Olympic Esports Series Selection ‘Tic Tac Bow’ Contains Serious Vulnerabilities

Credit: IOC

The Esports Advocate has learned that Tic Tac Bow, one of the games selected for the Olympic Esports Series, is deeply flawed and contains what one person claims are serious vulnerabilities. TEA was tipped off earlier this week by Redditor MonkeyMatt about the exploits in the game.

On March 14,  a user named “Ph0t0shop” began talking about being able to cheat at the game on Discord. From March 14 – 19, they detailed how—through data mining—they had learned how to compromise the Android game (it hasn’t been released on iOS yet) in a number of ways including giving away in-game items, currency, and trophies, putting themselves at the top of the global leaderboards, and creating codes to give away various in-game items. In the #general thread of an unofficial Tic Tac Bow Discord server, Ph0t0shop proved multiple times that he was capable of manipulating his standing on the leaderboard in the game and creating codes to give away various in-game items to people in the channel. 

More alarming than being able to manipulate components in the game are Ph0t0shop’s claims that it contains vulnerabilities serious enough to expose user data, among other things ( he later walked back the comment, noting that there’s “not that much” user data to harvest). Ph0t0shop also claims that the original intention of all this was to expose vulnerabilities in Tic Tac Bow and to show that it was not worthy to be selected as an official “esports” title of the Olympic Esports Series.

TEA can confirm that the International Olympic Committee is aware of the situation and has been in contact with developer Refract Technologies, but the company was likely aware already—according to the Discord thread—because several users reached out to report the vulnerabilities and the company took the game down for more than 17 hours over the weekend for “maintenance.” Nevertheless, Ph0t0shop claims that this has not fixed issues with the client side vulnerabilities, which is where the exploits were used.

If Refract does not deal with these vulnerabilities Tic Tac Bow could be pulled as an official game selection, from what we have been told by sources speaking on background familiar with the situation. 

“We are aware of the issue and that Refract continues to work on improving the game and increasing security measures,” Chris Wells, head of communications at World Archery told TEA in an emailed statement early Wednesday morning. “The application collects no personalised user data. Competition integrity has been considered for the in-game events related to the OES.”

When asked about the relationship between Refract and World Archery (the two entities finalized a partnership last year), wells told TEA: “World Archery applied to the IOC for inclusion in the OES in a joint submission with Refract. Refract first approached us several years ago and we formalised a partnership in mid-2022.”

The IOC declined to comment on this story. TEA also reached out to Refract for comment and will update this story should the company respond. 

TEA previously detailed the financial entanglements between the Global Esports, Refract, World Archery, World Taekwondo, and even the Singapore National Olympic Council in this report on how these relationships affected the selection process.  

Editor’s note: This story was updated with the proper spelling of the Discord username “Ph0t0shop” (we wrote it as “Ph0toshop”).