Saturday, October 23, 2021

Information Disclosure in a Cross-game Web API

Update: The vulnerable endpoint was fixed some time before September 7, 2022.

Scenario


I recently spent some time messing with Deus Ex: Mankind Divided, seeing as it's the latest (and possibly last) installment in one of my favorite video game series. At first I did a bit of reverse engineering on the game files; when I got bored of that, I decided to take a look at the game's network traffic. This led me to discover not only a player information disclosure, but also techniques for cheating in the semi-online features. Highlights include:
  • Unauthenticated access to player email addresses (if the victim has their platform account tied to their Square Enix account)
  • The ability to obtain infinite premium currency
  • The ability to view and modify other players' characters and inventories
This blog post specifically focuses on the player email disclosure vulnerability.