@dtech said:
While it is clear that these are major WTF's I would argue that this is not due to missing integrety check but rather to a much more basic WTF: not checking user input
You'd think that MMO developers would have learned not to do that after a WoW exploit was found that could make your character go magnitudes faster years ago (by modifying the speed modifier in memory, the server blindly accepted the clients calculations)
This wouldn't even be a TDWTF-worthy WTF if it were just a case of not checking user input. As one point or another, just about every MMO has fallen pray to speedhacks or teleportation bugs, because they put too much trust in the location data being sent by the client (a certain amount of trust is needed to prevent synchronization problems from lag). Invincibility hacks happen when the server permits the client to dictate hit point totals and the like; that's an even stupider mistake, but at least hit point totals are supposed to change.
The fact that this JSON exploit allows someone to change one item (a pail of Muddy Water, for example) into another item (like extremely rare and valuable Class IV materia, or even armor) reveals that the server is just taking whatever the client says at face value and updating database entries accordingly. It is one thing to fool the server about where your character is. Characters do move. But there's no legitimate means in-game to transmogrify items into other items. There should be no code which permits this! Even item duplication bugs are more understandable, because items are, in fact, legitimately created. The only rational conclusion is that the server actually trusts the client more than it does itself, and alters the database entry for that item to point to a different id in the master items table. Which is, to be generous to Square-Enix, a ludicrous failure of proper coding practice.