MTGA just became truly free-to-play!
(Except not, because I reported this vulnerability to them and it has been patched. Shoutout to the WotC security and engineering teams for being lovely to work with and patching this bug in a timely manner!)
This is so funny. That’s great. Shame it was reported (fuck WOTC!) but what a fun, silly little potentially-catastrophic bug.
I once reported a bug in MTGO where under certain circumstances it wrote the user’s password in plain text in the name of a file in their install folder. It went unfixed for four months until I reached out again to ask wtf?
Also recently, a YouTuber was accidentally sent packs of an upcoming set rather than the correct, already-released one, and then WotC sent the literal Pinkertons after him.
(for those unfamiliar, the Pinkerton Agency have… let’s call it a reputation)
I’m wondering, how legal is that? Isn’t there a clause against reverse-engineering in the license, or something like that? Could WotC have taken legal action against the author? These kinds of exploits are really cool, but I’m always wondering that.
The author reached out to WotC as part of responsible disclosure.
They could have been dicks and reported the author but it would lead to other people not doing their security work for them for free recognition.
But in theory, couldn’t WotC have caught the author in the middle of this (maybe noticing somehow that someone just got infinity credits) and gone ballistic directly?
Yes, that is a risk.
I guess they have internal audits where the incoming gems are matched against outgoing cards, and they’d have figured it out then.
So, like one card these days?