Exploiting a security flaw in a new Xbox One game could allow players to gain unauthorized access to game files, a security researcher says.
Fallout 4: Rise of the Tomb Raider is the latest game to use a security vulnerability in the console, which Microsoft disclosed Wednesday.
The flaw was disclosed by security researcher Adam Pesto, whose research found that the Xbox 360 version of the game could be used to bypass security features on the Xbox, including GameDVR.
Pesto's researchers say they discovered the bug during a code analysis of the Xbox version of Rise of the Tomb Raider and posted their findings on Thursday, after Microsoft patched the issue.
Pesto found that in Rise of the Tomb Raider, players can gain access to the game’s “GameDVR” feature and use it to record gameplay footage of themselves and other players.
In an email to Ars, Pesto wrote: We’ve tested the game and found that it uses the “Game DVR” API to create and upload a series of clips of players and their gameplay.
It uses these clips as a replay, but as the footage is not uploaded to the Game DVR API, the clip itself does not trigger a trigger and the player is able to use the camera to play the game.
It also uses the GameDray API to capture footage of a player’s avatar as it is being played in-game.
The footage that the camera captures is not the same footage used for the replay.
The GameDRay API also includes a “recording” mode, which is enabled by default in the game, that can record gameplay clips of a single player at a time.
The recordings, when played back in Game DRay, are then shown to the player.
In addition, players are able to view the recordings in the Game Console by clicking on the Recorder icon in the upper-right corner of the Game console.
Once the recording is saved to the Console, the player can then “access” it by clicking the “Play” button in the Console and entering the Game Controller name and password that was given when they installed Rise of Time, Pesto told Ars.
Pesto's researchers say that when a player logs in to the Xbox console and then presses the “View Game” button, a message appears saying the game is running in “Recording Mode.”
Pesto's researchers also say they can log into the console remotely, and that the console will allow them to “execute arbitrary code.”
Pesto's researchers also found that, in addition to recording and uploading clips, the game displays a timer that shows how long it has been since the last recorded clip.
Pesto's researchers say the time can be reset by clicking “Reset” and the timer will start again.
While Pesto's researchers said that they did not receive any Microsoft patch, they noted that “the Xbox’s GameDTV API has a similar behavior and appears to be the same vulnerability as Rise of GameD Ray.
If you use this API, you should make sure to use it only with games that have an active GameDV API.”
“This vulnerability has not been fixed yet, but we believe the fix is on its way,” Pesto's researchers wrote in an email.
“We’re hoping Microsoft will make this fix available to Xbox players in the near future.”