Indoor training app Zwift has banned a user who exposed a hack that allows riders to change their weight within a race, thus gaining a potentially unfair advantage over fellow racers. Zwift maintains that the user raised the issue incorrectly, which led to the 30-day ban.
Incorrectly entering a bodyweight that is lower than your actual weight is a common issue within Zwift, as riders exploit this metric to allow their avatar to ride faster. ‘Weight doping’, as it is commonly referred to, can be guarded against in elite Zwift competitions through weigh-ins, but in day-to-day races there is little to counter users lowering their weight illegitimately.
The hack that has landed the user in trouble is one that has apparently been around for quite some time, with Zwift being aware of it since at least January 2021. Further to the above image, a now-deleted post by the WTRL - organisers of several races - suggests that they have been monitoring users for this hack for nearly two years in their popular series of races.
The hack, if you're wondering, is a pretty simple one. While you’re racing, you open up the Zwift companion app and when you reach the bottom of a crucial climb, you edit your rider info to drop a significant amount of weight, with the banned user's tests finding that the change takes about 15 seconds to be effective.
This allows your avatar to sail up the climb, and you can either stick with the front group that you have no business being a part of or worse, build an unassailable lead before changing your weight back to its true value at the top of the climb.
The hack can supposedly go undetected because, as long as the user reverts to their normal weight before the finish, the regular weight is the one published on ZwiftPower at the end of races.
Speaking to road.cc, the user claims that "ZADA [Zwift Anti-Doping Agency] had reported the issue to Zwift previously, and that measures of control were applied post-race for Premium League and certain WTRL events, but not for the vast majority of the races organized at Zwift."
When asked why they tested the hack, the user told us that they initially "did not believe it because it looked so easy that it would have been upsetting." Nevertheless, they "thought it was a good idea for an article on Zwift Insider to kill some myths about cheating."
In the world of tech, computer-savvy users will often expose security weak points in a website or app’s code. Sometimes this is rewarded by the website in question with a job, and some just do it for a bit of kudos. This makes Zwift’s approach a little confusing, especially when you consider that it is an issue that they know about.
Just seen this on Facebook. These folks posted (in apparently good faith) a well-researched blog describing how an app loophole let users change their weight mid-race on Zwift to cheat. @GoZwift, instead of thanking them, have retaliated by banning them. Idiotic practice by Zwift pic.twitter.com/kM7R3CYGlB
— Jon (@ormondroyd) February 24, 2022
Zwift, however, in an email to the user, stated that the user's action of making the hack public in “an extensive guide” was the reason for the ban, as Zwift states that this contravenes its terms of service.
Speaking to road.cc on Friday afternoon, Zwift's Director of PR Chris Snook said that the ban only excludes the user from "engaging with other users for that duration and prevents them from showing in events, races and race results" rather than excluding them from the platform entirely.
Chris continues, saying that the ban was imposed because the terms of service forbid the user to "use our Platform other than for its intended purpose and in any manner that could interfere with, disrupt, negatively affect or inhibit other users from fully enjoying our Platform or that could damage, disable, overburden or impair the functioning of our Platform in any manner."
One software manager that we spoke to says that while Zwift might rightly be annoyed that the user had gone public before informing Zwift of the hack, had the hack already been reported, which in this instance seems to be the case, the lack of action by Zwift to fix the issue would simply create a lack of confidence in Zwift from the community. After all, why would you bother reporting an issue numerous times if a fix hadn’t yet been implemented?
This was, the banned user says, the aim of the article. They would like to see Zwift take an active approach to close the door to this easy cheat, so those that like to take their racing seriously can do so with the knowledge that it is fair. They also feel that the current 'shoot the messenger' approach to preventing cheating is the wrong one, and that a "focus on identifying and chasing the cheaters rather than banning people" would be preferable.
Where this leaves the banned user and Zwift is unclear. The user will likely serve out the 30-day ban and, as they have removed the WordPress article in which they tested the hack, there shouldn’t be an extension of the ban from Zwift. Zwift, meanwhile, still has a relatively easily exploitable hack that can really spoil the racing experience for lots of users.
To that end, Zwift told us that "we are working on a resolution for this bug and would always ask that anyone that discovers a bug contacts us to help resolve the issue."