It didn’t take long for Jeff, our family glitch tester, to figure out how and why we lost most of our family members overnight (1). This is a rather serious exploit and would have major consequences if fully disclosed. Zynga needs to fix it as soon as possible and take action against the players who have already used it destroy other families. It is a security breach and the e-crimes department needs to be aware. The rest of this post will assume you are a total douche on a mission to remove members from another family.
The first thing you need to do is gain access into the family you are targeting. A link can be created by using the Mafia Wars Profile link of the family Godfather/Godmother. To see if it worked, I hacked into my boyfriends Facebook account (yeah that’s bad too!).
I clicked on the hacked link and was instantly added to the {ASS} Family. My boyfriend is not Facebook friends with any {ASS} members (including me!). He isn’t a big fan of the game and won’t be happy to see Mafia Wars was once again unblocked on his account.
Here is Justen on the {ASS} Family Roster.
Once you gain access into the family you are targeting it’s rather easy to boot any member who isn’t a Godfather/Godmother or Underboss. Simply go to any player on the roster, right click next to their name and click on “Inspect Element”.
From there, you need to locate a specific bit of code and right click on it and select “edit as HTML”.
Now you need to insert the following hack code. Obviously I’m covering some of it up as this isn’t something that anyone should be doing.
Once you do all of this correctly, the little red x will appear next to the players name.
Now comes the easy part. Just click on the little red x that you summoned.
Click on “Yes” and that player will no longer be a member of the family. Anyone with the know how can do this to any family.
As you can see this process is very time consuming. Someone really went out of their way to do it over 60 times to remove the majority of the members in my family. To prevent this from happening to your family, it’s best that you make all members a Underboss as the hack will not work on the Godfather/Godmother and Underbosses. If you wait for Zynga to fix it and do nothing, you may find your family victim to this exploit.
Many thanks to Jeff Sanford for figuring out how this was done and providing easy to follow instructions so I could reproduce it. It’s scary that it works but explains why my family lost members. Those responsible should be very concerned.
That totally sucks that someone could do that to another family.... Hope they get it fixed asap...
ReplyDeleteI am very distressed to find ut that you have a boyfriend
ReplyDeleteWow. Unless Zynga gets on this pronto you are going to get major flack for basically showing every javascript programmer out there how to do this. Also, there are many ways to exploit these programming errors (Zynga is obviously not authenticating certain requests on the server side, as they should be). Any programmer (such as myself) could easily come up with a way to automate this process.
ReplyDeleteVery nice job figuring this out!...Zynga owes you guys many thanks too, they should appreciate the efforts your team went through to uncover this xploit, and reward your honesty AND appologize for all the crap you guys went through when this happened to your family...kuddos to {ASS} and TEAM SPOCKHOLM!!....
ReplyDeleteThanks for the info. Wondering how you make everyone an underboss etc. Guess you have to be the god father or God mother?
ReplyDeleteI agree with anonymous you just showed everyone how to do this!!! My brother is a programmer and just removed 2 of my minis from a clan in 5 minutes after I asked him bout it. Way to go.
ReplyDeletehappend to my clan :/
ReplyDeleteI didn't provide the link and I blurred the code. If players can figure it out from these sketchy details then they probably already knew how. My job was to show through screen captures that this exploit does work. All the contacts I had at Zynga are no longer there so how can I report it other than an email. We all know they read every post I make so this is the perfect way for me to let them know. If they would like to contact me so I have someone to report these issues to, they are more than welcome to do that. I'm just the messenger so don't blame me if there are problems, blame Zynga for allowing it to happen in the fist place.
ReplyDeleteI think you went way too far in posting the step by step how to. Blurring the code was not enough & someone with even an inkling of coding experience could now figure out how to do it with a bit of trial & error. I enjoy your blog & appreciate all the effort you put into it for us all but posting this was in really bad form & stands to do way more harm than good.
DeleteNow we must all cross our fingers that Zynga plugs the exploit & fast before your how-to instructions are used by the masses...
that could explain why strange people have been showing up in our family :(
ReplyDeleteYeah, we had a player show up in our family yesterday that us admins didn't add to the group. I think I'm going to remove them just to be safe.
Deletethe reson why strange people have been added to our familys is due to you have to take the recruiting off other wise zinga likes to add any one and every one to the family
DeleteIf you have a member of your family who was an underboss or GF/M in a previous family they might add people to their new family just by friending people who are not in a family.
DeleteThanks for the heads up Jen. Sending a link to this article to my family's GM and my fellow admins.
ReplyDeleteahh thanks that explains why my family has been losing players and have to add them back manually ..
ReplyDeleteUnfortunately, this is not even the worst you can do with a program like Firebug and some decent knowledge about Mafia Wars and HTML/Javascript. I'm not comfortable sharing the other exploits I've discovered but I always report them to Zynga in hopes they will fix the fact that anyone can interact with the client-side code and use these exploits.
ReplyDeleteIt's just a matter of time before some malicious people figure out the really nasty stuff you can do, including the exploit mentioned above.
Any programmer (such as myself) could easily come up with a way to automate this process.
ReplyDeleteIt took less than 15 minutes to write the code including auto run on all families .
not tested LOL
Wow, that's ridiculous.You do nothing but help us all. Why are people so ignorant.
ReplyDeleteThe problem with making everyone an underboss is all have permissions to add people to the clan, start or accept family battles etc and the people mysteriously showing up in some of your clans is most likely do to current admins/underbosses sending invites thru gifting unaware using zmc agent...If underbosses are not careful they can send an invite to someone requesting to join unaware! .....thanks for the heads up Jen hope zynga fixes this soon we have enough glitches to deal with!
ReplyDeleteOh holy crap.. This is devastating News, and Daniel Waldron, I really hope you get through to Zynga with your findings, because this I am sure will rip the game a part for a lot of users.. Thanks for The warning MwLootLady, and now Daniel with his unknown exploits, that he thankfully will not show us, before Zynga Fixes it ! The game is already so much faulty an at a frailty.. We dont need this right now, and we have lost some many daily players already, so hope they will wake up now !
ReplyDeleteDoes this exploit allow the hacker access to other Underboss privileges? For example, we have had Family Battles accepted at and none of the Underbosses or the GM knew how it happened. We assumed someone was afraid to admit an accidental click on the ZMC, but now second guessing that assumption...
ReplyDeleteWe think so but couldn't verify that or figure out how. Our message of the day was also changed and none of the 5 who could change it did. There is probably much more that can be done with this but when I posted this Jeff had only been looking for about 10 minutes and that is what he found.
DeleteOur allies were just hit with this but thanks to you sharing your experience with it, they were watching out for it and caught it before too many people were removed and have placed all those removed back into the family module. Those of us without hate vendettas and petty jealousy issues truly appreciate all the hard work you put into getting pertinent info out for everyone. You have saved many people some serious headaches trying to figure things out alone. Thanks again for your time and efforts in making the game a better place to play <3
Deletesad that people have to screw things up,in a game that already has enough glitches and problems,mainly hackers,etc,thx 4 the heasds up,gonna make sure our family is alright ,your alot of help ,thx so much
ReplyDeleteProbably not a good idea to publicly show folks how to exploit this feature in MW. I know you want to help families but some who are not nice and don't have scruples might jump right on this to hurt families and individuals alike.
ReplyDeleteAgain, don't shoot the messenger. I'm not a computer literate person and if someone like me can get the complete instructions then so could anyone else. My intentions were to stop people from using it by 1. Omitting the link to gain access to a family and 2. by not mentioning the code you need to find in order to change it and 3. by blurring the code you need to ad to manipulate it. If that wasn't enough to stop people then it's not my fault. If I left it as there is a glitch, then people would have demanded evidence and blame the problem on Zynga like the group we accused of doing this did. Zynga could have fixed it within an hour of this post but it still persists. There is also more to it as the person(s) who originally did this was able to make him/herself and underboss. We prevented them from being able to remove us but they are still changing our names and messages. This is very serious and I can't be blamed if someone with computer skill takes advantage. Blame Zynga for not patching it!
ReplyDeleteI blame Zynga for just being a joke in general. Mafia Wars has been a shell of itself for a long time now, a far cry from the beginning when it was fun to play. I think it's pretty sad that people out there do stupid things like this to ruin it for the rest of us, but truthfully Zynga has screwed us more than any hack ever has.
DeleteSome people are just flat evil!! Thanks for sharing this MWLL! Going to tell my godparents we need to all be underbosses till this issue is settled..YOU ROCK BTW..thank you so much for all you do us!!!
ReplyDeleteThis just happened to my family!
ReplyDeleteThanks for sharing I really appreciate that your keeping us up to date. This is important and needs to be know MWLL does rock :)
ReplyDeleteZynga has so many glitches its over a yr and a 1/2 and not fixed any of mine
Someone always has to mess it up for everyone. The group I belong to just had this happen to us, we lost almost our entire group. We are now in the process of trying to put the family back together again. Does Zynga not know this is going on?
ReplyDeleteThanks 4 the Heads up! I think we will keep our family full at 101 with a few extra drones that aren't doing much until we find active players to replace them. If they can't join the family, they can't promote themselves and kick everybody out!
ReplyDeleteYou explained how to do it because.........????????
ReplyDelete(whew) Zynga heard and corrected it.
ReplyDeleteNow, if someone does this. He/She would get a message
"Unable to demote this member"
wow! step by step instructions! thanks!
ReplyDeletezynga didn't fix this it is still happening :///////
ReplyDeletewish we knows this before it ruined our family.....we have no way of getting back on coz of 1 member is currently not available to help out. (he's dead if u must know)
ReplyDelete