Pokémon Go Desperately Needs a Bug Bounty System

By Bryan Lufkin on at

This past weekend, many Pokemon Go gyms were rendered unplayable. Players trying to battle at sites like Big Ben were greeted not by a ‘mon but by an egg that glitched the game, protecting these gyms from being defeated. Eggs appeared in New York City, London, and elsewhere—and almost all of them were placed there by the same person.

He goes by Netops in the game, on a throwaway Kik account, and on Ownedcore, a forum dedicated to finding exploits in World of Warcraft (and more recently, Pokémon Go.) While he describes his professional ventures as “a form of network security,” he’s also worked to find exploits in “many of the top MMO games” to duplicate items and in-game currency. (He wouldn’t say whether these exploits resulted in any real-world compensation, for obvious reasons.)

Eggs in Pokémon Go can’t be released, but Netops discovered that eggs have ID numbers just like monsters, meaning they can be “deployed” to gyms. Using a Python-based API from Github, an Android emulator, and a “sniping” script, he was able to send requests to Niantic to deploy eggs to gyms anywhere in the world, so long as he had the gym’s ID and it was owned by the same team. He posted his findings, albeit obliquely, to Ownedcore.

While many in the Pokémon Go community cried foul at the prospect of unbeatable gyms ruining gameplay, Netops claims he did it as a simple prank, hitting only a fraction of the gyms he could have, and refused to cash in any of the ill-gotten PokéCoins he got in the process. “I attempted to remove all eggs from the gyms they where deployed to last night,” he wrote. “I was able to remove all but 9, as the account that 9 belong too was banned.” It’s unclear if Niantic has taken action to that end yet, but the exploit itself has since been patched.

Momentarily breaking a game is undoubtedly a dick move, but the egg exploit is only one of the countless ways players have been getting under the hood of Pokémon Go—from collectives like the Silph Road to black hat communities like r/pokemongodev and Ownedcore. Some of these exploits are used for individual gain, sale of accounts and currencies, or simply seeing how much can be gotten away with before the inevitable account ban. “I can’t play [games] without wondering exactly how an action is performed, know what data is sent, how the server handles requests, if you could break how it handles requests etc. It’s a bit of an addiction I must say,” Netops wrote.

Any wildly successful game experiences a similar influx of ethical and unethical players looking to find an edge (or a business opportunity). And Netops, for his part, claims to have only posted his exploit publicly because there was no way to get in touch with Niantic, which has become renowned for its silence towards fans and press.

Those who release games... should understand the power of responsible disclosure and the concept of a bug-bounty rewards system... If there was one thing I could get across to Niantic, as well as many of the top online games of today, it’s that maintaining a relationship with the community of players that both enjoy delving into the security of a given application and or enjoying the game in the traditional sense, is very important.

Bug bounties are maintained by game companies (Riot, for instance, the creators of League or Legends) and tech companies (Google, which Niantic spun out of) alike. And while the egg exploit was patched relatively quickly, it had the potential to render an entire aspect of Pokémon Go totally inoperable. Even as Niantic cracks down on cheaters, lesser bugs, GPS spoofing, botting, and sniping are still rampant.

Players are speculating that in-game trading will be the next major update—and that it could come in a matter of weeks. “Once trading is in the game, the ultimate goal is the exchange of high cp/iv rare pokémon. So the ability to duplicate pokémon is the end goal,” Netops said, drawing on his past experience. Before that day comes, Niantic should first offer an olive branch—or at least a free t-shirt—to exploiters. They aren’t going away, but they do have the potential to destroy gameplay for casual users.