Do Console Servers Insufficiently Verify Client Data?

In the last weeks two glitches for the console version of the game leaked on our very own forum. They seem unconnected at first, but might be exploiting the same flaw in server/client communication. The first one is (or was as it might have been patched yesterday) related to weapon restoration. Under certain circumstances players are apparently able to restore their weapons without having all Reagents. The trick is rather simple. When you bring up the restoration window for a certain item, you have to spam square (on the PS4) and the process might get through.

Click, click, click

The other glitch also works by clicking faster than it’s good for the game. And because it might allow players to open more lockboxes than they should be able to, it actually hurts Cryptic and PWE a lot. Enchanted Keys is probably the item that generates the most revenue.

[su_youtube_advanced url=”https://www.youtube.com/watch?v=GSB3MoT6y0Y&feature=youtu.be” https=”yes”]

As you can see in the video found by dyukiller, the user spam opens lockboxes while only having one key. If you slow down the video you can see that the “open” option is triggered rapidly.

It might be the same flaw

As said, both exploits come in different areas, but might be taking advantage of the same flaw. Under certain circumstances buttons and options don’t seem to be properly turned off. Hence they can be pressed or activated when it shouldn’t be possible. In the example of restoration it seems that the button to restore the weapon is enabled by default until the server tells the client that some Reagents are missing. But if you click the button before this confirmation happens, the process will get through.

With the lockboxes we have a similar issue. This time however it’s not about an option being unlocked although it shouldn’t, but an option not being locked fast enough. The boxes are opened so fast that the server’s “you’re out of keys” arrives after players already opened more than they should have been able to. Both glitches could be combined with artificial lag to make server responses even slower.

No Client Data Verification?

The fact that options in the game are wrongfully unlocked does not cause trouble though. What makes this whole thing so amazing is the fact that the client data does not seem to be properly verified. The server should check whether the client is actually able to restore the weapons or open the lockboxes. If you blindly trust client data, you will run into trouble. This is indeed one of the stupidest things you can do in your client/server communication protocol.

Granted, we don’t have all the information and most certainly do not know what causes the issue on the server side. But right now it seems evident that something big is happening on console servers. And if our suspicions are true, than the underlying issue could potentially be exploited in even more areas.


Have you encountered or heard about some of the mentioned glitches in the game? Share your experiences and thoughts in the comments below or visit the corresponding thread on our message board.

Neverwinter UN:Blogged is always looking for writers to contribute to the blog. If you are an active player and search for a way to spread your opinions, analysis, diaries or reviews to more than 40,000 regular visitors, then don’t hesitate and get in touch with us on our contact page or message board! We are currently especially looking for console and PVP content, but that’s not exclusive. There is no frequency requirement, you post how often you want.

NWO_Unblogged

We are always looking for people that contribute to this blog. For more information contact us via blog@nwo-uncensored.com or check the forum.

6 thoughts on “Do Console Servers Insufficiently Verify Client Data?

  • May 3, 2017 at 8:12 am
    Permalink

    I am not so sure , i tried the speed trick many times since the game lauched some times i tried to refined stuff or speed my lockbox last keyt just to see if get a chance to fail the system …before it has never worked ! there is enough checks server /Client sides. My thought is that these guys are able to create a another condition to perform this shit It’s not just speed

  • May 3, 2017 at 10:27 am
    Permalink

    YOU SHOULD GIVE ME CREDIT BY FINDING THE VIDEO! –‘

    • May 3, 2017 at 10:48 am
      Permalink

      Absolutely. Sorry, we edited the post.

  • May 4, 2017 at 2:16 am
    Permalink

    Looks like he opened the kickboxing from within the actual useful items tab and when there is a server not responding note on the screen. Didn’t see the message, video is to blurry but the boxes opened up like ten seconds later. Worth a try though it might get you banned once they are able to track that data.

    • May 4, 2017 at 4:31 am
      Permalink

      you will fail miserably it’s not as easy as it look . There is another recipe this guys knows to make it works it;s not just about smashing buttons

  • May 5, 2017 at 1:20 pm
    Permalink

    You could redeem winter parcels many times too. Looked like the more lag there was, the more freebies there were

Comments are closed.