InstantPlay Exploit Published

InstantPlay Exploit

InstantPlay Exploit (image by sk8m8trix)

Today James Rhodes posted a comment on the YYG GLOG stating that he has constructed a GM game which demonstrates a vunerability in the way InstantPlay handles game launching. It allows the GM executable to silently install a Firefox plugin with no confirmation. This apparently should be an easy fix: the InstantPlay plugin need only change the way it handles the game’s launching.

It should be interesting to see how long YoyoGames takes to patch this, considering the seriousness of the vulnerability.


17 Responses

  1. @James Rhodes
    Either your link is faulty or the mods killed it.

    More and more I’m moving away from Game Maker and YoYo Games. Main reason being the slow progress (or actually none at all) on the program itself.

    Think I’ll try move on to XNA and LOVE. I’ll always thank GM for teaching me how to make games.

  2. That’s a stupid main reason.

    But anyway, post the explanation somewhere besides the GMC so I don’t have to decompile it and figure it out 😛

  3. LOL, that is hilarious!
    its about time that somone showed yoyo just how insecure their instant play is.

  4. “It should be interesting to see how long YoyoGames takes to patch this, considering the seriousness of the vulnerability.”

    Truly an opportunity to test YoYoGames. I don’t think they have had such vulnerabilities in the past. The time they take to fix it will tell users how trustworthy they are as a company.

  5. @Joerdgs,

    I was receiving harsh critism for finding the exploit at the GMC, so KC LC saved me from a bashing and hid the topic so that only the YoYoGames staff would see it.

  6. Can’t an EXE file being executed do such things anyway?

  7. Yes, but standard EXE files are made instant playable.

  8. * Yes, but standard EXE files are not made instant playable.

  9. Can’t you include any type of file- including a standard .exe file- in the program and run it when the games starts?

  10. “The time they take to fix it will tell users how trustworthy they are as a company.”

    How quickly they respond, has nothing to with trustworthiness.

    @James Rhodes
    First off, excellent work.

    I was thinking of tearing you a new one last night, but I thought the topic to important, and didn’t want o hijack it.

    My issue was not that you discovered the vulnerability, but how you released it into the wild. I’m a firm believer in full disclosure, but not by actually creating and releasing an exploit.

    I think you should have created your proof of concept, even created a discussion describing it. But not actually provided the means to individuals recreate and execute the vulnerability to a partially unsuspecting public.

    Depending on the responsiveness of YYGs, then possibly release if they feel it is unimportant. When vulnerabilities are discovered, it’s important that vendors have a chance to protect themselves and their customers first.

    Anyway, wonderful work.

  11. Maybe you don’t understand. At no point did I give people the ability to recreate and execute the vunerability. I posted the proof of concept and created a discussion describing it.

  12. It is interesting, but:
    1. There’s not much that could be done to fix this. The only possible solution is running all games in GM’s secure mode, which removes a lot of features from the games.
    2. As far as I understand, this hasn’t really anything to do with Instant Play. This discussion is about features of Game Maker itself that could be used maliciously. The only thing InstantPlay has done is removing the Windows security warning when you try to run a game.

  13. This exploit focuses on the fact you can run the YoYoGames Instant Play plugin without user confirmation.

    I could have created my example in C++, and it would still make the same point.

    You can fix it. YoYoGames needs to use addEventHandler to hide their javascript.

  14. You mean you embed the InstantPlay code into another website and then secretly run a game?

    Bottom line: if you have InstantPlay installed, by visiting any website the webmaster can take complete control over your computer. Great.

    Good point there.

  15. I didn’t know it was possible to embed in other websites. I have tried along time ago, but failed to do so.

    If the webmaster embeds it in their website, they don’t even need to install the plugin on the user’s computer to run it automatically.

    Anyway, I’ve been informed that they are “looking into it”.

  16. There are many problems with the instant play / virus scanner on yoyogames

    A few months ago, I uploaded a ‘game’ that creates a .exe of an virus and it took over a month for them to delete it, even with the tags as “virus instantplay instant play hack scanner” and description explaining what it was.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: