Gameforge closes security holes in KingsAge

The medieval browser game “KingsAge” is maintained by Gameforge. The essence of this game is to create your own kingdom and fight against other players to expand it. Gameforge offers separate “worlds” for each language, where 1000 up to 25000 players are active. We discovered multiple cross-site scripting vulnerabilities in the game.

The first cross-site scripting issue was discovered in the messaging system, but it was fixed in the update to version 2.2.3 on the 19th of June 2012. An exploit would have needed the interaction of the victim, because it would only trigger if the victim exported a message sent to him. Setting the text color to the background color of the message box using BB codes would have made it quite hard to discover the exploit.

The second cross-site scripting issue could be found in the “Tools” section of the browser game. This feature allows the gamer to create and save notes. The input was not validated, which led to an XSS issue. This bug was fixed in some previous updates, without our interaction - maybe someone else discovered it ;).
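The sketch below is an added example, not code from KingsAge or Gameforge. It shows the two defensive checks the message and notes issues call for: every output path, including the export, encodes player-supplied text before BB codes are translated, and text colored to match the message box is flagged for review. The `[color=...]` syntax, the background color, the message fields and all function names are assumptions.

```javascript
// Added example: constructed names and values, not KingsAge code.
const MESSAGE_BOX_BACKGROUND = "#f4e4bc"; // assumed background color of the message box
const HEX_COLOR = /^#[0-9a-f]{6}$/i;      // only plain hex colors are accepted
const COLOR_TAG = /\[color=([^\]]*)\]([\s\S]*?)\[\/color\]/gi; // assumed BB code syntax

// Encode every character that is significant in HTML text or attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Escape first, then translate the allowed BB codes. A color value that is
// not a plain hex color is dropped and only the (already escaped) text is kept.
function renderBbCode(raw) {
  return escapeHtml(raw).replace(COLOR_TAG, (match, value, inner) =>
    HEX_COLOR.test(value)
      ? `<span style="color:${value.toLowerCase()}">${inner}</span>`
      : inner
  );
}

// The export path reuses the same renderer as the normal message view, so
// there is no second, unencoded way for a message body to reach HTML.
function exportMessage(message) {
  return "<html><body><h1>" + escapeHtml(message.subject) + "</h1><div>" +
    renderBbCode(message.body) + "</div></body></html>";
}

// Review aid: return text that is colored exactly like the message box
// background and is therefore invisible to the recipient.
function findHiddenText(raw) {
  const hits = [];
  for (const m of String(raw).matchAll(COLOR_TAG)) {
    if (m[1].trim().toLowerCase() === MESSAGE_BOX_BACKGROUND) hits.push(m[2]);
  }
  return hits;
}

// Constructed sample message: markup hidden with the background color.
const sampleMessage = {
  subject: "Alliance <offer>",
  body: "Hello [color=#F4E4BC]<script>alert(1)</script>[/color] see you",
};
```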

However, we contacted the data protection officer of Gameforge on Sunday. Unfortunately, we received an automated email saying that the inbox is only opened every Friday. We were even more surprised when we received a response from Mr. Gräber on Monday, saying that he had forwarded the information to the right department. After five weeks had passed without any reaction from KingsAge, we wanted to call the company, but we only found a support hotline, which was an answering machine.

Four days later, the project manager Mrs. Berger contacted us and said that the issue would be fixed with the next version of KingsAge, and she thanked us for our effort. She didn’t say when the new version would be released. Finally, we had to wait a half month until the update was released and the cross-site scripting issue resolved.

It’s kind of sad that it took Gameforge more than two months to fix one simple cross-site scripting vulnerability. However, we want to thank Gameforge Productions GmbH for the cooperation and wish you a lot of fun with their browser games.

The team of internetwache.org

Screenshots:

Screenshot of an XSS hole in KingsAge