My Career – Part 21: Niantic: How I made #1 on a Cracked listicle

One day I was scrolling through cracked.com (as I do almost daily) and while reading an article titled “5 Security Flaws In Games that Caused Catastrophes”, I found that I had made #1 on the list! 

This was NOT my life’s goal.

This article requires a little explanation.

In anticheat, we are always looking for good signals that help us understand that people are cheating. We had two new signals that worked really well, and my boss (Alf) really wanted to enable them.

  • One of the signals detected when iPogo was used to spoof.
  • One of the signals detected API hooking, which means that someone is injecting their own code within the game (which is common cheating behavior).

iPogo promotion

Both signals worked exactly as expected, but the problem was that somebody working on the game discovered a bug running on a very old phone OS and they decided that the best way to work around it was to hook part of the app in a weird way when that version of the OS was detected. Hence, in some cases Niantic was hooking the API and causing the signal to be triggered. We didn’t realize that this was the case before enabling the signal.

Why was this not caught? 

It should have been caught, but as very few players used this old phone OS, it was only responsible for about 50 players being wrongfully punished (Savitha and I went through all of these players very carefully). In comparison, the iPogo signal punished about 50,000 players. Hence, the 50 bad punishments flew under the radar.
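One pre-enforcement check that surfaces this kind of false positive, as an added example (not Niantic's code): break a signal's shadow-mode hits down by OS version and flag any cohort whose hit rate is far above everyone else's. The cohort names, counts and thresholds are constructed, and the sample assumes the game's own hook fired for every player on the affected OS version.

```python
from collections import Counter

def build_sample():
    """Constructed data: (os_version, active players, players the signal hit)."""
    spec = [("os-new", 4000, 200), ("os-mid", 3000, 150), ("os-old", 50, 50)]
    active, flagged, pid = [], set(), 0
    for os_version, n_active, n_flagged in spec:
        for i in range(n_active):
            active.append((pid, os_version))
            if i < n_flagged:
                flagged.add(pid)
            pid += 1
    return active, flagged

def cohort_report(active, flagged_ids):
    """Return {os_version: (flagged, total)} for a signal run in shadow mode."""
    total, hits = Counter(), Counter()
    for player_id, os_version in active:
        total[os_version] += 1
        if player_id in flagged_ids:
            hits[os_version] += 1
    return {os: (hits[os], total[os]) for os in total}

def outlier_cohorts(report, ratio=5.0, min_flagged=20):
    """Cohorts whose hit rate is at least `ratio` times the rate of everyone else.

    Comparing against the rest of the population (not the overall rate) keeps a
    small cohort visible even when a large, legitimate detection dominates the totals.
    """
    all_hits = sum(h for h, _ in report.values())
    all_total = sum(t for _, t in report.values())
    out = []
    for os, (h, t) in sorted(report.items()):
        rest_total, rest_hits = all_total - t, all_hits - h
        if h < min_flagged or rest_total == 0:
            continue  # too few hits to judge, or nothing to compare against
        rate, rest_rate = h / t, rest_hits / rest_total
        if rest_rate == 0 or rate / rest_rate >= ratio:
            out.append((os, h, t, round(rate, 3)))
    return out

if __name__ == "__main__":
    active, flagged = build_sample()
    for os, h, t, rate in outlier_cohorts(cohort_report(active, flagged)):
        print(f"review before enforcing: {os} flagged {h}/{t} ({rate:.0%})")
```

A cohort where nearly every active player trips the signal points at something the platform or the app itself is doing, which is worth reviewing before any punishment is issued.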

If only 50 players were wrongfully punished, why did this make #1 on the list?

Player complaining on YouTube

There are two reasons (both of which refer back to statements that I made in chapter 19):

First, when I said that “Pretty much all cheaters that get punished will loudly claim that they were punished for no reason”, I meant it. Most of the 50,000 players complained that they were unjustly punished (they were not).

Second, I pointed out that the prior anti-cheat system tried to re-create state in a way that broke the three strike system. On the old system, it was common for players to continually only get a warning whenever they were caught cheating, but the new system worked correctly such that they started seeing real suspensions (and a few bans).

So players were freaked out that they were caught cheating and that this time, getting caught had real consequences. But the majority of those complaining knew that they were cheating.

In retrospect, we probably should have phased the signal in over time such that the punishments didn’t all happen at once (but Alf was very insistent that we not phase it in).

The fallout

Obviously we received some bad press over this, and this did cause some people at Niantic to lose trust in the anti-cheat system for a while. But it didn’t last very long – they just requested that we don’t make any major changes to anti-cheat without first consulting them.

Of course we corrected any issues for the 50 people wrongfully punished, but I don’t remember if we ever backed off of the 50,000 iPogo users that were punished.

The article’s line about punishments impacting players attending GoFest was real, however. For the next GoFest, we temporarily disabled all punishments so that even banned players could theoretically play during GoFest. I think that we did this for one year, however. In subsequent years, we scheduled punishments close to GoFest to take effect after the event rather than before.

My final callouts

Not all bugs are security bugs

While I love reading Cracked, they made two mistakes that I need to call out:

  • Their headline incorrectly refers to this as a “security flaw” (it is not). A security flaw typically means that people are able to steal information or to run code on the device in a non-authorized way – neither of which were the case. Security bugs are a huge deal, but this was simply a normal bug.

  • They refer to this as an “anti-piracy” measure, which is very different than “anti-cheat”. Anti-piracy refers to measures that prevent people from copying a game so that you can play it without paying for it.

But I 100% agree with their last line.
