A popular first-person shooter game has significant vulnerabilities that allow malicious hackers to take over other players’ computers, as long as they are in the same online match. The situation is so dire that some streamers have urged people not to play the game, as they have declared it “completely unplayable” because hackers have “taken over.”
“I’ve been running into a lot of them, it’s been like almost every single lobby,” one streamer said in a video from six months ago.
The vulnerabilities are in Call of Duty: Black Ops III, a game published by Activision. According to another streamer “hackers have a tool that can reveal your IP address,” when playing the game.
“They can join your game, they can kick you from the game, they can corrupt your [Downloadable Content], they can crash your game, they can fucking do anything they want,” he added.
Released in 2015, Black Ops III still attracts more than 5,000 players a day, according to stats from the gaming platform Steam. Because of its age, patching the vulnerabilities does not appear to be a priority for the game’s publisher Activision, so two gamers-turned-hackers have taken it into their own hands to patch the game’s vulnerabilities and make it safer to play.
“The game has become infested with hackers. There are tons of security vulnerabilities which have a severe impact,” Maurice Heumann, one of the two hackers behind the effort to fix the game, told TechCrunch. “You can get hacked just by playing the game. Your data can be stolen and so much more.”
Heumann has been reverse engineering Black Ops III since 2015. At the time, he and a friend were working on a “client” — essentially a modified, customized version of the game — but because they were “young and dumb,” he said, they tweeted about their project and Activision sent them a cease and desist letter, which “totally frightened” them and prompted them to stop working on the client.
Now Heumann is trying again, and this time, at least so far, Activision doesn’t seem to mind. He said he found two vulnerabilities in the game capable of remote code execution, or RCE — a type of flaw that allows malicious hackers to remotely run code on the target’s device, effectively taking full control of it — and reported them to Activision on May 14 and December 2, 2022.
Activision acknowledged the first bug report, and awarded him a bug bounty for reporting it. In the case of the second bug, Heumann said he hasn’t heard back yet.
So far, however, Activision has yet to fix them. (Heumann shared screenshots with TechCrunch of his bug reports to Activision.)
“I assume they somehow recorded that they exist, passed it on to the dev team and then somehow it gets lost, probably due to the fact that old games have no priority anymore […] the old games are old, nobody buys new copies anymore, so spending time on maintaining them is not worth it,” he said. “As activision is not doing anything, I’m just going to fix things myself.”
Neil Wood, a spokesperson for Activision and Treyarch, the studio that developed the game, sent the following statement: “Call of Duty: Black Ops III was published in 2015, and we are committed in continuing to support this title 8 years following its original release. We are aware of a technical issue on the Steam version of Call of Duty: Black Ops III and are scheduled to deploy an update this week. We thank our community for their continued support.”
Heumann’s project is open source and he is asking people in the community to support it, given that he’s working on it in his spare time.
The idea is that his client will essentially replace the game’s official launcher — or launching it through Steam — so when players open it, the client patches the vulnerabilities, applies performance fixes and lets players play “safely without having to worry,” he said.
The downside of this approach is that the players using his version of the game cannot interact with other players using the official game. But Heumann’s goal is to get as many people as possible to his ecosystem, luring them by offering not only better security but also modifications and other features not present in the current game.
Heumann said that the only things that are not open source are the patches for the vulnerabilities, because those would help malicious hackers find and exploit them with people who are using the vulnerable version of the game.
After nine months working on it again, Heumann said the project isn’t completed yet, but he has almost 180 testers who are helping him find and fix bugs, and may be ready for regular players in a couple of months.
Heumann is one of several hackers working to make the game safer for players. Another altruistic hacker who goes by the online handle shiversoftdev is also working on a project to protect Black Ops III players, which he calls a “community patch.” His approach is different from that of Heumann, as his goal is to still let players launch the game from Steam, letting them stay in the official ecosystem, but without having to worry about getting hacked.
“It’s unfixable. Don’t play it, don’t buy this game.”
Shiversoftdev is also helping Heumann with his project, but he admits that Heumann’s project will be the better one in the long term.
“I primarily focus on protecting players who need/want to stay on the official [Black Ops III] servers, where [Heumann] is targeting his own ecosystem,” shiversoftdev told TechCrunch. “I focus on only fixing critical problems with the game. Additionally, [Heumann] can leverage the fact that all players in his ecosystem are on his version of the game, allowing for much stronger protection methods.”
Heumann and shiversoftdev are not the only ones who have decided to fix old games on their own, without waiting for the original developers. In 2020, a coder who goes by the nickname Milenko created a bot detector for the 2007 first-person shooter Team Fortress 2. The game is notoriously riddled with bots and cheaters, so the coder developed their own special bots, which detect other bots and cheaters, and automatically kill them or flag them to other players, giving them the chance to vote them out of the game.
While they still work on their patches and clients, Heumann and shiversoftdev both suggest players avoid Black Ops III entirely, or at least use the community patch.
“I cannot understate how trivial the exploitation of this vulnerability is,” shiversoftdev said. “Patch up if you can, and if not, try to avoid public multiplayer lobbies. If you stream, use alt accounts and avoid getting your steam username leaked. Use a VPN while connected to any [Call of Duty] servers.”
They both face an uphill battle. According to one of the streamers who has denounced the existence of cheaters and hackers on Black Ops III, “hackers are so fucking annoying they will spend hours and hours creating new tools to bypass the patches that the community is creating so it’s just this endless cycle of creating patches creating new mods creating patches creating new mods.”
“It’s unfixable. Don’t play it, don’t buy this game,” he said. “If you have the game on Steam uninstall it.”
This story was updated to include the statement from Activision and Treyarch’s spokesperson.
Do you hack or reverse engineer video games? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.