
Shooting the messenger? Zwift bans user for exposing in-race 'weight doping' hack

Tech firms usually thank users for exposing loopholes, but Zwift has cited a breach of its terms of service and imposed a ban. Updated with Zwift's responses

Indoor training app Zwift has banned a user for 30 days after they published a hack that lets riders change their weight in the middle of a race, gaining a potentially unfair advantage over fellow racers. Zwift maintains that the user raised the issue incorrectly, and that this is what led to the ban.

Deliberately entering a bodyweight lower than your real one is a common problem on Zwift: for the same power output a lighter avatar rides faster, especially uphill, so riders abuse the setting to gain speed. 'Weight doping', as it is commonly known, can be guarded against in elite Zwift competitions through weigh-ins, but in day-to-day races there is little to stop users lowering their weight illegitimately.

[Image: Zwift Cheating Report 2021]

The hack that has landed the user in trouble has apparently been around for quite some time, with Zwift aware of it since at least January 2021. Further to the above image, a now-deleted post by WTRL, organisers of several races, suggests that they have been monitoring users for this hack in their popular race series for nearly two years.

[Image: Zwift WTRL Hack Statement]

The hack, if you're wondering, is a pretty simple one. While you're racing, you open the Zwift companion app and, when you reach the bottom of a crucial climb, edit your rider profile to drop a significant amount of weight; the banned user's tests found that the change takes effect after about 15 seconds.

This allows your avatar to sail up the climb, and you can either stick with a front group you have no business being part of or, worse, build an unassailable lead before changing your weight back to its true value at the top of the climb.

The hack can supposedly go undetected because, as long as the user reverts to their normal weight before the finish, that normal weight is the one published on ZwiftPower at the end of the race.
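The two controls that follow from the description above, written out as an added example: a server-side guard that refuses weight edits for the whole event window (the "weak" and "hardened" forms side by side), and a post-race audit over profile-change logs that catches the drop-then-revert pattern the published finish weight hides. This is not Zwift's code or the banned user's guide; the log format, event and rider names, every log line and the 2 kg threshold are constructed for illustration.

```python
"""Mid-event weight edits: a server-side lock and an after-the-fact audit.

Added example, not code from Zwift or from the banned user's article. The
record layout, event names, rider ids and all log lines are constructed.
The only facts taken from the article: weight can be edited mid-race from the
companion app, and only the weight held at the finish is published afterwards.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    event_id: str
    start: datetime
    end: datetime

    def covers(self, t: datetime) -> bool:
        return self.start <= t <= self.end


@dataclass
class Rider:
    rider_id: str
    weight_kg: float
    active_event: Optional[Event] = None


class ProfileLocked(Exception):
    """A locked attribute was edited while the rider was in an event."""


def update_weight_unchecked(rider: Rider, new_kg: float, at: datetime) -> None:
    """Weak form: the edit is applied whenever it arrives, race or not."""
    rider.weight_kg = new_kg


def update_weight_guarded(rider: Rider, new_kg: float, at: datetime) -> None:
    """Hardened form: refuse weight edits for the whole event window.
    The check lives on the server so the companion app cannot bypass it."""
    ev = rider.active_event
    if ev is not None and ev.covers(at):
        raise ProfileLocked(f"{rider.rider_id}: weight locked until {ev.end.isoformat()}")
    rider.weight_kg = new_kg


# --- audit over a (constructed) profile-change log --------------------------

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) profile_update rider=(?P<rider>\S+) field=weight "
    r"old=(?P<old>[0-9.]+) new=(?P<new>[0-9.]+)$"
)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Finding:
    rider: str
    event_id: str
    at: datetime
    old_kg: float
    new_kg: float


def audit_weight_changes(log_text: str, events: Dict[str, List[Event]]) -> List[Finding]:
    """Every weight edit that lands inside one of the rider's event windows."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # other fields / malformed lines are outside this audit
        at = parse_ts(m["ts"])
        for ev in events.get(m["rider"], []):
            if ev.covers(at):
                findings.append(Finding(m["rider"], ev.event_id, at,
                                        float(m["old"]), float(m["new"])))
    return findings


def drop_and_revert(findings: List[Finding], min_drop_kg: float = 2.0
                    ) -> List[Tuple[str, str, float, float, float]]:
    """The pattern the article describes: weight falls by at least min_drop_kg
    during the event and is back up by the last edit, so the published finish
    weight looks normal. Returns (rider, event, start, lowest, finish) tuples."""
    grouped: Dict[Tuple[str, str], List[Finding]] = {}
    for f in findings:
        grouped.setdefault((f.rider, f.event_id), []).append(f)
    flagged = []
    for (rider, event_id), changes in grouped.items():
        changes.sort(key=lambda f: f.at)
        start_kg = changes[0].old_kg
        lowest_kg = min(f.new_kg for f in changes)
        finish_kg = changes[-1].new_kg
        if start_kg - lowest_kg >= min_drop_kg and finish_kg > lowest_kg:
            flagged.append((rider, event_id, start_kg, lowest_kg, finish_kg))
    return flagged


# Constructed sample data: one 45-minute race; r9 is not entered in any event.
RACE = Event("race_A", parse_ts("2023-01-14T19:00:00Z"), parse_ts("2023-01-14T19:45:00Z"))
EVENTS = {"r42": [RACE], "r7": [RACE]}
SAMPLE_LOG = """\
2023-01-14T19:17:45Z profile_update rider=r42 field=weight old=84.0 new=60.0
2023-01-14T19:20:00Z profile_update rider=r7 field=weight old=72.0 new=71.5
2023-01-14T19:20:30Z profile_update rider=r9 field=weight old=90.0 new=70.0
2023-01-14T19:31:10Z profile_update rider=r42 field=weight old=60.0 new=84.0
2023-01-14T20:05:00Z profile_update rider=r42 field=weight old=84.0 new=83.5
"""

if __name__ == "__main__":
    hits = audit_weight_changes(SAMPLE_LOG, EVENTS)
    for h in hits:
        print(f"mid-event edit: {h.rider} {h.event_id} {h.at:%H:%M:%S} {h.old_kg}->{h.new_kg}")
    for rider, ev, s, lo, fin in drop_and_revert(hits):
        print(f"drop-and-revert: {rider} in {ev}: {s} -> {lo} -> {fin} kg")
```

Two design points worth noting. The lock is keyed on the event window rather than on "is the rider currently moving", so a rider cannot pause at the foot of a climb to slip the edit in; and the audit only works if profile changes are logged with timestamps and correlated with event entries, which is exactly the data a published finish weight throws away.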

Speaking to road.cc, the user claims that "ZADA [Zwift Anti-Doping Agency] had reported the issue to Zwift previously, and that measures of control were applied post-race for Premium League and certain WTRL events, but not for the vast majority of the races organized at Zwift."

When asked why they tested the hack, the user told us that they initially "did not believe it because it looked so easy that it would have been upsetting." Nevertheless, they "thought it was a good idea for an article on Zwift Insider to kill some myths about cheating."

In the tech world, computer-savvy users routinely find and report security weaknesses in websites and apps. Many companies reward this through bug bounty or responsible-disclosure programmes, some have ended up hiring the reporter, and some researchers do it simply for the kudos. This makes Zwift's approach a little confusing, especially when you consider that this is an issue it already knew about.

Zwift, however, stated in an email to the user that publishing the hack in "an extensive guide" was the reason for the ban, as Zwift says this contravenes its terms of service.

Speaking to road.cc on Friday afternoon, Zwift's Director of PR Chris Snook said that the ban only excludes the user from "engaging with other users for that duration and prevents them from showing in events, races and race results" rather than excluding them from the platform entirely.

Snook added that the ban was imposed because the terms of service forbid users to "use our Platform other than for its intended purpose and in any manner that could interfere with, disrupt, negatively affect or inhibit other users from fully enjoying our Platform or that could damage, disable, overburden or impair the functioning of our Platform in any manner."

One software manager we spoke to says that while Zwift might rightly be annoyed that the user went public before informing Zwift of the hack, if the hack had already been reported, which in this instance seems to be the case, Zwift's failure to fix it would simply erode the community's confidence in the platform. After all, why bother reporting an issue repeatedly if a fix never arrives?

This was, the banned user says, the aim of the article. They would like to see Zwift take an active approach to closing the door on this easy cheat, so that those who take their racing seriously can do so knowing it is fair. They also feel that the current 'shoot the messenger' approach to preventing cheating is the wrong one, and that a "focus on identifying and chasing the cheaters rather than banning people" would be preferable.

Where this leaves the banned user and Zwift is unclear. The user will likely serve out the 30-day ban and, as they have removed the WordPress article in which they tested the hack, there shouldn't be an extension of the ban from Zwift. Zwift, meanwhile, still has a relatively easily exploitable hack on its hands, one that can really spoil the racing experience for lots of users.

To that end, Zwift told us that "we are working on a resolution for this bug and would always ask that anyone that discovers a bug contacts us to help resolve the issue."


37 comments

Spiregrain | 2 years ago
1 like

Good to see this was rescinded. Publishing / discussing details of the issue is not a "use of the platform" and could not be a breach of the terms of service quoted

Secret_squirrel | 2 years ago
2 likes

It's worth noting that Zwift has rescinded the ban, has promised to fix the bug, and set up a bug bounty program.

Secret_squirrel | 2 years ago
2 likes

Maybe should have taken a leaf out of the professional bug hunters' book.

Document the bug to Zwift with a 30 day notice period for a response.

Then you get kudos for a professional attitude and Zwift get even more slated if they ban.

Jimmym1302 | 2 years ago
5 likes

Some time ago I contacted Zwift and showed them some hacks including one which allowed me to Everest in 45 minutes and I didn't even have to pedal, they then used what I said to stop a lot of cheating and all I got was a lifetime shadow ban for my efforts. I simply closed my account and now don't care about Zwift.

wycombewheeler replied to Jimmym1302 | 2 years ago
0 likes
Jimmym1302 wrote:

Some time ago I contacted Zwift and showed them some hacks including one which allowed me to Everest in 45 minutes and I didn't even have to pedal, they then used what I said to stop a lot of cheating and all I got was a lifetime shadow ban for my efforts. I simply closed my account and now don't care about Zwift.

shadow ban?

mdavidford replied to wycombewheeler | 2 years ago
1 like
wycombewheeler wrote:

shadow ban?

I think it's something to do with Peter Pan.

Jimmym1302 replied to wycombewheeler | 2 years ago
1 like

You can ride but you are invisible to everyone else riding.  Great for sandbagging!

Ride On | 2 years ago
1 like

Give RGT a go. For me a much better app and it's free.

TheBillder | 2 years ago
1 like

Wasn't there a video a couple of years ago of a speed sensor in a salad spinner being used to whiz along in zwift? Just underlines the point that it's a platform to be used for fun* and fitness. As soon as the usage gets serious, its limitations become problems. What next, another smart trainer with a weight sensor (presumably mrktd wtht ny vwls)?

Tech platforms with this kind of approach to vulnerability reporting don't deserve to survive. They should thank the spotter and get working on fixing it. It can't be all that difficult to work out that the user is in an event and prevent profile updates.

*Not my kind of fun, but each to their own.

visionset | 2 years ago
2 likes

An utterly ridiculous concept, constantly astounded by the number of folk on my strava timeline that take part. Now a real advancement would be a filter so I don't have to scroll past them.

Uhuru | 2 years ago
3 likes

What a scumbag move by Zwift. The original blog post was obviously constructive and not meant to encourage cheating. And Zwift's followup email threatening a prolonged shadowban shows that the company is simply being vindictive, and is more interested in avoiding bad PR than protecting the spirit of fair play.

sizbut replied to Uhuru | 2 years ago
1 like

It would have been constructive if he had sent it to Zwift first, not posted it to the whole world and not to Zwift at all. And the threat of extending the ban was because he still didn't take down the public listing after being asked. Not exactly unreasonable. Now, if I accidentally discovered all your credit card details, what would you want me to do?

Awavey replied to sizbut | 2 years ago
0 likes

It's been reported to Zwift multiple times apparently so I don't see that the blogger has any onus on them to keep sparing Zwift's blushes if they won't do something about it and fix it.

And fwiw this should be an utterly trivial change to simply lock editing certain profile attributes whilst you are zwifting, the companion app knows when you are riding, in fact it's so trivial I'd actually always assumed that would be the case anyway.

sizbut replied to Awavey | 2 years ago
1 like

Bullshit - if he had told them and given them a chance to respond then he would have been wholly justified in going public. But no, he didn't just post to the world first, he posted how to do it. It's quite reasonable to treat that as malicious intent. The title of this article is "Don't shoot the messenger" - but what do you do when the messenger doesn't deliver the message to you.

mdavidford replied to sizbut | 2 years ago
0 likes

But they'd had plenty of chance to respond - they knew full well it was happening. The message wasn't "Hey - here's this thing that people could exploit" - it was "Hey - here's this thing that people are exploiting and Zwift has chosen not to address".

philhubbard replied to sizbut | 2 years ago
0 likes

I've seen posts of him reporting this to Zwift multiple times over the last 2 years which have been ignored until he decided to go public 

mdavidford replied to sizbut | 2 years ago
3 likes
sizbut wrote:

Now, if I accidentally discovered all your credit card details, what would you want me to do?

If you'd discovered my card details because I'd posted pictures of them all over social media, and many other people had already replied to those posts telling me what a bad idea it was but I still hadn't taken them down, I wouldn't really blame you for writing a blog about what a silly arse I am.

pasley69 | 2 years ago
2 likes

I know nothing about Zwift, but if they have run true to form, along with most other owners of popular applications, they will have sacked the original programming team as a cost saving measure and now have problems maintaining, upgrading, repairing the software.

PRSboy | 2 years ago
6 likes

I recall watching a YouTube video a year ago at least where a fella explained the hack.

Zwift should ban that Eric Minn bloke for not fixing it. How hard would it be to block users from changing personal data mid ride? I really enjoy the game, but for a software platform it really is somewhat clunky.

Height doping is a thing too... shorter riders are more aero.

reynard2ki replied to PRSboy | 2 years ago
0 likes

Handicapping taller riders is ridiculous. A flexible tall rider can be more aerodynamic than an inflexible short rider. Apparently Zwift is unaware of a guy named Filippo Ganna, who is 1.93m (6'4").

Sniffer | 2 years ago
0 likes

https://zwiftinsider.com/freeluciano/

More in the story. It doesn't mention how the cheating works, but maybe gives a perspective.

brinyboo | 2 years ago
2 likes

I have never ridden an app before, but I am pretty sure that if I weighed < 85 kg, I would be considerably more talented in real time. 🤟

kevinmorice | 2 years ago
3 likes

Zwift "racing" is a joke. Several local athletes to me take part regularly and are all listed under 70kg, one of them maybe is, on his lightest day, most of them are the other side of 90kg. 

Whether they change this during a race or not doesn't matter when it is such a blatant whole-race cheat. 

Sniffer replied to kevinmorice | 2 years ago
1 like

I like to race occasionally on Zwift.

No faith at all that it is an even playing field but what does it matter if you are C Cat like me anyway.

Just a good way to replace the summer chainy with some hard efforts. Just take it as fun, it is nothing more than that.

OnTheRopes | 2 years ago
10 likes

So will Zwift now ban Road CC Kit from their platform for giving this hack even bigger publicity?

adamrice | 2 years ago
8 likes

Zwift is relying on security through obscurity. That's a bad idea, and makes me wonder how they're handling more sensitive data.

They're also apparently unaware of the Streisand Effect.

mdavidford replied to adamrice | 2 years ago
3 likes

It's not so much security through obscurity as "There's no problem here - LA LA LAAAA!" *sticks fingers in ears*

Rendel Harris | 2 years ago
5 likes

Very surprised Zwift hadn't cottoned onto this before and blocked it, I found out about this because sometimes I would set out and suddenly find I was whistling up the first climb with little effort; I would then realise that Mrs H (54 kg) hadn't changed the weight setting back to mine (82 kg) after using the trainer. Rather than bothering to go back and start again (especially on the Alpe where there is a tedious 5 km plus route to be ridden to get to the foot of it) I just switch back to my real weight in game. I don't participate in races on Zwift so I've never used it to cheat, but it didn't take a genius to realise that the potential was there.

wycombewheeler replied to Rendel Harris | 2 years ago
0 likes

Is this a way of two people sharing a single Zwift account? Is this legit? Because Mrs WW and I have had two separate accounts for years, each with our own settings.

Rendel Harris replied to wycombewheeler | 2 years ago
2 likes
wycombewheeler wrote:

Is this a way of two people sharing a single Zwift account? Is this legit? Because Mrs WW and I have had two separate accounts for years, each with our own settings.

Perfectly legitimate as far as I'm concerned, you can't change the name or sex of your avatar but you can change their height and weight at will. All we do is I have the main account, so it saves my rides as the main stats, Mrs H just doesn't save her rides but enters them manually into her fitness app. The only reason I could see for having separate accounts would be if we were both absolute fanatics, racing et cetera all the time, or if we both wanted to use Zwift at the same time, which doesn't apply as we only have one trainer. It's actually advantageous for Mrs H to use my account as I use it a lot more than she does so she gets the benefit of access to the bikes and routes I've unlocked.
