A hacker has made some disturbing claims about Marvel Rivals and its potential vulnerability.
Shalzuth made this post on his blog:
“Security vulnerabilities in online games aren’t just theoretical – they happen more often than you’d think. Recently, I discovered a Remote Code Execution (RCE) exploit in Marvel Rivals that could allow an attacker on the same network to run arbitrary code on another player’s device.
The Elephant
The issue is the game uses remote code execution for their hotfix patching system – but the game doesn’t verify that it’s connected to the real game server, and the cherry on top is that the game runs with admin privileges for the sake of anti-cheat.
This type of exploit, known as Remote Code Execution (RCE), is one of the most dangerous vulnerabilities a game can have. It means an attacker could potentially run harmful commands on your PC without your knowledge – just by being connected to the same Wi-Fi.”
Shalzuth went on to share video evidence that Marvel Rivals can be hacked using RCE on the PC, and also on the PlayStation 5. You can watch the respective videos below.
How common are RCE exploits? Literally every Call of Duty game made before Call of Duty Infinity Warfare is vulnerable to RCE exploits to this day. Here’s a tweet from Windows Central’s Jez Corden revealing that FromSoftware was investigating an RCE exploit affecting Elden Ring. RCE exploits are a popular way to mod and hack older video games.
But then, perhaps we shouldn’t be too surprised that NetEase didn’t quite nail down Marvel Rivals’ security measures. It took a month after launch before they disabled mods, because fans were making their characters look like all manner of non-Marvel universe characters.
Subsequently, it was only last month when NetEase decided to put a blanket ban on mouse and keyboard adapters. Funnily enough, rumors also spread last month that they were deliberately adding fake heroes in their game files to catch some of their leaker hackers.
NetEase’s Marvel Rivals teams may include some less experienced devs, but we know for sure they also have some veterans, between their Guangzhou and LA studios. Its LA studio game director is Thaddeus Sasser, who’s worked on the biggest AAA shooters for id software, Activision, Ubisoft, and Electronic Arts.
So we don’t think this was a case of a ‘new’ Chinese studio that’s too inexperienced to know what they’re doing. It may be that NetEase put a bit too much trust on their audience, hoping that there wouldn’t be bad apples to ruin it for everybody.
After all, Marvel Rivals doesn’t have an anti-cheat system in place either. That’s allowed it to earn Playable status on Steam Deck, but they may regret these choices down the line.
For now, we’re going to wait and see if NetEase responds to this claim publicly or privately, and if they make what seem to be necessary changes in due course.
