T-Rex on theHunter.com: What really happened

Dear Hunters,

On Saturday night two images of a dinosaur appeared on our home page announcing that T-Rex is a new species in theHunter. Those images were not official and were posted by an unauthorized person. Thanks to the community, we discovered them quickly and took them down. The developers responded immediately and, following a thorough investigation, the issue was resolved within a couple of hours.

A community member and player had discovered a slight security loophole in the method we use to add banner images to our main page and, instead of reporting it to the Expansive Worlds team (as required by our Terms and Conditions) he used it to add those unauthorized images. We know the personal details of the culprit and the necessary legal actions against him will be taken. (Legal actions will be taken for violating paragraphs 10, 13, 20, 21, 22 of our Terms and Conditions which the player agreed to when registering at theHunter.com.) We want to thank those members of the community who helped us to identify the player.

To reiterate, this minor vulnerability was only affecting one small web-function for posting images and had nothing to do with the game itself or our database, hence we were not hacked. As far as access to sensitive data is concerned, no one has had any access to our database or our data in any way, thus you can be sure that your account details have not been compromised. To address the password question which has been touched upon numerous times in the community over the weekend, all passwords in our database are safely encrypted. Another important concern we want to reassure you about is that we never store any payment details on our servers. All payments are handled by our payment providers exclusively, so your details are safe.

A detailed technical description of what has happened:

The method for adding a banner image on theHunter.com is a part of our web API. One of the authentication layers of this API was missing, making it possible for someone to post an image by using a certain URL with some parameters added to it. The URL for adding banner images was guessable for someone determined enough to find it, and in this case the culprit would have had to make a HTTP POST request towards the URL in question, adding the title, link, image and so on, as parameters. Authentication has now been added to prevent further exploits.

We completely understand the security concerns that were raised in the community following this incident, however we want reassure you that it’s only one small web-function that had a vulnerability and we’ve taken all the necessary steps to ensure nothing like this can happen again in the future.

Best regards,

theHunter team

Share this