Hacking agar.io

If you remember from previous posts on here, I managed to successfully hack the popular agar.io game to remove the advertisements. I thought I would follow up with some pertinent information about the company Miniclip who makes the game. Please read on, you’ll be glad you did.

Over the months since then, those posts on my site have been quite popular. They’re quite possibly the 3rd-highest content for organic search engine hits here on WordPress for my blog. At some point, I would guess that my posts became known by the game makers themselves at Miniclip who have actually invested time and effort to try to block me from their game.

The first level of pushback from them came when they tried to prevent me from entering my name 👁‍🗨⚙ in the interface by messing with the character kerning between both characters, making it look stupid, basically (something like this 👁‍🗨          ⚙). So of course, I just changed my name to ⚙👁‍🗨 instead and played on.

This worked for some time (a year?). After this, and for some unremembered reason, I wanted to temporarily change my name. When I went to change it back, I found that Miniclip now blocked me from entering either character—they actively prevent the use of these two characters in the game simply for the purpose of spiting me!

So I changed my name and played on. But perhaps three days ago, my iPad was bricked. I actually had to stay on the phone with Apple support since it wouldn’t get past the initial registration screen. So I had to restore the iPad and then apply a previous backup. After all that, things seemed to be back to normal.

And then I played the agar.io game and it bricked itself during game play. You guessed it: Miniclip has added this evil code to their game for taking out users they don’t like.

From the wiki page on Miniclip:

On 1 September 2005, the United States Computer Emergency Readiness Team issued an advisory concerning Miniclip:

The Retro64 / Miniclip CR64 Loader ActiveX control contains a buffer overflow vulnerability. This may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system…. Although the ActiveX control is no longer in use by either retro64.com or miniclip.com, any system that has used certain pages of these web sites in the past (prior to September, 2005) may be vulnerable.[7]

In 2006, several security firms reported that some Miniclip users had installed a “miniclipgameloader.dll” which contained the hostile code identified as “Trojan DownLoader 3069”.[8] In the same year, another download related to Miniclip installed “High Risk” malware called “Trojan-Downloader.CR64Loader”.[9]

So Miniclip already has a history of installing malware in their games for the purpose of hacking their users.

I would strongly suggest boycotting Miniclip and uninstalling any of their apps as a result of these findings. I will be reporting them to Apple iTunes as a result of this.

five minutes to admin status

You’d think that a work or home computer would be reasonably secure since companies like Microsoft have 70,000 employees and perhaps some of them are dedicated to the task of keeping you safe.

Would it surprise you to know that it takes me on average about five minutes to hack into a Windows (NT/XP/7/8/10) computer?

No, really. In about two minutes and with physical access to the computer in question, I can insert a USB drive, boot it into another operating system and make a couple of adjustments. Rebooting then without the USB drive (perhaps another three minutes), the system is hacked and I have admin access.

If you wanted to protect your computer from this kind of hacking attempt, you’d need to physically lock it up when you’re not there.

BadUSB

Not that I use this technique, but there’s even a hack now in which something innocent-looking like a keyboard or USB thumb drive or a camera could go rogue. We’re used to devices like this being well-behaved. If it’s a keyboard, it behaves like a keyboard. But just because they usually behave, that doesn’t mean that someone couldn’t program them otherwise.

In this case, hackers pushed code to the small firmware area of a USB drive so that it initially behaved like a USB drive… only later to change its mind and report to the operating system that it now wanted to be a keyboard. I don’t think anybody saw that coming.

So… re-formatting the USB drive would make the problem go away, right? No. In this case, the actual code is on a different chip in the device so you—the consumer—have no way to get to that chip.

But it gets worse. The device could pretend to be an Ethernet card or almost anything else. It could log your keystrokes, alter files, send emails using your email program, install software, or transmit your keystrokes via radio waves so that someone remotely could pick them up.

If you wanted to protect your computer from this kind of hacking attempt, you’d be super vigilant about which devices you plug into your computer.
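The role switch described above (a drive that later announces itself as a keyboard) leaves a trace on the host that can be checked. The following is an added example, not part of the original post: it scans log lines modelled on Linux kernel messages and flags a USB port that exposed a mass-storage interface and then a HID input interface shortly afterwards. The sample lines, device names, IDs and the 120-second window are constructed assumptions.

```python
import re

# Constructed sample modelled on Linux kernel messages; not captured from a real host.
SAMPLE_LOG = """\
[  100.10] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[  100.25] usb-storage 1-2:1.0: USB Mass Storage device detected
[  160.40] usb 1-2: USB disconnect, device number 5
[  160.90] usb 1-2: new full-speed USB device number 6 using xhci_hcd
[  161.05] input: Generic USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:1234:ABCD.0004/input/input21
[  300.20] input: Desk Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:1234:0001.0005/input/input22
[  400.00] usb-storage 1-4:1.0: USB Mass Storage device detected
[ 9000.00] input: Desk Mouse as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/0003:1234:0002.0006/input/input23
"""

TS = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
# "1-2" is the bus-port path; "1-2:1.0" is an interface on the device at that port.
STORAGE = re.compile(r"^usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
# "0003:" in the sysfs path marks a HID device on the USB bus (keyboards included).
HID = re.compile(r"^input: (.+) as \S*/(\d+-[\d.]+):\d+\.\d+/0003:")


def find_role_switches(log_text, window=120.0):
    """Return (port, storage_ts, hid_ts, name) for every port that exposed mass
    storage and then a HID input interface within `window` seconds."""
    last_storage = {}  # port -> time a storage interface was last seen there
    findings = []
    for line in log_text.splitlines():
        m = TS.match(line)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        s = STORAGE.match(msg)
        if s:
            last_storage[s.group(1)] = ts
            continue
        h = HID.match(msg)
        if h:
            name, port = h.group(1), h.group(2)
            seen = last_storage.get(port)
            if seen is not None and ts - seen <= window:
                findings.append((port, seen, ts, name))
    return findings


if __name__ == "__main__":
    for port, t_storage, t_hid, name in find_role_switches(SAMPLE_LOG):
        print(f"port {port}: storage at {t_storage}s, then HID '{name}' at {t_hid}s")
```

The window is a tuning choice: a larger value catches slower switches but also flags ordinary cases where someone unplugs a drive and later plugs a mouse into the same port.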

Broadpwn

As if that weren’t enough, someone hacked what is quite possibly the most used Wi-Fi chipset in all mobile devices, the Broadcom chip. At least six billion smartphones are affected by this exploit which was described this summer. If an Internet worm is created which uses this exploit, it could jump from one device to the next and right past login prompts, anti-virus software and firewalls without stopping.

If you wanted to protect your computer from this kind of hacking attempt, you’d need to immediately upgrade your smartphones and other portable devices which include Wi-Fi.

Conclusion

At the moment, there doesn’t appear to be an unhackable operating system. I can’t imagine being someone in the military or the government or in charge of a bank right now because it’s just an ugly time for security. You seemingly can’t trust even a computer mouse in a world like this.

I suppose it’s best then to suggest that you back up your important data frequently enough so that you don’t lose everything at some future date.