Highlights
- Screeps: World developers patched a critical RCE vulnerability after initially dismissing researcher Isaac King's report.
- The flaw involved malicious HTML injection via JavaScript.
- Screeps LLC updated the game to salvage their reputation, though they insist the security threat was never actually exploited.
The developers behind the popular "open source MMO RTS sandbox game for programming enthusiasts" known as Screeps: World have been forced to update their game "in order to protect both players" and their "own reputation" following a heated dispute over a critical security vulnerability. The controversy erupted after security researcher Isaac King alleged that the game contained a Remote Code Execution (RCE) flaw that could allow malicious actors to take control of other players' computers. Although the development team at Screeps LLC initially dismissed the report as "clickbait exaggeration" and "malicious defamation," they released a mandatory hotfix within 24 hours of the story going viral to patch the exploit. The dispute centers on how the game handles JavaScript, the coding language players use to automate their units.
According to King, who posted a detailed breakdown on X and his blog in January, the vulnerability allowed hackers to inject harmful HTML commands through the game's console logs. To explain the severity to non-programmers, King used a stark analogy: imagine a unit in Starcraft that, simply by being trained, allowed an opponent to hack your physical computer. While the developers argued that this required "highly specific, deliberate actions" from the user and that no verified harms had occurred, King claimed the threat was significant enough that it could compromise a machine simply through gameplay interactions.
Despite the studio’s aggressive public stance, where they insisted the Steam client’s sandbox was secure and accused reporters of spreading fear, the developers rolled out a patch in January. In a statement released to their community, Screeps LLC assured that over the past 10 years, this approach has never been used by any user to cause harm, though they admitted the update was necessary to protect their reputation amidst the backlash.
Prior Security Warnings and Valve’s Silence
The issue, however, appears to predate this week's drama. King noted that similar concerns were raised on GitHub as far back as July 2024 but were reportedly dismissed by the developers at the time, with one developer stating they did "not see this as a serious security threat." Complicating matters further, a user on the official Screeps Discord noted that the vulnerability had actually been successfully abused in the past, contradicting the studio's claims that the exploit was merely theoretical.
Perhaps the most alarming aspect of the story involves the platform holder itself. King alleges that he attempted to warn Valve about the security risk but was met with silence. "I reported the game to Steam, which of course they ignored," King wrote, suggesting that Valve’s Terms of Service might shield the platform from liability regarding malware in third-party titles. He questioned why the platform would intervene if it is still generating sales from which they take a cut.
Financially, Screeps: World remains a success within its niche. Data from VG Insights indicates the title has sold approximately 113,000 units. It currently holds a "Very Positive" rating on Steam based on 1,876 user reviews, though recent feedback has become mixed as players debate the validity of the security concerns versus the developers' defensive response.
