Testing In Production

December 31, 2021 Renoir
Screenshot from Ingress comm showing the Log4Shell exploit message.

Log4Shell Exploit In Comm

A couple of weeks ago, eagle-eyed scrapers noticed an unusual message in Ingress comm from agent d0gboy. The message attempted to exploit a newly discovered vulnerability in the Java logging library Log4J, commonly referred to as Log4Shell. The exploit uses a Message Lookup Substitution feature to replace specific strings with dynamically generated ones. Some of these methods can download, deserialize, and execute code.

WARNING: Do Not Try This At Home Kids!

It is a violation of the Niantic Terms of Service to “attempt to access or search the Services or Content or download Content from the Services through the use of any technology or means other than those provided by Niantic or other generally available third party web browsers (including without limitation automation software, bots, spiders, crawlers, data mining tools, or hacks, tools, agents, engines, or devices of any kind).” A few years ago, Niantic banned agents from using comm if they used a similar exploit to reboot iOS devices. Consider yourself warned.

Agent d0gboy happens to be the de-facto leader of the Enlightened faction on the west coast of the United States. D0gboy also moonlights as a security engineer for Niantic. The comm message that he sent was designed to test for the vulnerability by attempting to resolve a DNS request that would include the hostname of any vulnerable assets that executed the code. The DNS service for canarytokens.com records the request and reports it back to d0gboy so he can review it and take necessary actions to protect Niantic systems against this vulnerability.

However, the way this vulnerability works, the comm message wasn’t just testing Niantic systems. Every vulnerable system that processed that message would have executed that code, including any vulnerable web browsers visiting the intel site. Inadvertently, d0gboy tested both Niantic and customer systems with the same comm message.

Niantic likely explored other areas, including submitting places of interest (POI) with similar test strings in the title, description, and address fields. These tests would have exercised the Wayfarer infrastructure. Approving the POI could have pushed them into Ingress and Pokémon Go to test those infrastructure stacks, the game clients, and anything else that interfaces with them. There’s also Niantic Social and the community forums that could have received similar treatment. But, just like how the comm message inadvertently tested customer systems, these tests would run the risk of testing lots of systems outside of Niantic.