South Korean game developer Bluehole, Inc., issued a hotfix for its popular title TERA this weekend, following the circulation of a report revealing that the game's HTML-based chat function could be abused to spread malware.
In a series of forum postings, Bluehole subsidiary and North American publisher En Masse alerted gamers on Nov. 11 that it would be performing emergency maintenance on the MMORPG (massively multiplayer online role-playing game) in order to repair the bug, which “allowed the posting of images external to the TERA client in chat.” Previously, on Nov. 10, En Masse suspended all chat (except for a feature called guild chat) to prevent attackers from exploiting the service, while it and Bluehole investigated the issue.
En Masse said that it first became aware of the vulnerability from a post made to a TERA subreddit, as well as from Discord, a voice and text chat app for gamers.
According to the vulnerability disclosure report, which was written by players themselves, an in-game chat error in TERA could have enabled remote code execution on clients' computers, allowing attackers to potentially spread malware. Other malicious activity was reportedly possible as well, including deleting other gamers' items and characters, crashing clients, and looking up players' IP addresses. Prior to issuing the patch, En Masse stated in its forum that it had “no evidence that the vulnerability is being exploited in these ways or that any player information has been compromised.”
First released in South Korea in 2011, TERA debuted in North America and Europe in 2012 – meaning the vulnerability existed for years before its public disclosure.