Part 11/13:
Perhaps the most striking vulnerability is the lack of proper authentication mechanisms. The code relies solely on the source IP address carried in the UDP packet to verify sender identity. This opens the door to IP address spoofing, a common attack in which a malicious actor impersonates another machine on the network.
The researcher demonstrated how to craft custom UDP packets, set the source IP to a trusted teammate’s address, and inject malicious messages without requiring access to the target system. Because the game’s server trusts IPs without additional validation, these spoofed packets could potentially manipulate game states, kick players, or inject false data, depending on how the game’s logic processes incoming communication.
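The sketch below contrasts the address-only check described above with a per-sender keyed MAC and sequence number. It is an added example, not the game's code: the message layout, the names (`accept_by_ip`, `seal`, `Verifier`) and the assumption that each player receives a secret key over an authenticated channel when joining are all hypothetical.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                      # HMAC-SHA256 output size
HDR = struct.Struct("!IQ")        # assumed layout: sender id, sequence number


def accept_by_ip(src_ip, trusted_ips):
    """Weak check: the UDP source address is the only credential.
    UDP does not verify that field, so this proves nothing about the sender."""
    return src_ip in trusted_ips


def seal(key, sender_id, seq, payload):
    """Sender side: append an HMAC over header and payload."""
    body = HDR.pack(sender_id, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Verifier:
    """Receiver side: authenticate by key, not by address, and drop replays."""

    def __init__(self, keys):
        self.keys = keys          # sender_id -> per-session secret (assumed)
        self.last_seq = {}        # sender_id -> highest sequence accepted

    def open(self, datagram):
        """Return (sender_id, payload), or None if the datagram is rejected."""
        if len(datagram) < HDR.size + TAG_LEN:
            return None           # too short to hold header and tag
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        sender_id, seq = HDR.unpack_from(body)
        key = self.keys.get(sender_id)
        if key is None:
            return None           # unknown sender
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None           # forged or modified in transit
        if seq <= self.last_seq.get(sender_id, -1):
            return None           # replayed or stale datagram
        self.last_seq[sender_id] = seq
        return sender_id, body[HDR.size:]


if __name__ == "__main__":
    key = b"k" * 32               # constructed sample key
    v = Verifier({7: key})
    msg = seal(key, 7, 1, b"state:ready")   # constructed sample message
    print(v.open(msg), v.open(msg))         # accepted once, then rejected
```

With this check the source address becomes routing information only; a datagram is accepted because its tag verifies under the sender's key, regardless of the address it claims.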