Network Security, Patch/Configuration Management, Vulnerability Management

TERA video game patched after report of RCE bug in chat feature

South Korean game developer Bluehole, Inc., issued a hotfix for its popular title TERA this weekend, following the circulation of a report revealing that the game's HTML-based chat function could be abused to spread malware.

In a series of forum postings, Bluehole subsidiary and North American publisher En Masse alerted gamers on Nov. 11 that it would be performing emergency maintenance on the MMORPG (massively multiplayer online role-playing game) in order to repair the bug, which “allowed the posting of images external to the TERA client in chat.” Previously, on Nov. 10, En Masse suspended all chat (except for a feature called guild chat) to prevent attackers from exploiting the service, while it and Bluehole investigated the issue.

En Masse said that it first became aware of the vulnerability from a post made to a TERA subreddit, as well as Discord, a voice and text chat app for gamers.

According to the vulnerability disclosure report, which was written by players themselves, an in-game chat error in TERA could have enabled remote code execution on clients' computers, allowing attackers to potentially spread malware. Other malicious activity was reportedly possible as well, including deleting other gamers' items and characters, crashing clients, and looking up players' IP addresses. Prior to issuing the patch, En Masse stated in its forum that it had “no evidence that the vulnerability is being exploited in these ways or that any player information has been compromised.”

First released in South Korea in 2011, TERA debuted in North America and Europe in 2012 – meaning the vulnerability existed for years before its public disclosure.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.