Grey Hat Hacker Steals $20 Million Worth of Magic: The Gathering Cards

Alexander Stevenson
Cisco Employee


Let me just preface this by saying that stealing is wrong. The software developer/reverse engineer we’re about to discuss did, in fact, steal $20 Million worth of Magic: The Gathering Cards in a single request…but they immediately reported the vulnerability and it has been patched. While the hacker in question, Dan Mayer, hasn’t stated whether they received a reward (I’d like to think they did), Dan did state that “the millions of dollars worth of digital cards isn't the reward here. The reward, hopefully, is knowledge.”


Basically, Dan performed the heist with an arithmetic overflow, also known as integer overflow, by submitting a single request to purchase a quantity of card packs of one digit greater than the 32 bits that C# can handle: 0xFFFFFFFF + 1


Read exactly how Dan did it all, here on his website: https://www.mayer.cool/writings/Heisting-20-Million-in-Magic-Cards/


Have you ever found and reported a vulnerability? If yes, perhaps you can reply with some details in the comments below. Just don't violate any NDAs!


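To show the kind of truncation the post describes, here is an added C example (not from the post or from Dan's write-up) with a constructed pack price and a hypothetical checkout routine: a quantity of 0xFFFFFFFF + 1 silently becomes 0 once it is stored in a 32-bit field, while the hardened version validates the range and uses overflow-checked multiplication. The quantity limit and the `__builtin_mul_overflow` builtin (GCC/Clang) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed value for the example: $3.99 per pack, in cents. */
#define PACK_PRICE_CENTS 399u

/* Weak version (hypothetical): the requested quantity arrives as a wider
 * 64-bit number but is stored in a 32-bit field, so 0xFFFFFFFF + 1
 * truncates to 0 and the order is priced at 0 cents. The product can
 * also wrap within 32 bits for large but untruncated quantities. */
uint32_t total_cents_unchecked(uint64_t requested_qty) {
    uint32_t qty = (uint32_t)requested_qty;   /* silent truncation */
    return qty * PACK_PRICE_CENTS;            /* 32-bit wraparound */
}

/* Hardened version: reject quantities outside [1, max_qty] before
 * narrowing, then multiply with an overflow check. Returns the total in
 * cents, or -1 if the order cannot be priced safely. */
int64_t total_cents_checked(uint64_t requested_qty, uint32_t max_qty) {
    if (requested_qty == 0 || requested_qty > max_qty)
        return -1;                            /* out of range: reject */
    uint32_t qty = (uint32_t)requested_qty;   /* safe: range validated */
    uint32_t total;
    if (__builtin_mul_overflow(qty, PACK_PRICE_CENTS, &total))
        return -1;                            /* product would wrap: reject */
    return (int64_t)total;
}

int main(void) {
    uint64_t qty = 0xFFFFFFFFULL + 1;         /* the quantity from the post */
    printf("unchecked total for 2^32 packs: %u cents\n",
           total_cents_unchecked(qty));
    printf("checked total for 2^32 packs:   %lld\n",
           (long long)total_cents_checked(qty, 1000));
    printf("checked total for 3 packs:      %lld cents\n",
           (long long)total_cents_checked(3, 1000));
    return 0;
}
```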

4 Replies

Sean Dahlberg
Cisco Employee

Wow, it's been a crazy time for MtG and WotC. It was less than a month ago that (another) Dan (aka Oldschoolmtg) was "raided" by WotC via Pinkerton:

https://kotaku.com/mtg-aftermath-leaks-pinkertons-wotc-magic-the-gathering-1850368923

Magic the Gathering is serious business.


Sean, I think the proper reply to that specific card is "nothing and stick 'em with the pointy end"

Hahaha

Thanks for sharing that, Sean!