Where the journey began.

This is a story of how an afternoon causing mischief with a little bug in a video game led me on a quest to purge a potentially dangerous exploit from software used by businesses and governments around the world, and also provided me with a practical lesson on why you should report issues you find in code, even if they seem small at first.

It all started one afternoon this past Fall in an undergraduate class on entrepreneurship I was taking at Harvard Business School. We were learning about how to work effectively in small teams by participating in one of the Business School’s simulations, which is used to teach professional executives lessons on teamwork.

We were put in groups of five and told that our goal was to work together as a team to (virtually) summit a mountain. Each of us was given a link to the simulation website and once we logged into the site we were greeted with a screen telling us about the unique role our assigned character was to play within the team. One person was the leader, one was an experienced mountaineer, one was a medic, and I was of course given the exceedingly useful role of environmentalist 😒🌳

The simulation was basically an old-school, turn-based menu game, implemented in the browser with JavaScript and HTML. Like an executive training version of Dungeons and Dragons, on each turn every player had to choose where to move on the mountain as well as how to use their equipment. We received points for completing common team objectives and unique individual ones (mine was of course to protect nature by cleaning up trash in the middle of the mountain).

The entire game was run through a set of forms on the website, but there was also an ever-present chatbox at the top of the page, which let you send instant messages directly to other players, or to the whole team. As my teammates squabbled over virtual supplies, I started to mess around with the chatbox and quickly realized that it was not escaping any HTML input I was entering.

This meant that I could run whatever JavaScript code I wanted on any one of my teammates' simulation pages via cross-site scripting (if you aren't familiar with cross-site scripting and why escaping HTML is important, I would highly recommend this video).
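The fix for the bug described above is to escape user-supplied chat text before it is inserted into the page. The following is an added example, not code from the simulation site, showing the unescaped rendering path beside an escaped one on a constructed message; the function names and the message template are assumptions.

```javascript
// Added example: rendering a chat message with and without HTML escaping.
// "Rendering" here means building the HTML string that a chatbox would assign
// to its container element, so this runs under Node without a DOM.

// Characters that can change HTML element or attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a string so the browser displays it as text instead of parsing it
// as markup. Escaping must happen at the point of insertion into the page,
// not at storage time, so the stored message stays usable elsewhere.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable path: the sender and body are concatenated straight into the
// markup, which is what an unescaped chatbox does. Any tags in the message
// become part of the page.
function renderMessageUnsafe(sender, body) {
  return `<div class="msg"><b>${sender}</b>: ${body}</div>`;
}

// Hardened path: every untrusted field is escaped before concatenation.
// (In real DOM code, assigning element.textContent achieves the same thing
// without building strings at all.)
function renderMessageSafe(sender, body) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(body)}</div>`;
}

// Constructed sample message carrying a script tag (plain text here; it is
// only dangerous if a page inserts it unescaped).
const SAMPLE_SENDER = "environmentalist";
const SAMPLE_BODY = '<script>alert("bonus points")</script> clean up the trash!';

// Convenience check: does a rendered fragment still contain the script tag?
function leaksScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Running `renderMessageUnsafe` on the sample passes the tag through intact, while `renderMessageSafe` turns it into `&lt;script&gt;...` that the browser shows as literal text.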

Endowed with this new power, I sent code to my teammates which made a message pop up on their screens informing them that bonus points would be awarded if the trash on the mountain was cleaned up and the person with the role of medic (who was being particularly combative) didn't make it to the summit. The virtual trash was pretty quickly collected and the medic abandoned. I dedicated the remainder of the game to turning my teammates against each other one by one with the lure of bonus points, and reveling in the chaos that ensued.

This bug in the simulation site definitely let me cause a lot of mayhem (all in good fun of course), but it was in no way a severe issue. The problem was internal to the game, so in the worst case a rogue student could use it to mess with classmates, but it couldn't be used to steal important information or hijack accounts like other notable cross-site scripting bugs. I figured that the Business School professor who created the game had a student throw the site together in a late, caffeine-fueled night, and the bug was a one-off oversight.

I could have just let it be, but I knew that if there was an exploit like this in live code I had written I would want to be informed of it. So I decided to do the responsible thing and report the bug after class.

This was when things got interesting.