Exploit found which can lead to cheating

An issue was recognised (not a bug per se, but an exploit) and explained on here, but I assume it was removed so that others don’t copy it. Understandable, but I think it would be good to have a post where we can get updates on a fix timeline and discuss it, without describing the exploit directly? After all, it is the Internet; it is impossible to pull a veil over such a thing completely.

I’m also interested in the policy on such a thing. It seems to me it is a really good thing if, when something like this is found, it is exposed through the community so that it can be quickly handled. Those who found it could have just kept it to themselves and exploited it, but instead they put Zwift racing legitimacy first. It is World Championship week after all, and I am sure Zwift will want to be seen to take these things seriously and act quickly.

Maybe just a sticky post with updates and comments turned off.


At least now I know why I keep losing races :smiley:


Not fair - why don’t those things get posted in my time zone! I need all the help I can get against those super humans doing 4.0w/kg for 500km+. :wink:

Especially when getting older and slower. :frowning:

I second this - I would like Zwift to acknowledge that they’re aware of the issue and that they’re fixing it. If you delete the post without acknowledgement, we don’t know what is being done, or if anything is being done.


I’d also like to add that ‘some’ have stated that the person who raised this ‘advertised and marketed’ the exploit, when in fact he did an excellent study to prove unequivocally that the exploit works as explained to him, and then raised it because he is completely against cheating and wants it acknowledged and fixed.

Now some might say, why did he not just contact Zwift directly? Well, in fact this exploit has been known for over 2 years and not closed. Evidence of this has been provided.

This person has now had their account suspended.

I enjoyed this translated saying I learnt earlier today: “When someone points to the sky, the fool looks at the finger”

I don’t know why I feel like I have to try and always be the bridge between the Zwift community and what is always an absolute horror show of PR management and communication from Zwift. I probably annoy a lot of people, but it’s like buying a season ticket for your club and watching them repeatedly kick the ball into their own net. At some point you’re going to lose the plot, jump the advertising hoardings, and just say kick it that bloody way!

Focus on fixing it please, and not on the person who raised it with good intentions. Zwift racing needs to work on legitimacy to have any hope of being part of the Olympics, and these sorts of tactics will only lead to underground sites that can’t easily be traced to an individual account, and before you know it there is a real storm.


Thank you. Still totally surprised.


You have got to be kidding me… what the actual F is Zwift thinking???

Not annoying, it is unfortunate that anyone in the community has to talk sense into the folks at Zwift HQ. These aren’t difficult decisions to make… cheating/sandbagging is bad… account security is good… water is wet…



Luciano, you’ve done a service for the Zwift community. When I read the blog post I considered whether posting the details was appropriate and concluded that it was for several reasons: (1) for a cheater, I believe this would be an obvious thing to try and so I would guess use of the exploit is widespread; therefore (2) it’s urgent to fix it; (3) it seems like this should be an easy fix (though I’m no programmer…); and (4) Zwift obviously struggles to keep pace with the bugs so attention should bring the issue to the top of the agenda. The potential damage is that there may be more cheaters, but if racing is already compromised then that is a matter of degree. But I can see that reasonable minds may disagree with my reasoning.


The thing is that the problem was known and reported for years and well spread among the community. In fact we tested this because a friend was told to use the cheat as a way to improve his Zwift results. And we were sooo surprised that we were almost dismissive with him: no, it can’t be that easy. In the video I take it almost as a joke to show him the problem did not exist. And then when it occurs and we see that the problem exists… then we were really in shock. The craziness of this is that I am suspended allegedly because I cheated on a TT without draft and without any influence on the race. In any case, thanks for your words.




Disgraceful, but entirely predictable, that Zwift would suspend the whistleblower who made this public rather than fix the exploit.

Response of Martin @ WTRL also only too predictable, sadly. Of course he’s not responsible for it and can’t fix it.


In other industries, rewards are paid to recognise the efforts of people like Luciano and yet real Zwift cheaters, those that have actually manipulated Premier results for example, get banned from Premier but can still play in Zwift races.


Well carp. Ran outta loves to give with all the great stuff going on with Pen Enforcement. I’ll be back to spread the love…


@xflintx @shooj @Mark_Cote this is a horrible decision on Zwift’s part. With the past PR missteps which are well documented in this forum please review this and do the right thing and reinstate @Luciano_Pollastri_ZE account



Absolutely,

Bug bounty hunting is a recognised way to increase security (and although this is not a “security” matter leaking privacy data etc., it sure is something that affects the legitimacy of what we are paying for), and Zwift got this totally wrong if it is as described. I seriously trust and hope this was some naïve canned response from someone not fully aware of the context and it will be reversed now we have highlighted it.


I like how it says “Ride On” at the end of their emails telling people that they are not allowed to ride anymore.

Also, Zwift: WTF!?


Not at all. Fully confirmed.

How on earth was an exploit like this not picked up in QC?


It was picked up, they just don’t care to fix it or don’t know how, so rather punish people for raising it and let those that know carry on…