Zwift plugs cheating hole that allowed in-game height and weight adjustment

Zwift late Thursday pushed an update to the game in an effort to prevent cheating.

Zwift made the announcement regarding the updates to the companion app in a forum on its website.

“Today we are beginning a series of security changes to address an exploit in game where a Zwifter could change their weight while in an activity in an attempt to gain an unfair advantage in competition. This exploit could be detected on Zwift servers, but would be hidden from public view, therefore impacting community racing. The first fix, which is live today, addresses competitive integrity and ensures greater fairness, specifically in events,” reads the statement.

Also read: Zwift addresses weight-doping hack, and temporary ban of a user who flagged it

The updates, which Zwift terms “security changes” are meant to address an exploit that permitted a Zwifter to change their avatar’s in-game height and weight in order to gain an unfair advantage.

The updates made on Thursday, March 3 include:

• weight and height will remain locked when you are in an event
• changing profile height and/or weight in an event via zwift.com during an event will generate a generic error message
• changes to one’s height and/or weight in the companion app during an event will not be saved
• height and weight changes can be saved when logged out of the game, or when logged into the game, but not in an event

Avatars with lower weight will have a higher watts/kilogram score, which is especially important when climbing. Adjusting an avatar’s height lower can be advantageous when sitting in on the flats or when descending; a shorter avatar has a lower drag coefficient and so is more aero and will go faster for the same effort in the game.

Changing these performance characteristics while in the middle of a Zwift event and then subsequently restoring them before the end of an event was providing an advantage to those who used these cheat methods. These exploits could be detected on the Zwift game servers but were not detectable to other Zwift users.

Zwift also noted the recently announced bug bounty program is still being developed and will provide details once the program is ready to be launched.

Last week the weight-cheating exploits were exposed when Luciano Pollastri spun up a website to call attention to these cheating methods, which were claimed to have been available and known to Zwift for two years.

Zwift quickly “shadowbanned” him, disallowing any competitive results during the ban and also rendering his avatar invisible to others in Zwift.

This immediate response by Zwift, which considered the information that Pollastri posted to the website in violation of the game’s terms of service, was seen by many as overly harsh and drew criticism of the poplar virtual cycling environment.

Less than 36 hours elapsed before Zwift CEO Eric Min jumped into the fray and removed the shadowban placed on Pollastri.

Since this incident, just one Zwifter was found to have attempted to use the exploit identified by Pollastri.