MTG Arena: TextMeshPro injection via WOTC DisplayName = 100% win rate against Desktop and iPad opponents
TextMeshPro markup injection leads to whited out screen.
Overview
I discovered a TextMeshPro injection on MTG Arena which I reported through the Hasbro Responsible Disclosure program to prevent public knowledge/abuse. I received no response and posted a bug on the MTG Arena bug tracking site https://feedback.wizards.com:
- Upvote it here to prioritize a fix: https://feedback.wizards.com/forums/918667-mtg-arena-bugs-product-suggestions/suggestions/50749187-textmeshpro-abuse-with-wotc-displayname-100-win
I discovered this by decompiling the DLLs while I was testing out my bespoke static analysis tooling on the decompiled C# code.
Report
Summary
MTG Arena does not sanitize user Display Names. A nefarious user can create a Display Name with TextMeshPro markup to have an unfair advantage (100% win rate) against players using Desktop and iPads. This can cause frustration with other gamers and lead to loss of revenue if paying customers decide to leave the platform.
However, a player performing this abuse loses a lot of game functionality themselves. For example, they must play on mobile only or play with a modified client on an affected device.
It is easy for any user to create a new account (no email verification before you can play), which makes this a very easy exploit to abuse.
Due to the reasons listed above, I’d classify this as a low (maybe medium) risk/issue.
Proof of Concept / Reproduction steps:
Register a new WOTC account at: https://myaccounts.wizards.com/register
Create a character Display Name with TextMeshPro size markup and >= 4 Unicode block elements: <size=9999>████

Upon playing, you will notice match screens will show a large white box (the name).
Example photo, me playing a game against Sparky:

I have also confirmed a real opponent sees the same thing on Desktop when battling this user.
I did not test on an iPad myself; however, I believe they are affected, as online videos of iPad use (example link) show names displayed on screen, unlike mobile phones, which are not affected (tested on Android).

Mobile devices are unaffected as Display Names are not shown at all times during the match. The user abusing this will have to use a mobile device (or an otherwise patched client) to get past the tutorial and play human opponents.
Remediation:
Sanitize user input before passing to [TextMeshPro] sinks and/or restrict WOTC display name character set.
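One way to implement both halves of this remediation, as an added example that is not code from the MTG Arena client or from Wizards of the Coast. The class name `DisplayNameGuard`, the 24-character limit and the allowed character set are assumptions chosen for illustration.

```csharp
using System;
using System.Text;

// Added example: hypothetical helper, not code from the MTG Arena client.
public static class DisplayNameGuard
{
    public const int MaxLength = 24; // assumed limit; the page does not state the real one

    // Allowlist: letters and digits of any script plus a few separators.
    // '<', '>', '=' and symbol characters such as U+2588 all fall outside it.
    private static bool IsAllowedChar(char c) =>
        char.IsLetterOrDigit(c) || c == ' ' || c == '_' || c == '-';

    // NFKC folds compatibility forms (for example fullwidth '<') to their
    // plain equivalents so they cannot slip past the allowlist.
    private static string Nfkc(string s)
    {
        try { return s.Normalize(NormalizationForm.FormKC); }
        catch (ArgumentException) { return null; } // invalid UTF-16, e.g. a lone surrogate
    }

    // Registration/rename check: reject the name instead of repairing it.
    public static bool IsValid(string name)
    {
        if (string.IsNullOrWhiteSpace(name)) return false;
        string n = Nfkc(name);
        if (n == null || n.Length > MaxLength) return false;
        foreach (char c in n)
            if (!IsAllowedChar(c)) return false;
        return true;
    }

    // Render-time defence for names stored before validation existed:
    // every character outside the allowlist becomes '?', so nothing that
    // reaches a rich-text label can open a tag.
    public static string ForDisplay(string name)
    {
        string n = string.IsNullOrEmpty(name) ? null : Nfkc(name);
        if (n == null) return "?";
        var sb = new StringBuilder();
        foreach (char c in n)
        {
            if (sb.Length == MaxLength) break;
            sb.Append(IsAllowedChar(c) ? c : '?');
        }
        return sb.ToString();
    }

    public static void Main()
    {
        string reported = "<size=9999>\u2588\u2588\u2588\u2588"; // name from the report above
        Console.WriteLine(IsValid(reported));
        Console.WriteLine(ForDisplay(reported));
        Console.WriteLine(IsValid("Sparky_01")); // constructed sample name
    }
}
```

Validation belongs on the server at account creation and rename, since a modified client can skip any client-side check. Labels that only ever show user-controlled text can additionally have TextMeshPro's `richText` property set to false.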