When AI Bots Play Dirty: How One Game Became Ground Zero for AI Exploits
An experimental browser game intended for fun turned into an unexpected battleground for AI bots trying to dominate the leaderboard. The creator's journey of patching vulnerabilities highlights the rapid evolution of AI and the constant game of cat-and-mouse that developers face.
In the area of gaming, there are few things as thrilling as a spontaneous challenge. For a small browser game called Hormuz Havoc, it wasn't just the gameplay that caught attention but rather the onslaught of AI bots that scrutinized its mechanics to climb the leaderboard with alarming efficiency.
The AI Invasion
What started as a light-hearted satire where players step into the shoes of an American president managing a Middle Eastern crisis quickly transformed into an AI battleground. Within mere hours of release, a group of friends turned challengers unleashed a horde of AI bots, aiming to exploit the game's leaderboard.
The initial wave of AI attackers made use of the Claude browser extension to directly access the game.js file. At the heart of the game, this file revealed key scoring formulas and action effects, elements that human players would encounter only through gameplay. But these bots bypassed the need for playing altogether, optimizing their actions directly from the source code. The result? Scores 2.5 times higher than those of their human counterparts.
Patching the Holes
To combat these cyber intruders, the game’s creator moved all critical logic server-side, transforming the client into a mere conduit. This strategy effectively obscured the scoring dynamics from the prying eyes of AI. Yet, as any developer knows, the compliance layer is where most of these platforms will live or die. The change prompted a new tactic from the bots: brute-force attacks, targeting random number generation (RNG) functions.
The relentless AI innovations didn't stop there. Another bot exploited a flaw in the session token system. It replayed the same token for a turn until the random outcome was favorable, effectively maximizing the score by cherry-picking outcomes. This maneuver pushed scores up by another 1.5 times.
The Battle Continues
Such rapid adaptation raises a pointed question: Are AI bots outpacing human ingenuity? While additional security measures like consuming a turn nonce atomically were implemented to close this latest loophole, the game of cat-and-mouse continues. The leaderboard now separates human players from AI-assisted ones, showcasing the current limits of AI bot capabilities.
While the cunning AI exploits weren't entirely unexpected, it serves as a stark reminder of the evolving landscape of cybersecurity. As AI systems grow more sophisticated, developers must stay vigilant, anticipating and patching vulnerabilities faster than they can be exploited. You can modelize the deed. You can't modelize the plumbing leak.
Hormuz Havoc may be a small-scale example, but it’s an insightful microcosm of the broader challenges and opportunities AI presents. Is this the future of gaming, where AI exploits become as celebrated as the games themselves?
Get AI news in your inbox
Daily digest of what matters in AI.