YouTuber claims Marvel Rivals has an exploit that lets hackers take over your PC
Marvel GamesA YouTuber has discovered a security flaw in Marvel Rivals, which could lead to hackers taking over your PC.
Marvel Rivals has been a huge hit ever since it was released, with the game currently being one of the most-played titles on Steam. While players have been singing their praises to the devs, especially since they U-turned the decision about rank changes, the game isn’t without issues, however.
A lot of complaints come from optimization issues, unskippable animations, to various bugs affecting the game, among others. That said, there appears yet to be another issue that’s quite concerning, which involves a security flaw.
One YouTuber has managed to discover a security exploit in Marvel Rivals, which can potentially allow hackers to access players’ devices.
YouTuber claims Marvel Rivals players are at risk due security flaw
Before anything else, the YouTuber who went by the name shalzuth mentioned that his intention “isn’t about fear mongering,” but rather “understanding how this class of vulnerability works and why it’s so important for game developers to design hotfixes and patch updates in a secure and safe way.”
Without sharing the exact technical details, he mentioned that the exploit is related to a “flaw in how the patch system works.”
DexertoThey explained that, originally, it was “designed so the game developers could run code to update parts of the game on your device.” However, there’s a flaw that can allow someone to use this to “execute code on your device,” which is what the security industry calls “Remote Code Execution (RCE).”
In the video, he created a “test environment” using his gaming laptop as well as a travel laptop. By using an “exploit tool” and injecting a Python script, it was possible to gain control over the other device as soon as it connected to the Marvel Rivals server.
“At this point, my laptop is owned, it’s sending all my passwords to some malicious user,” he said. He also explained in the video as well as his blog that the issue with the game is that it “has no real way to verify” if it’s connected to the real game server.
Combine this with the game running with admin privileges for the sake of anti-cheat, a “rogue user” is able to inject Python effectively to their target.
It’s a scary thought – but there is a limitation to this. He suggested that one way this could happen is if you played the game on the exact same WiFi as the hacker, which means those playing at public places like cafes, schools, and so much more are at risk.