05-12-2023 08:02 AM - edited 05-12-2023 08:12 AM
Let me just preface this by saying that stealing is wrong. The software developer/reverse engineer we’re about to discuss did, in fact, steal $20 Million worth of Magic: The Gathering Cards in a single request…but they immediately reported the vulnerability and it has been patched. While the hacker in question, Dan Mayer, hasn’t stated whether they received a reward (I’d like to think they did), Dan did state that “the millions of dollars worth of digital cards isn't the reward here. The reward, hopefully, is knowledge.”
Basically, Dan performed the heist with an arithmetic overflow, also known as integer overflow, by submitting a single request to purchase a quantity of card packs of one digit greater than the 32 bits that C# can handle: 0xFFFFFFFF + 1.
Read exactly how Dan did it all, here on his website: https://www.mayer.cool/writings/Heisting-20-Million-in-Magic-Cards/
Have you ever found and reported a vulnerability? If yes, perhaps you can reply with some details in the comments below. Just don't violate any NDAs!
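The overflow described in the post above, shown beside a hardened form. This is an added example, not part of the original post and not code from the game: the price, the per-order limit, all names, and the assumption that the server multiplies unit price by quantity in 32-bit arithmetic are illustrative.

```csharp
using System;

static class PackOrder
{
    // Constructed values for illustration; not taken from the game.
    const uint UnitPrice = 200;     // hypothetical price per pack
    const uint MaxQuantity = 1000;  // hypothetical per-order business limit

    // Vulnerable form: unchecked 32-bit multiplication wraps modulo 2^32,
    // so a very large order can come out with a tiny total.
    // (unchecked is also what C# does by default for non-constant expressions.)
    static uint TotalUnchecked(uint quantity) => unchecked(UnitPrice * quantity);

    // Hardened form: reject out-of-range quantities first, then do the
    // arithmetic in a checked context so any overflow throws instead of wrapping.
    static bool TryTotal(uint quantity, out uint total)
    {
        total = 0;
        if (quantity == 0 || quantity > MaxQuantity)
            return false;
        try
        {
            total = checked(UnitPrice * quantity);
            return true;
        }
        catch (OverflowException)
        {
            return false;
        }
    }

    static void Main()
    {
        // Smallest quantity whose true cost no longer fits in 32 bits.
        const ulong Wrap = 1UL << 32;  // 0xFFFFFFFF + 1
        uint quantity = (uint)(Wrap / UnitPrice + 1);

        ulong trueCost = (ulong)UnitPrice * quantity;
        Console.WriteLine($"quantity        = {quantity}");
        Console.WriteLine($"true cost       = {trueCost}");
        Console.WriteLine($"unchecked total = {TotalUnchecked(quantity)}");

        bool accepted = TryTotal(quantity, out uint safeTotal);
        Console.WriteLine($"hardened accept = {accepted}, total = {safeTotal}");
    }
}
```

The range check and the `checked` block are independent defenses: the first enforces the business rule, the second catches any overflow if the limit or price is later raised.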
05-12-2023 08:40 AM
Wow, it's been a crazy time for MtG and WotC. It was less than a month ago that (another) Dan (aka Oldschoolmtg) was "raided" by WotC via Pinkerton:
https://kotaku.com/mtg-aftermath-leaks-pinkertons-wotc-magic-the-gathering-1850368923
Magic the Gathering is serious business.
05-12-2023 08:50 AM - edited 05-12-2023 08:51 AM
Sean, I think the proper reply to that specific card is "nothing and stick 'em with the pointy end"
05-12-2023 12:08 PM
Hahaha
05-12-2023 12:08 PM
Thanks for sharing that, Sean!