PlayerUnknown’s Battlegrounds Main Menu Is Vulnerable to Hacking

Update: This security hole has been plugged. See my next post for details.

Update update: There was a false-alarm report that this problem returned. Read about it here.

PlayerUnknown’s Battlegrounds (or PUBG for short) is a new, extremely popular video game. It focuses around “battle royale” gameplay, pitting up to 100 players against each other in a fight to be the last one standing.

The game and its developer (Bluehole) are very ambitious, and have been wildly successful with PUBG. Despite the game not yet being officially “released”, it has topped two million concurrent players, made tens of millions of dollars, and has a burgeoning e-Sports presence. This sort of exposure and success comes with certain expectations — performance, stability, visuals, AAA-competitive marketing, etc — which have not always been met. This article is not about them; it’s about security.

First, let’s look at the very basics of the problem. What is it, how big of a deal is it, and what does it mean to you?

Bottom Line, Up Front

The PUBG main menu is a webpage loaded remotely in an unsecured HTTP connection, making it vulnerable to cross-site scripting (XSS) via a man-in-the-middle (MITM) attack, or other ways to mess up HTTP requests. This means very easy and credible phishing, spying on user behavior, plus other possible attack angles.

Again, in English this time… The PUBG loading screen and the various user interface elements in its main menu are not technically part of the game you (a player) “install”. When you launch the game, they are fetched from an official server and rendered on top of the actual game (the 3D model of your character standing around). This rendering is done via a transparent “browser” that treats them as if they were an actual webpage.

The blue arrows are pointing to UI elements that are actually a “webpage”

The connection through which these elements are loaded is not secure. That means that, while the data is moving from the PUBG server to your computer, it can be intercepted and modified. In other words, someone operating any part of the connection between you and the PUBG server could manipulate the data and change what you see in your main menu, or make the main menu do things it normally would not — for example, report what in-game items you own to a third party.

That sounds serious. Why are you making this public? It is indeed serious. Normally I would not make such a big deal over a bug in an “early access” game, but as I mentioned earlier, PUBG is itself a big deal. Early access or not, this bug impacts the security of tens of millions of people. I have already reported the bug with Bluehole’s support and their forums more than two weeks ago. As it was not fixed expeditiously, and is a serious issue, I feel it is my responsibility to inform the community of the risk.

What is the actual danger to players? For a hacker to take advantage of this vulnerability, they need to either have malware already on your computer (in which case you have bigger problems) or they need to be a “middle-man” in between you and PUBG. That means that, if you are doing any of these things, you are at risk:

• Playing via a public unsecured wireless connection (e.g. at a Starbucks)
• Playing using a wired or wireless network set up by someone whose quality of IT you might not trust (e.g. a university network, or Xfinity)
• Playing via any wireless network, given the recent revelations about WiFi security

If a hacker does manage to take advantage of this, they can at the very least modify what you see on your screen, easily making it look like an official part of PUBG.

I even went ahead and created a proof of concept. After seeing the animated Bluehole splash screen and the game music starts, you could be confronted with this:

Looks very official, right? It’s completely fake, and delivered from a server completely unrelated to PUBG or Bluehole, and could send me your login details if you input them (it does not, though).

It is also possible there are far more nefarious things for the hacker to do. I am not a security researcher and do not have enough code access to say for sure. At the very least, this security hole has been used by Xfinity to advertise inside the game itself.

What’s the next step? Short of not playing PUBG at all, there is little way for players to completely avoid this risk. To reduce it as much as you can, only play on your home network, using a wired connection, or wireless if your router is not in range of any potential hackers.

More importantly though, this needs to be fixed as soon as possible. Since PUBG is “being developed with community feedback” (according to its Steam page) it needs your feedback on this issue for it to be tackled in a timely fashion. Please drop a word to the developers in their forums, in a review, or on social media. With your help, PUBG’s security can be as impenetrable as this pan:

And Now, A Story

This is where we get into the technical weeds. If you’re not interested, please feel free to tune out.

I have a confession: I did not find this issue by myself. I was tipped off by a friend who pointed me to a post someone made on the PUBG forums more than six months ago, complaining that Xfinity is able to inject ads into the main menu, as they do with other insecure websites. Their shady ISP practices aside, this is a massive red flag. Shockingly, the issue was not addressed at all, and the thread ended with a resounding “meh”:

Nope, not an April 1st joke!

Being a web (-ish) developer myself, this piqued my curiosity so I dug into it.

The Investigation

Doing so, I found that every time the game loads, a HTTP GET request is sent to http://front.battlegroundsgame.com/index.html. Its contents?

$ curl http://front.battlegroundsgame.com/index.html<script>var url = window.location.search;url = url.replace("?", '');location.href='https://prod-live-front.playbattlegrounds.com/2017.09.14-2017.10.02-556/index-steam.2017.09.14-2017.10.02-556.html?'+url;</script>

My actual reaction, as those in the chatroom I was in can attest

That’s it. That’s what loads the entire UI.

Not only is it not valid HTML in the first place, and served over a completely unsecured plain HTTP connection, but this would be bad practice even if those things weren’t a problem!

Naturally, I continued down the rabbit hole by loading that URL in a browser:

Loading that URL actually loaded the PUBG UI! It also produced a wealth of information from looking at the queries themselves:

• PUBG downloads almost 3 MB of stuff every time you load it
• The latest update to the UI was on October 17th (two days ago as of the time of writing)
• The UI is built in a Javascript-ish environment and packaged with a standard Webpack main/vendor/polyfill setup. More on this later. (Also, why do you need polyfills for a standard embedded browser?!)
• Interaction with the actual game engine (Unreal) and embedding of the browser view is done using Coherent UI
• File inclusion seems sloppy, since “mock” files are making it into production

The Javascript files themselves are minified, so gleaning much from them is difficult… but not impossible. There’s some fun stuff in there:

• The UI is built using the latest version of Angular 4; neat!
• A sort of “ping test” is performed to figure out if you are in China, and if you are, some XunYou resources are loaded… looks like some Chinese software distribution stuff?
• The UI’s data is organized using Redux, and using the appropriate browser extension allows messing with it
• Update: The index page also contains a Google Analytics tracking snippet! Who doesn’t love to have analytics on how many people load their main menu?

Also, here’s some fun for social justice activists: the player objects have a default gender (male) and other physical properties, and various tokens that didn’t get minified have a weird “bro” related naming theme:

l.connection.sendMessage("UserProxyApi","InvalidateBroFriends",n)

Then, as the cherry to top it off, the console log contains confidence-inspiring lines such as:

[EGN] engine received DestoryLobbyCharacter:0 Array [ ] mock.entry.js:7:3

I don’t know what that’s about. Anyway… It looks like how I’d expect an “early access” code base to look. That unsecured HTTP request is a much bigger deal, so… Back to security talk!

The Bug Report

Given that I know that the HTTP flaw I found can be exploited, I hastened to write a bug report to Bluehole about it. Going to their support site, I found that…

… it does not use secure communications itself, and for an authentication page, at that. That does not bode well.

I reported it anyway, and within a day I got a response from a Game Master acknowledging the report and requesting that I share it on the PUBG forums as well. The public PUBG forums. The ones where the whole world could see the problem. I did, and it seems to have gotten a similar amount of attention as the thread that got me on this track in the first place.

Given that there’s been an ample amount of time since the first mention of this issue to come up with a fix — or at least, a stopgap to not expose literally millions of players to hacking — here I am doing this write-up.

It is not just a write-up, though! For I have…

The Demo

There were some screenshots of it before, but here it is in all its glory: https://github.com/fsufitch/pubg-mainmenu-hack. Update: I remembered to actually set the repository to “public” and it should actually be accessible now.

Disclaimer: this is not some of my best coding work. It’s messy and terrible, but it works. Do not code like this.

It consists of a simple Go-based server that serves an index.html file, loading a bunch of “evil” JS code that injects itself into the UI, attempting to phish the user. Of course, I am not actually saving anyone’s info, and the “login” form is a dummy, but it does provide a striking visual:

Legit or not?

This hacked UI is live and available at http://104.239.228.225/index.html. (Update: I have disabled the server since it is no longer relevant but is still costing me to keep running.) You can visit it with a web browser, or you can fool your own PUBG into loading it by adding the following line to your hosts file:

104.239.228.225 front.battlegroundsgame.com

That is found at %SystemRoot%\System32\drivers\etc\hosts for a Windows environment. Removing the line will disable the hack.

If you really don’t feel like editing that file, I put together a simple program that does it for you. It’s super suggestively named, just like malware that could do this without your knowledge. Instead of compromising your computer though, all it does is add the hosts line, wait for you to push Enter, then remove the line.

Edit: Some comments I have received indicated that a hosts-file injection is not a “real” vulnerability, as a ton of things are vulnerable to that.While true, this hosts injection is a simple way to demo this problem, since an easy-to-apply, portable MITM demo is much harder to put together.

Video of this story as it happened

That’s the end of the PUBG security adventure… For now. Here’s hoping that Bluehole will continue improving PUBG on all fronts, stop putting users at risk, and become truly “e-Sports ready”. Thanks for reading!