Threat actor claims ‘thousands’ of Call of Duty players banned after abusing anti-cheat vulnerability
Threat actor claimed to have banned thousands of Call of Duty players through a flaw in the game’s anti-cheat system.
As originally reported TechCrunchActivision announced in October that a flaw in its Ricochet anti-cheat system had led to some players being banned.
“RICOCHET Anti-Cheat has identified and disabled a workaround for a detection system in Modern Warfare III And Call of Duty: Warzone this impacted a small number of legitimate player accounts,” Ricochet said.
“We have restored all impacted accounts. A security review of our systems has been completed and monitoring will continue.
However, a hacker named “Vizor” claimed to have used a flaw in Ricochet to trick thousands of players into banning them.
For context, Ricochet is a kernel-level anti-cheat system that works by scanning a user’s system for signs of malware or cheatware.
Vizor discovered that Ricochet was looking for specific hardcoded strings of text to identify the presence of cheats and malware. One of these strings was the words “Trigger Bot”, which refers to a cheat in which a player will automatically shoot when an enemy player is in the user’s line of sight.
Armed with this knowledge, Vizor would send a private message to other players with the contents of one of these channels so that Ricochet would detect it and ban them.
“I realized that Ricochet’s anti-cheat was probably scanning players’ devices for strings to determine who was a cheater or not,” Vizor said. TechCrunch.
This is pretty normal to do, but scanning that much memory space with just an ASCII string and disallowing it is extremely prone to false positives.
“The same day I found out about this, I got banned by sending a whisper message to Call of Duty to myself with one of the strings of the message content,” Vizor said.
At one point, Vizor said he developed a script that would join a new match, send a message, then leave the match, repeating itself over and over again.
The scam lasted for months, during which time Activision allegedly added more conditions, which the threat actor then used to ban more players.
Although Activision did not respond to from TechCrunch request for comment, a former Activision employee said anti-cheat signatures may have been “weaponized.”
“If you know what signature the anti-cheat is looking for, I find a mechanism to get those bytes into your game process and you get banned,” the anonymous former staffer said.
“I can’t believe [Activision] prohibit people from analyzing the memory of the “trigger bot”. This is incredibly stupid. And they should have protected the signatures. It’s amateur time.
As Ricochet previously announced, the bug has been identified and disabled. It said all affected accounts had been restored; however, a number of players responded to the announcement saying that their accounts had not been restored and their appeals had been rejected.