1. 8
    1. 2

      This is so funny. That’s great. Shame it was reported (fuck WOTC!) but what a fun, silly little potentially-catastrophic bug.

    2. 2

      I once reported a bug in MTGO where under certain circumstances it wrote the user’s password in plain text in the name of a file in their install folder. It went unfixed for four months until I reached out again to ask wtf?

    3. 1

      Also recently, a YouTuber was accidentally sent packs of an upcoming set rather than the correct, already-released one, and then WotC sent the literal Pinkertons after him.

      (for those unfamiliar, the Pinkerton Agency have… let’s call it a reputation)

    4. 1

      I’m wondering, how legal is that? Isn’t there a clause against reverse-engineering in the license, or something like that? Could WotC have taken legal action against the author? These kinds of exploits are really cool, but I’m always wondering that.

      1. 1

        The author reached out to WotC as part of responsible disclosure.

        MTGA just became truly free-to-play!

        (Except not, because I reported this vulnerability to them and it has been patched. Shoutout to the WotC security and engineering teams for being lovely to work with and patching this bug in a timely manner!)

        They could have been dicks and reported the author but it would lead to other people not doing their security work for them for free recognition.

        1. 1

          But in theory, couldn’t WotC have caught the author in the middle of this (maybe noticing somehow that someone just got infinity credits) and gone ballistic directly?

          1. 1

            Yes, that is a risk.

            I guess they have internal audits where the incoming gems are matched against outgoing cards, and they’d have figured it out then.

    5. 1

      So, like one card these days?