About the Street Fighter V Colors/FM exploit… impacts and explanations on how Capcom failed big time.

So I took a closer look at this Fight Money exploit that Capcom has warned us about today. As a recall, the exploit published by multiple users on reddit, with a video tutorial, unlocks all colors and gives around 1 million FightMoney on your account even if you are on PS4!

How does the exploit work?

Basically, when you finish a survival game, the game sends to the server some codes to say “I finished Easy Survival with Ken in Story Costume” (something like SVL0003FF00,SVL10030100, the 3 means Ken, the 01 means story costume). The server answers “OK, Here’s your account balance and unlocked items” and the game notifies the user with “You’ve received 10k FM and some colors”.

So, if you are able to replace these codes with all values possible for SVL… then you have unlocked every survival modes and received that much Fight Money.

How is this possible?

That’s where Capcom failed bad. REAL. BAD. There are two failures in term of security. The first one, the most important, and I can’t believe I’m saying this… the server communication is made on an insecure https channel.

Quick explanation. When you’re on HTTPS, the server sends you an ID card and the encrypted content based on the ID (that you can’t fake). So, if I try to put myself in the middle of it, technically the game is talking to me and not the server, unfortunately I can’t provide the same ID card. Usually, the game or the browser would not allow an ID that does not correspond to something it trusts.

In the end, as SFV does not check the connection, you can put you in between the game and the server. Then, you are able to listen and modify everything they talk about. Note that this kind of exploits works more often than it should, especially on mobile applications. For example, lately it has been found that Pokemon Go has the same issue.

Trust me on this: securing https channels on both sides is fairly easy and is something that should be done everytime and especially when money is on the line (remember that FM can be replaced by real money). Not doing this is a clear demonstration of amateurism by the developers. And I’m putting this in quote because I cannot stress how important this is:

Capcom wanted to make a real-money shop when they clearly can’t secure the channel to their server.

The second issue is more minor but shows how bad they manage the rewards. Once you are connected to the server, you just need to tell him “hey I finished this”, and the server grants you FM for just telling it. There is no further checks, nothing more is sent to the server. Also, this call to the server is made very often (every time you go to training for instance) so you can perform this anywhere, no need to be in survival.

Impact on the 1-round survival mod

This is not directly related to the 1-round survival mod on PC! Although the practice is questionable, there is no network injection. As we have seen, the server is not aware of how you unlocked the colors, the game does not send the number of rounds or the score to the server or the replays. So the only ways to detect this mod would be:

  • detect the mod in the game and disallow it: but tracing past activity is clearly not possible
  • try to compare the timings of survival unlocks: if you’ve won two consecutive survival in extreme mode in a few minutes that is suspicious. But that means that they must have the full history of the account with timings which may not be the case.

Therefore, if you perform this mod once in a while, you are very safe. If you have spammed, well technically you can be detected but that’s to be seen as the network exploit is easier to detect.

Is there anything secure here?

I’ve fiddled a bit with it, I’ve not explored a lot but here’s what can’t be done easily:

  • You can’t log in to another account. There is an authentication code that changes and is bound to your steam id (or psn id). But maybe someone can reverse this at some point?
  • You can’t give yourself shop content on your online account. These are validated by the server, you can just give orders. [edit: see note below]
  • You can’t change the outcome of an online game result. Both players sends their results to the server by giving the list of their actions and the replay file. The server then answers. But I maybe that can be a tool for rage quiters depending on how the server handles those game reports (if you don’t send your report, maybe you won’t lose points? I hope not).

Note that locally tons of things can be done like give yourself DLCs but it will not be bound to your online account.

EDIT: Apparently, you can buy premium costumes with FightMoney on the store (which is not possible currently). The protocol allows it but the server should refuse as it is not stated as legal by the game, but… it allows it.

EDIT: As stated by /u/trouserkingcobra on reddit, once you give yourself DLCs using another similar method this is valid locally and the server does not reject anything. You don’t need to redo the injection as it was validated on your local save. This is showing off that currently they cant claim back shop items.

History of the discovery and why it was published just now?

In terms of history, after looking through reddit posts and other stuff, apparently the exploit was known by some but not published until this post on r/kappa and then the famous video tutorial. Understand that details on exploits like this are not always published because it may trigger the software developer to fix them. So the exploit stays between experts who have a deep knowledge on how computers and the game work (basically “if you’re smart enough, you can figure it out”).

And most of the time, this behaviour is the right one. For instance, try to imagine TOOLASSISTED giving its knowledge to everyone with tutorials on how to run its code on the ladder. Well, ladder would be hell on earth.

Consequences?

Obviously I can’t talk on Capcom’s behalf here, but as of today the exploit still exists and can be performed in a non-tracable way if you are patient and careful enough. And as long as they don’t verify their certificates in the game, there always will be workarounds, and there are plenty of other stuff you can do with this kind of injection.

Once the client is secure (if ever), then it will be impossible to inject and workaround will be harder to perform (especially on PS4). [EDIT POST 1.06 Patch: this still works…]

As of punishements, well that’s a tricky question because even EVO has used this abuse to unlock colors for their streaming station. If colors were the only problem that would be great, but now some people have received free 1M fight money which clearly is a problem in terms of business model. We’ll see how it turns out.

EDIT: Apparently, Capcom has been warned by dantarion of this major security issue. They clearly have no excuses.

Related link: a clear study by Ryan Markel on the API calls behind this

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.