all, but problem players, and in one, Destiny shared billing with Minecraft.
 
6 (6 / 0)
Destiny 2 just seems like a raging dumpster fire of a game across the board for multiple reasons.
Idk, it's pretty fucking amazing for awhile now, and I only dip in and out like a casual


Can it still be played solo? I mean, with Destiny (v1), I was able to play the campaign, along with having a few friends jump in with me. We'd help at events. Then the loot cave fiasco tainted it all. (look, call it cheesing, call it fun, but for the devs to openly mock their flaw ... people want to grind...they will grind).
Then D2 came out, and that crucible, along with (yes, I couldn't do the Vault of Glass or any lengthy Raid. Not that kind of free time.) raids and events and just the pain of waiting for some weapon part to be sold at some random location by Xur.

Wonder how it plays in the PS5...?

Yes it can. It got no current gen patch
 
0 (0 / 0)