Sam Curry and his team discovered a severe ORM injection vulnerability in a closed beta online game, which they exploited to gain admin access and drain in-game cryptocurrency wallets. The breach involved exploiting hidden admin panels, API errors, and email leakages to escalate privileges and move funds. #ORMInjection #CryptoWalletLeak
Key points
- The vulnerability was found by using client-side match-and-replace tricks and by reading API error messages that revealed ORM models.
- They used error leaks to identify sensitive models like user passwords, staff, and superusers.
- Admin email addresses were retrieved by brute force using ORM filters, which enabled password reset attacks.
- The team leveraged email leakages to access admin accounts and escalate privileges.
- Full control over the game's crypto wallet was achieved and funds were drained before responsible disclosure.
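An added example, not from the original writeup or the game's code: one way to close the two weaknesses the key points describe (client-supplied filters reaching sensitive models, and errors that name those models) is to allowlist filter keys and answer with a generic error. It assumes a Django-style `field__lookup` parameter syntax, which the summary does not specify; the field names, `validate_filters` and `handle_list_request` are hypothetical.

```python
import logging

log = logging.getLogger("filter_guard")

# Hypothetical public fields and the lookups a client may apply to each.
ALLOWED_FILTERS = {
    "username": {"exact", "icontains"},
    "level": {"exact", "gte", "lte"},
}
GENERIC_ERROR = {"error": "invalid filter"}


class FilterRejected(ValueError):
    """Carries the offending key for server-side logging only."""


def validate_filters(params):
    """Return kwargs safe to hand to an ORM filter call, or raise FilterRejected."""
    clean = {}
    for key, value in params.items():
        # Split on the first "__" only: a traversal such as
        # "owner__email__startswith" leaves "email__startswith" as the
        # lookup, which can never match an allowlisted lookup name.
        field, _, lookup = key.partition("__")
        lookup = lookup or "exact"
        if lookup not in ALLOWED_FILTERS.get(field, ()):
            raise FilterRejected(key)
        # Scalars only: nested dicts/lists can smuggle operators in some ORMs.
        if isinstance(value, bool) or not isinstance(value, (str, int)):
            raise FilterRejected(key)
        clean[f"{field}__{lookup}"] = value
    return clean


def handle_list_request(params):
    """Return (status, body); the rejected key is logged, never echoed."""
    try:
        return 200, {"filters": validate_filters(params)}
    except FilterRejected as exc:
        # Repeated rejections from one client are a signal worth alerting on.
        log.warning("rejected filter key %r", str(exc))
        return 400, GENERIC_ERROR


if __name__ == "__main__":
    # Constructed sample requests.
    print(handle_list_request({"username__icontains": "sam", "level__gte": 3}))
    print(handle_list_request({"owner__email__startswith": "a"}))
    print(handle_list_request({"username": {"contains": "a"}}))
```
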
Read More: https://blog.p1.gs/writeup/2025/07/06/Hacking-a-crypto-game/