Tera Online’s Chat Suffers From An HTML Exploit

By | November 10, 2017

An exploit has been discovered in the game Tera Online involving the in-game chat, allowing users to insert HTML elements into chat that link to resources on external websites.

Screenshot from Gameforge’s forums. User input is not escaped properly, allowing the user to include an img element pointing to an external web address.

Basically, the in-game chat in Tera uses HTML for markup. The problem is that exploiters have found a way to use a type of attack similar to XSS (cross-site scripting). XSS can be used to trick the server into referencing resources on external websites controlled by an attacker, such as an image, when the user’s input is ultimately output back to another user (such as when a chat message is loaded, in this case).
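The root cause described above, shown as an added example that is not from the original article or from Tera's or Scaleform's code: a chat renderer that concatenates the message into HTML, beside one that escapes everything except an allowlist of bare formatting tags. The function names and the `ALLOWED_TAGS` set are assumptions made for illustration.

```javascript
// Added example (not Tera or Scaleform code). ALLOWED_TAGS is an assumed
// set of formatting tags; a real client would list the tags its chat uses.
const ALLOWED_TAGS = new Set(["b", "i", "u"]);

// Escape every character that can start or end markup or an attribute.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the message is concatenated into markup unchanged,
// so any element the sender types is rendered for every recipient.
function renderChatUnsafe(sender, message) {
  return "<b>" + sender + "</b>: " + message;
}

// Hardened pattern: only bare allowlisted tags (no attributes) survive;
// everything else, including <img src=...>, is shown as literal text.
function renderChatSafe(sender, message) {
  const text = String(message);
  const tagPattern = /<\/?([A-Za-z][A-Za-z0-9]*)>/g;
  let out = "";
  let last = 0;
  for (const match of text.matchAll(tagPattern)) {
    out += escapeHtml(text.slice(last, match.index));
    const name = match[1].toLowerCase();
    out += ALLOWED_TAGS.has(name) ? match[0].toLowerCase() : escapeHtml(match[0]);
    last = match.index + match[0].length;
  }
  out += escapeHtml(text.slice(last));
  return "<b>" + escapeHtml(sender) + "</b>: " + out;
}

// Constructed sample message; example.invalid is a reserved placeholder host.
const sample = 'hi <i>all</i> <img src="http://example.invalid/a.png">';
console.log(renderChatUnsafe("Player1", sample));
console.log(renderChatSafe("Player1", sample));
```

Allowlisted tags are passed through even when unbalanced, so a renderer that does not scope markup to a single message should also close any tag left open.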

This has led to a huge scare in which users have speculated that it could lead to remote code execution on clients’ computers, and therefore to malware or worse. This is highly unlikely based on my knowledge of web development. Tera uses a software framework known as Scaleform for its user interface. Scaleform uses HTML for markup, including images, as we’ve seen. I researched Scaleform’s HTML implementation and found that the htmlText property that exploiters found a way to modify does not support referencing scripts, and therefore cannot be used to execute remote scripts.

Even if this exploit allowed remote execution of JavaScript files, it most likely couldn’t do much more than cause extremely annoying inconveniences, such as lagging up a user’s computer while the game stays up, playing annoying media, etc., assuming that Scaleform’s implementation of JavaScript is secure.

Currently, En Masse Entertainment has been deleting posts on its forums that mention the exploit, out of concern that spreading information about the exploit will increase its prevalence. The exploit allegedly affects all versions of Tera in all regions. Gameforge has confirmed the issue, but requested that the OP remove specific details on how the exploit is executed.

According to Gameforge, the European publisher of Tera, they have contacted Bluehole Studios (the developer) regarding the vulnerability.


Edit: After discussing the issue with sources, it has come to my attention that the exploit can be used to reference internal ActionScript functions, which may be used to execute existing functions arbitrarily. While these won’t cause damage to a user’s computer, they can lead to the game having unexpected behavior. Additionally, users have speculated about an underflow error in the libpng library that allows for arbitrary code execution if a modified .png file is loaded, an error that was patched in 2015. It is unknown whether Tera uses an unpatched version of this C library. While this exploit has not been proven to work in Tera, users are concerned about the possibility that it could exist.