The developers behind a popular "open source MMO RTS sandbox game for programming enthusiasts" on Steam, named Screeps: World, have been forced to update their game "in order to protect both players" and their "own reputation," following the discovery of an alleged "remote code execution vulnerability" that would enable players to take control of other players' computers. Even worse, the person who helped discover the vulnerability in question alleges that Valve "ignored" their reported findings.
If you're noticing an overabundance of quotes in the previous paragraph, there's a good reason for that, as this story spawned out of a rather nasty back-and-forth on X between Screeps: World's developers Screeps, LLC and an "information security" aficionado by the name of Isaac King.
As King explained in his initial post, Screeps: World apparently allowed "any other player in the game world to gain remote access to your computer" through the use of a programming exploit. For context, Screeps: World is a programming game that lets players write their own code in JavaScript, which is then used to craft their own custom-made AI units.
As of this writing, the game is currently sitting at a "Very Positive" review score on Steam, having amassed roughly 1,876 reviews and, according to VG Insights, over 113,000 individual purchases.
If you want the exact explanation of the reputed vulnerability, I highly suggest reading King's highly detailed write-up of the exploit on his blog. I will, however, warn you in advance that it requires (at least) a base understanding of JavaScript to fully understand.
Thankfully, King includes an analogy for "non-programmers" in the conclusion: "imagine if there were one particular kind of unit in Starcraft that, if you trained it, let people hack your computer. And when pointed out, the game designers said 'well this is self-inflicted, the players all chose to train that unit'."
King also explains that the developers have been aware of the issue since July 2024, as one of Screeps, LLC's two developers replied to a report on GitHub detailing the vulnerability. The dev in question replied, stating that they "do not see this as a serious security threat." However, a user from the Screeps Discord noted that the vulnerability had been successfully abused in the past.
Once the initial post on X began to gain traction, the official Screeps X account replied stating that the accusation was "at the very least, a clickbait exaggeration, and at worst, malicious defamation intended to cause reputational damage." Nevertheless, they also stated that the alleged vulnerability has, as of January 25, been removed from Screeps: World.
The potentially more worrying side of this is that King noted in his blog post that he'd reported the issue to Steam directly, but didn't receive a reply: "I reported the game to Steam, which of course they ignored. Their terms of service make them not liable for any hacks caused by malware on the platform, so if it's getting sales from which they can take a cut, why do anything about it?"
We've reached out to Valve to corroborate this, and will update the piece if they reply.
