A few days ago, I made a post about some players having suspicious loot items in their accounts (1). I pulled the original post when it became clear that this was due to an widespread exploit and was not family specific. I unfairly targeted a single family and apologize for that. I have since learned all about this exploit and will explain it the best I can. Zynga has quite a mess to clean up as it has been going on since January 5th when Family Property consumable requests were made (1). What makes it worse is players could be sent suspicious loot items without even knowing about it! The exploit was patched today and players can no longer use it.
Any player was able to send another player ANY loot item that is in the inventory. It was done by manipulating the requests for Artillery Shells and/or Reinforced Concrete. The item IDs of Shells or Concrete were replaced with the loot item of choice and 20 of those items could be sent and therefore received. Below is a Artillery Shell request. When 20 players click on it, I get an Artillery Shell and so do they. The exploit worked exactly how these requests do but instead of a Artillery Shell both players got a loot item.
The reason this exploit was bad news is players could use ANY Mafia Wars profile ID, create a request and “bounce” 20 items into any other players account (provided they were Facebook friends). There are innocents who got loot items and didn’t even realize it. Those using request scanning scripts also reported getting suspicious items. If manipulated request links were posted, players using scanners got the items. Loot was not the only thing that could be gained by this exploit. Treasure Chest Keys and Collectable Stat Cards could be sent. In addition to boosting equipment attack/defense scores, players could boost their reward point balance and skills! In a game which is all about skill points, this is not good news to players who earn and/or pay for theirs.
Many players using the exploit were not very smart about it and that lead to it’s discovery. Our inventory items are displayed on our profile page and our active defense items can be viewed by anybody (1). Learning you were beat by a Emerald player owning hundreds of Harbingers would be cause for further investigation.
The not so brilliant exploiters who created requests for items which are impossible to own more than one of, are not released yet or don’t exist are the ones who drove this exploit into the lime light. Owning hundreds of rare Boss Fight items is suspicious enough but I saw profiles with multiple Grand Prize Mission items, Death By Ice Reward items, unreleased Ice Season loot, Collector’s Edition loot, Ruby Level Group Sale items and many Collectable Stat Card Grand Prize items!
There were several instances of players using this exploit to target other players/families. Items were unknowingly sent to players and the innocent were reported by the same players who sent the items. If you find that suspicious loot items were added to your inventory, the best thing to do is contact Customer Support to have them removed or dump them into your Family Property to get them out of your inventory.
I don’t know how Zynga is going to undo the damage that this exploit has created. Many players pay real money for loot items, skill points and reward points. Most are now worried that those items purchased with real money or earned the hard way will be wrongfully removed in the event of a rollback. Zynga will need to figure a way to distinguish those that were purchased/earned from those acquired through the exploit before attempting rollbacks. It’s recommended that you take video images of your stats and inventory items in the event that a rollback happens and they screw it up.
|Article written by Jennifer Patterson, Creator of the MW Loot Lady Blog, The Mafia Wars Loot Lady Facebook Fan Page and Co-Host of The Informant Podcast. |
All material is protected by copyright law