TERA's Chat System Reportedly Leaves Game Open For Exploits

**UPDATE** Nov. 13

Although not explicitly stated by En Masse, it appears that the hotfix did go through on the 11th and chat has been returned to normal. That said, players logging on after the hotfix have noted that their personal settings for the game have been undone. So, just to be on the safe side, you might want to turn your volume down before logging into the game.

**UPDATE** Nov. 10

En Masse Entertainment posted a response to this later in the day yesterday stating that they are "taking these claims very seriously, but as of this time, [they] have no evidence" that the exploit is being used in the way described or that it's compromised player information.

In the meantime, they've applied a patch that will prevent all chat except guild chat as a precaution while they investigate.

**Original Post** Nov. 9

Using chat in TERA may not be the safest thing to do. No, I don't mean due to general toxic community behavior. Rather, I mean that it can apparently be exploited by players due to the fact that it uses HTML.

Recently Redditor Gosukek made note of the fact that the way En Masse Entertainment handles the game's chat leave players open to a wide variety of questionable activity. These include things like sending clickable links or external images -- even on megaphone. This means that every connected client opens images, whether the chat is visible or not; something which could result in less savory people having access to everyone's IP address.

Other alleged activities believed to be allowed would be to crash people's clients using the whisper feature, or even by spamming it in global. And even more nefarious, someone could possibly delete other player's characters or items, although Gosukek refrained from explaining exactly how that works.

The document Gosukek put together also references Remote code execution, stating:

"Remote code execution This is the big one, if you skip past everything else PLEASE READ THIS. Due to several factors that I will not go into detail with, there is a very real possibility that this could be used to remotely execute code on clients computers. This means the potential for this to be used to spread malware, viruses, keyloggers, all kinds of juicy shit, is VERY REAL and VERY VERY VERY VERY VERY F* SERIOUS. This is a HUGE deal and I cannot f* state that enough. This is beyond a simple data breach and the fact that it has been swept under the rug is appalling (I will talk about this more in the drama section). I know that this is scary, but you should be f* scared, this is potentially a very serious issue. I have not tested it myself as it's 2spooky even for me, however by all accounts it should work."

Needless to say, if true, there appears to be a lot of risks associated with using the TERA in-game chat, and apparently there's not a whole hell of a lot you can do about this -- unless you want to make use of tera-proxy as a mode of protection. But let's just say that option is ethically questionable. Not that this matters to everyone since the whole banning incident back in May.

However, just in case there is a solution in the works, we have reached out to En Masse Entertainment for comment (in addition to the post they already made.) Should they respond, we will update this post. In the meantime, you can read Gosukek's writeup on the issue and check out any comments on the Reddit post.