Bungie shuts Destiny 2 text chat to stop malicious exploit

  News
image_pdfimage_print
A screenshot of a character in Destiny 2
Enlarge / It’s quiet… too quiet…

Over the weekend, players in the Destiny 2 community started to notice a game-breaking bug that could be activated just by sending in-game chat messages to other players. Bungie responded on Saturday by temporarily disabling all in-game chat while it investigates the issue.

“The team is aware of the exploit right now that is causing some players to be kicked and are actively working on identifying what’s causing the issue and addressing it,” Destiny 2 Community Manager Liana Rupert wrote on Twitter just before chat was disabled across the game.

Scrub those inputs

The damaging exploit involved a string over 200 characters long, composed mostly of Chinese characters, according to multiple players who came across it over the weekend (and who shared the forbidden text with Ars Technica). The specific way those Chinese characters are encoded in Unicode means each one can take up more memory space than a single-byte ASCII character.

Observers suggest that difference means the message, as encoded, could overflow into other areas of in-game memory, even if the message itself seemed to meet the usual character-length checks meant to prevent this. The result of that overflow was a so-called WEASEL error that immediately crashed the recipient’s game, as can be seen in this sample video.

Before the shutdown, players could be hit by the exploit through the game’s targeted “whisper” chat messages or through local chat messages sent from members of your own Fireteam.

Destiny‘s text troubles come months after Amazon’s New World MMO faced trouble from players who figured out how to process HTML strings in the in-game chat box. This led to multiple exploits including one that flooded players’ screens with pictures of giant sausages and another that crashed games when players hovered over a specially formatted link.

Bungie had already scheduled a hotfix rollout for Tuesday, August 2, so this whole issue could be fully resolved rather shortly. But let this be a lesson to all you coders out there: make sure you’re fully sanitizing your inputs before letting them get sent across your gaming chat!

https://arstechnica.com/?p=1870721